File: //proc/self/root/etc/filebeat/fields.yml
# WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 8.0.0-dev.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
- key: ecs
  title: ECS
  description: ECS Fields.
  fields:
  - name: '@timestamp'
    level: core
    required: true
    type: date
    description: 'Date/time when the event originated.
      This is the date/time extracted from the event, typically representing when
      the event was generated by the source.
      If the event source has no original timestamp, this value is typically populated
      by the first time the event was received by the pipeline.
      Required field for all events.'
    example: '2016-05-23T08:05:34.853Z'
    default_field: true
  - name: labels
    level: core
    type: object
    object_type: keyword
    description: 'Custom key/value pairs.
      Can be used to add meta information to events. Should not contain nested objects.
      All values are stored as keyword.
      Example: `docker` and `k8s` labels.'
    example: '{"application": "foo-bar", "env": "production"}'
    default_field: true
  - name: message
    level: core
    type: match_only_text
    description: 'For log events the message field contains the log message, optimized
      for viewing in a log viewer.
      For structured logs without an original message field, other fields can be concatenated
      to form a human-readable summary of the event.
      If multiple messages exist, they can be combined into one message.'
    example: Hello World
    default_field: true
  - name: tags
    level: core
    type: keyword
    ignore_above: 1024
    description: List of keywords used to tag each event.
    example: '["production", "env2"]'
    default_field: true
  - name: agent
    title: Agent
    group: 2
    description: 'The agent fields contain the data about the software entity, if
      any, that collects, detects, or observes events on a host, or takes measurements
      on a host.
      Examples include Beats. Agents may also run on observers. ECS agent.* fields
      shall be populated with details of the agent running on the host or observer
      where the event happened or the measurement was taken.'
    footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
      For APM, it is the agent running in the app/service. The agent information does
      not change if data is sent through queuing systems like Kafka, Redis, or processing
      systems such as Logstash or APM Server.'
    type: group
    default_field: true
    fields:
    - name: build.original
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Extended build information for the agent.
        This field is intended to contain any build information that a data source
        may provide, no specific formatting is required.'
      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
        built 2020-02-05 23:10:10 +0000 UTC]
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this agent (if one exists).
        This id normally changes across restarts, but `agent.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of this agent (if one exists).
        Example: For Beats this would be beat.id.'
      example: 8a4f500d
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the agent.
        This is a name that can be given to an agent. This can be helpful if for example
        two Filebeat instances are running on the same host but a human readable separation
        is needed on which Filebeat instance data is coming from.
        If no name is given, the name is often left empty.'
      example: foo
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of the agent.
        The agent type always stays the same and should be given by the agent used.
        In case of Filebeat the agent would always be Filebeat also if two Filebeat
        instances are run on the same machine.'
      example: filebeat
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Version of the agent.
      example: 6.0.0-rc2
  - name: as
    title: Autonomous System
    group: 2
    description: An autonomous system (AS) is a collection of connected Internet Protocol
      (IP) routing prefixes under the control of one or more network operators on
      behalf of a single administrative entity or domain that presents a common, clearly
      defined routing policy to the internet.
    type: group
    default_field: true
    fields:
    - name: number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
  - name: client
    title: Client
    group: 2
    description: 'A client is defined as the initiator of a network connection for
      events regarding sessions, connections, or bidirectional flow records.
      For TCP events, the client is the initiator of the TCP connection that sends
      the SYN packet(s). For other protocols, the client is generally the initiator
      or requestor in the network transaction. Some systems use the term "originator"
      to refer to the client in TCP connections. The client fields describe details about
      the system acting as the client in the network event. Client fields are usually
      populated in conjunction with server fields. Client fields are generally not
      populated for packet-level events.
      Client / server representations can add semantic context to an exchange, which
      is helpful to visualize the data in certain situations. If your context falls
      in that category, you should still ensure that source and destination are filled
      appropriately.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event client addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.
        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the client to the server.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the client system.
        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.
        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.
        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.
        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the client (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the client.
        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source based NAT sessions (e.g. internal client
        to internet).
        Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source based NAT sessions (e.g. internal client
        to internet).
        Typically connections traversing load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the client to the server.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the client.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered client domain, stripped of the subdomain.
        For example, the registered domain for "foo.example.com" is "example.com".
        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.
        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".
        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.
        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.
        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.
        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: cloud
    title: Cloud
    group: 2
    description: Fields related to the cloud or infrastructure the events are coming
      from.
    footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
      from its host, the cloud info contains the data about this machine. If Metricbeat
      runs on a remote machine outside the cloud and fetches data from a service running
      in the cloud, the field contains cloud data from the machine the service is
      running on.
      The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to
      describe origin or target service''s cloud information in the context of incoming
      or outgoing requests, respectively. However, the fieldsets cloud.origin.* and
      cloud.target.* must not be confused with the root cloud fieldset that is used
      to describe the cloud context of the actual service under observation. The
      fieldset cloud.origin.* may only be used in the context of incoming requests
      or events to provide the originating service''s cloud information. The fieldset
      cloud.target.* may only be used in the context of outgoing requests or events
      to describe the target service''s cloud information.'
    type: group
    default_field: true
    fields:
    - name: account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.
        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
    - name: account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.
        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
    - name: instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
    - name: instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
    - name: machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
    - name: origin.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.
        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: origin.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.
        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: origin.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: origin.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: origin.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: origin.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: origin.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.
        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: origin.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.
        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: origin.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: origin.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: origin.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.
        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.
        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.
        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
    - name: region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
    - name: service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.
        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: target.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.
        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: target.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.
        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: target.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: target.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: target.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: target.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: target.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.
        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: target.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.
        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: target.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: target.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: target.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.
        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
  - name: code_signature
    title: Code Signature
    group: 2
    description: These fields contain information about binary code signatures.
    type: group
    default_field: true
    fields:
    - name: digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.
        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.
        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.
        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.
        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.
        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.
        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
  - name: container
    title: Container
    group: 2
    description: 'Container fields are used for meta information about the specific
      container that is the source of information.
      These fields help correlate data based on containers from any runtime.'
    type: group
    default_field: true
    fields:
    - name: cpu.usage
      level: extended
      type: scaled_float
      description: 'Percent CPU used which is normalized by the number of CPU cores
        and it ranges from 0 to 1. Scaling factor: 1000.'
      scaling_factor: 1000
      default_field: false
    - name: disk.read.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) read successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: disk.write.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) written successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique container id.
    - name: image.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the image the container was built on.
    - name: image.tag
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container image tags.
    - name: labels
      level: extended
      type: object
      object_type: keyword
      description: Image labels.
    - name: memory.usage
      level: extended
      type: scaled_float
      description: 'Memory usage percentage and it ranges from 0 to 1. Scaling factor:
        1000.'
      scaling_factor: 1000
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container name.
    - name: network.egress.bytes
      level: extended
      type: long
      description: The number of bytes (gauge) sent out on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: network.ingress.bytes
      level: extended
      type: long
      description: The number of bytes received (gauge) on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: runtime
      level: extended
      type: keyword
      ignore_above: 1024
      description: Runtime managing this container.
      example: docker
  - name: data_stream
    title: Data Stream
    group: 2
    description: 'The data_stream fields take part in defining the new data stream
      naming scheme.
      In the new data stream naming scheme the value of the data stream fields combine
      to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
      This means the fields can only contain characters that are valid as part of
      names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
      post].
      An Elasticsearch data stream consists of one or more backing indices, and a
      data stream name forms part of the backing indices names. Due to this convention,
      data streams must also follow index naming restrictions. For example, data stream
      names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
      `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
    type: group
    default_field: true
    fields:
    - name: dataset
      level: extended
      type: constant_keyword
      description: "The field can contain anything that makes sense to signify the\
        \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
        \ etc. For data streams that otherwise fit, but that do not have dataset set\
        \ we use the value \"generic\" for the dataset value. `event.dataset` should\
        \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
        \ data stream naming criteria noted above, the `dataset` value has additional\
        \ restrictions:\n * Must not contain `-`\n * No longer than 100 characters"
      example: nginx.access
      default_field: false
    - name: namespace
      level: extended
      type: constant_keyword
      description: "A user defined namespace. Namespaces are useful to allow grouping\
        \ of data.\nMany users already organize their indices this way, and the data\
        \ stream naming scheme now provides this best practice as a default. Many\
        \ users will populate this field with `default`. If no value is used, it falls\
        \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
        \ above, `namespace` value has the additional restrictions:\n * Must not\
        \ contain `-`\n * No longer than 100 characters"
      example: production
      default_field: false
    - name: type
      level: extended
      type: constant_keyword
      description: 'An overarching type for the data stream.
        Currently allowed values are "logs" and "metrics". We expect to also add "traces"
        and "synthetics" in the near future.'
      example: logs
      default_field: false
- name: destination
title: Destination
group: 2
description: 'Destination fields capture details about the receiver of a network
exchange/packet. These fields are populated from a network event, packet, or
other event containing details of a network transaction.
Destination fields are usually populated in conjunction with source fields.
The source and destination fields are considered the baseline and should always
be filled if an event contains source and destination details from a network
transaction. If the event also contains identification of the client and server
roles, then the client and server fields should also be populated.'
type: group
default_field: true
fields:
- name: address
level: extended
type: keyword
ignore_above: 1024
description: 'Some event destination addresses are defined ambiguously. The
event will sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Organization name.
example: Google LLC
- name: bytes
level: core
type: long
format: bytes
description: Bytes sent from the destination to the source.
example: 184
- name: domain
level: core
type: keyword
ignore_above: 1024
description: 'The domain name of the destination system.
This value may be a host name, a fully qualified domain name, or another host
naming format. The value may derive from the original event or be added from
enrichment.'
example: foo.example.com
- name: geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: ip
level: core
type: ip
description: IP address of the destination (IPv4 or IPv6).
- name: mac
level: core
type: keyword
ignore_above: 1024
description: 'MAC address of the destination.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
byte) is represented by two [uppercase] hexadecimal digits giving the value
of the octet as an unsigned integer. Successive octets are separated by a
hyphen.'
example: 00-00-5E-00-53-23
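# Added example (not part of ECS, Beats or the generated schema): a normaliser
# that turns the MAC notations found in logs into the RFC 7042 form suggested
# above, plus the two first-octet bits worth flagging during enrichment. The
# accepted input notations and the U/L and I/G checks are the editor's
# additions; the field definition itself only fixes the output format.

```python
"""Normalise MAC addresses to the RFC 7042 notation suggested for destination.mac.

Added example; not part of ECS or Beats. Handles the notations commonly found
in logs (colon, hyphen, Cisco dotted, bare hex) and rejects anything that is
not exactly 48 bits, so a pipeline can drop the field instead of indexing a
malformed value.
"""
import re

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return e.g. '00-00-5E-00-53-23' for any accepted input notation."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    """Non-raising variant for filter conditions."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such addresses carry no vendor OUI, which is what randomised or spoofed
    MACs usually look like; useful as an enrichment flag next to the value.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """True if the I/G bit (bit 0 of the first octet) is set, i.e. the frame
    was addressed to a group rather than to a single destination."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)
```

# Run normalize_mac() at parse time and drop the field on ValueError; a
# destination.mac that fails normalisation is usually a parser bug or a field
# mix-up, not a real address, and indexing it only pollutes aggregations.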
- name: nat.ip
level: extended
type: ip
description: 'Translated IP address of the destination, based on NAT sessions
(e.g. internet to private DMZ).
Typically used with load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Port the destination session is translated to by the NAT device.
Typically used with load balancers, firewalls, or routers.'
- name: packets
level: core
type: long
description: Packets sent from the destination to the source.
example: 12
- name: port
level: core
type: long
format: string
description: Port of the destination.
- name: registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered destination domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
- name: subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot be
determined, subdomain contains all of the names below the registered domain.
For example, the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
- name: user.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: User's full name, if available.
example: Albert Einstein
- name: user.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
- name: user.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
- name: user.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name: user.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- name: user.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Short name or login of the user.
example: a.einstein
- name: user.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: dll
title: DLL
group: 2
description: 'These fields contain information about code libraries dynamically
loaded into processes.
Many operating systems refer to "shared code libraries" with different names,
but this field set refers to all of the following:
* Dynamic-link library (`.dll`) commonly used on Windows
* Shared Object (`.so`) commonly used on Unix-like operating systems
* Dynamic library (`.dylib`) commonly used on macOS'
type: group
default_field: true
fields:
- name: code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the library.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the library.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the library.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
default_field: false
- name: hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
default_field: false
- name: hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
default_field: false
- name: hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
default_field: false
- name: hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: name
level: core
type: keyword
ignore_above: 1024
description: 'Name of the library.
This generally maps to the name of the file on disk.'
example: kernel32.dll
default_field: false
- name: path
level: extended
type: keyword
ignore_above: 1024
description: Full file path of the library.
example: C:\Windows\System32\kernel32.dll
default_field: false
- name: pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
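# Added example (not part of ECS, Beats or the generated schema): how the
# pe.imphash value above is computed. The import table is passed in already
# parsed so the example runs offline; in practice a PE parser such as pefile
# supplies it. The canonicalisation follows the widely used pefile rules; the
# ordinal-to-name lookup pefile applies for oleaut32/ws2_32/wsock32 is omitted
# (assumption), and the import tables are constructed for the example.

```python
"""Compute a PE import hash (imphash) for pe.imphash.

Added example; not part of ECS or Beats. `imports` is an ordered list of
(dll_name, [function_name | ordinal, ...]) pairs in import-table order.
Canonicalisation: library name lower-cased with a .dll/.ocx/.sys extension
removed, function names lower-cased, entries joined with ',' in table order,
then MD5 of that string.
"""
import hashlib

_STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def imphash_string(imports) -> str:
    """Canonical string the imphash is computed over."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTENSIONS:
            lib = base
        for func in funcs:
            if isinstance(func, int):
                # Import by ordinal. pefile first resolves well-known ordinals
                # of oleaut32/ws2_32/wsock32 to names; that table is omitted
                # here (assumption), so every ordinal keeps the 'ordN' form.
                name = f"ord{func}"
            else:
                name = func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """Hex MD5 of the canonical import string: the value for pe.imphash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table for a hypothetical loader-style binary.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
    ("USER32.dll", ["MessageBoxA"]),
    ("mfc42.dll", [1234]),
]

# Same imports in a different table order: a different linker layout changes
# the hash, so imphash clusters builds that share a toolchain, not "same code".
REORDERED_IMPORTS = [SAMPLE_IMPORTS[1], SAMPLE_IMPORTS[0], SAMPLE_IMPORTS[2]]
```

# Because the hash is order-sensitive and case-insensitive, two samples with the
# same pe.imphash almost always come from the same build pipeline, while a
# trivial re-link or added import breaks the match; treat it as a pivot, not as
# proof of identity.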
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: dns
title: DNS
group: 2
description: 'Fields describing DNS queries and answers.
DNS events should either represent a single DNS query prior to getting answers
(`dns.type:query`) or they should represent a full exchange and contain the
query details as well as all of the answers that were provided for this query
(`dns.type:answer`).'
type: group
default_field: true
fields:
- name: answers
level: extended
type: object
description: 'An array containing an object for each answer section returned
by the server.
The main keys that should be present in these objects are defined by ECS.
Records that have more information may contain more keys than what ECS defines.
Not all DNS data sources give all details about DNS answers. At minimum, answer
objects must contain the `data` key. If more information is available, map
as much of it to ECS as possible, and add any additional fields to the answer
objects as custom fields.'
- name: answers.class
level: extended
type: keyword
ignore_above: 1024
description: The class of DNS data contained in this resource record.
example: IN
- name: answers.data
level: extended
type: keyword
ignore_above: 1024
description: 'The data describing the resource.
The meaning of this data depends on the type and class of the resource record.'
example: 10.10.10.10
- name: answers.name
level: extended
type: keyword
ignore_above: 1024
description: 'The domain name to which this resource record pertains.
If a chain of CNAME is being resolved, each answer''s `name` should be the
one that corresponds with the answer''s `data`. It should not simply be the
original `question.name` repeated.'
example: www.example.com
- name: answers.ttl
level: extended
type: long
description: The time interval in seconds that this resource record may be cached
before it should be discarded. Zero values mean that the data should not be
cached.
example: 180
- name: answers.type
level: extended
type: keyword
ignore_above: 1024
description: The type of data contained in this resource record.
example: CNAME
- name: header_flags
level: extended
type: keyword
ignore_above: 1024
description: 'Array of 2 letter DNS header flags.
Expected values are: AA, TC, RD, RA, AD, CD, DO.'
example: '["RD", "RA"]'
- name: id
level: extended
type: keyword
ignore_above: 1024
description: The DNS packet identifier assigned by the program that generated
the query. The identifier is copied to the response.
example: 62111
- name: op_code
level: extended
type: keyword
ignore_above: 1024
description: The DNS operation code that specifies the kind of query in the
message. This value is set by the originator of a query and copied into the
response.
example: QUERY
- name: question.class
level: extended
type: keyword
ignore_above: 1024
description: The class of records being queried.
example: IN
- name: question.name
level: extended
type: keyword
ignore_above: 1024
description: 'The name being queried.
If the name field contains non-printable characters (below 32 or above 126),
those characters should be represented as escaped base 10 integers (\DDD).
Back slashes and quotes should be escaped. Tabs, carriage returns, and line
feeds should be converted to \t, \r, and \n respectively.'
example: www.example.com
- name: question.registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
- name: question.subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain is all of the labels under the registered_domain.
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: www
- name: question.top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
- name: question.type
level: extended
type: keyword
ignore_above: 1024
description: The type of record being queried.
example: AAAA
- name: resolved_ip
level: extended
type: ip
description: 'Array containing all IPs seen in `answers.data`.
The `answers` array can be difficult to use, because of the variety of data
formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
makes it possible to index them as IP addresses, and makes them easier to
visualize and query for.'
example: '["10.10.10.10", "10.10.10.11"]'
- name: response_code
level: extended
type: keyword
ignore_above: 1024
description: The DNS response code.
example: NOERROR
- name: type
level: extended
type: keyword
ignore_above: 1024
description: 'The type of DNS event captured, query or answer.
If your source of DNS events only gives you DNS queries, you should only create
dns events of type `dns.type:query`.
If your source of DNS events gives you answers as well, you should create
one event per query (optionally as soon as the query is seen). And a second
event containing all query details as well as an array of answers.'
example: answer
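# Added example (not part of ECS, Beats or the generated schema): building the
# dns.* documents described in this group from one captured exchange. It also
# serves the destination.registered_domain, destination.subdomain and
# destination.top_level_domain descriptions earlier on this page, which call
# for the same public-suffix split. PUBLIC_SUFFIXES is a small constructed
# stand-in for the list at publicsuffix.org, and the DNS exchange is
# constructed as well.

```python
"""Build ECS dns.* documents from a captured DNS exchange.

Added example; not part of ECS or Beats. question.top_level_domain,
question.registered_domain and question.subdomain come from longest-match
against a public suffix list; resolved_ip collects only A/AAAA answer data;
one document per dns.type is emitted.
"""
import ipaddress

# Subset of the public suffix list. '*.' entries are wildcard rules and '!'
# entries are exceptions, with the same meaning as in the real list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ck", "*.ck", "!www.ck"}


def split_domain(domain: str):
    """Return (top_level_domain, registered_domain, subdomain).

    The longest matching rule wins and exceptions beat wildcards; a name with
    no matching rule falls back to the list's default rule '*' (last label).
    If the name is itself a public suffix, registered_domain and subdomain are
    None. Subdomain is every label below the registered domain, the rule that
    applies when the qualification level of the name cannot be determined.
    """
    labels = domain.rstrip(".").lower().split(".")
    suffix_len = 1
    for i in range(len(labels)):
        rest = labels[i:]
        if "!" + ".".join(rest) in PUBLIC_SUFFIXES:
            suffix_len = len(rest) - 1
            break
        if ".".join(rest) in PUBLIC_SUFFIXES or (
                len(rest) >= 2 and ".".join(["*"] + rest[1:]) in PUBLIC_SUFFIXES):
            suffix_len = len(rest)
            break
    if suffix_len >= len(labels):
        return ".".join(labels), None, None
    tld = ".".join(labels[-suffix_len:])
    registered = ".".join(labels[-(suffix_len + 1):])
    subdomain = ".".join(labels[:-(suffix_len + 1)]) or None
    return tld, registered, subdomain


def dns_events(query_id: int, qname: str, qtype: str, answers=None,
               rcode: str = "NOERROR", flags=("RD", "RA")) -> list:
    """Return [query_doc] or [query_doc, answer_doc] as nested dns.* dicts.

    The answer document repeats the question and carries every answer, as the
    dns.type description requires. resolved_ip is filled from A/AAAA data
    only, so CNAME targets never land in an ip-typed field.
    """
    tld, registered, subdomain = split_domain(qname)
    question = {"class": "IN", "name": qname, "type": qtype, "top_level_domain": tld}
    if registered:
        question["registered_domain"] = registered
    if subdomain:
        question["subdomain"] = subdomain
    query_doc = {"type": "query", "id": str(query_id), "op_code": "QUERY",
                 "question": question}
    if answers is None:
        return [query_doc]
    resolved = [str(ipaddress.ip_address(a["data"]))   # raises on malformed data
                for a in answers if a["type"] in ("A", "AAAA")]
    answer_doc = dict(query_doc, type="answer", response_code=rcode,
                      header_flags=list(flags), answers=list(answers),
                      resolved_ip=resolved)
    return [query_doc, answer_doc]


# Constructed exchange: a CNAME chain in which each answer's name is the name
# its data belongs to, rather than a repeat of question.name.
SAMPLE_ANSWERS = [
    {"class": "IN", "name": "www.example.com", "type": "CNAME", "ttl": 300,
     "data": "east.example.com"},
    {"class": "IN", "name": "east.example.com", "type": "A", "ttl": 60,
     "data": "10.10.10.10"},
    {"class": "IN", "name": "east.example.com", "type": "A", "ttl": 60,
     "data": "10.10.10.11"},
]
```

# Taking the last two labels instead of consulting the list would make
# "mydomain.co.uk" collapse to "co.uk" and merge every UK tenant into one
# registered domain, which is exactly the failure the field descriptions warn
# about; keep the real list current, since it changes several times a year.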
- name: ecs
title: ECS
group: 2
description: Meta-information specific to ECS.
type: group
default_field: true
fields:
- name: version
level: core
required: true
type: keyword
ignore_above: 1024
description: 'ECS version this event conforms to. `ecs.version` is a required
field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different
ECS versions -- this field lets integrations adjust to the schema version
of the events.'
example: 1.0.0
- name: elf
title: ELF Header
group: 2
description: These fields contain Linux Executable Linkable Format (ELF) metadata.
type: group
default_field: true
fields:
- name: architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte order (endianness) of the ELF file.
example: Little Endian
default_field: false
- name: cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
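# Added example (not part of ECS, Beats or the generated schema): a parser for
# the fixed-size ELF header that fills the elf.header.* fields above together
# with elf.architecture and elf.byte_order. The name tables are small subsets
# (assumption); unknown codes are reported numerically rather than guessed.
# The two header blobs are constructed in the block, not taken from real
# binaries.

```python
"""Parse the ELF identification and file header into elf.* fields.

Added example; not part of ECS or Beats. Only the header is read, which is
enough for elf.header.class, elf.byte_order, elf.header.version,
elf.header.os_abi, elf.header.abi_version, elf.header.type, elf.architecture,
elf.header.object_version and elf.header.entrypoint. A truncated or non-ELF
blob raises ValueError.
"""
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
BYTE_ORDERS = {1: "Little Endian", 2: "Big Endian"}
OS_ABIS = {0: "SYSV", 3: "LINUX", 9: "FREEBSD"}           # subset (assumption)
TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}

# Layout after the 16-byte e_ident block: e_type, e_machine, e_version,
# e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
# e_shentsize, e_shnum, e_shstrndx. Address-sized fields differ by class.
_HEADER_FMT = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}


def is_elf(blob: bytes) -> bool:
    return len(blob) >= 16 and blob[:4] == ELF_MAGIC


def parse_elf_header(blob: bytes) -> dict:
    if not is_elf(blob):
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = blob[4:9]
    if ei_class not in CLASSES or ei_data not in BYTE_ORDERS:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    fmt = ("<" if ei_data == 1 else ">") + _HEADER_FMT[ei_class]
    if len(blob) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    e_type, e_machine, e_version, e_entry = struct.unpack_from(fmt, blob, 16)[:4]
    return {
        "elf.header.class": CLASSES[ei_class],
        "elf.byte_order": BYTE_ORDERS[ei_data],
        "elf.header.version": str(ei_version),
        "elf.header.os_abi": OS_ABIS.get(ei_osabi, f"UNKNOWN({ei_osabi})"),
        "elf.header.abi_version": str(ei_abiversion),
        "elf.header.type": TYPES.get(e_type, f"UNKNOWN({e_type})"),
        "elf.architecture": MACHINES.get(e_machine, f"UNKNOWN({e_machine:#x})"),
        "elf.header.object_version": hex(e_version),
        "elf.header.entrypoint": e_entry,
    }


def build_header(ei_class, ei_data, e_type, e_machine, e_entry) -> bytes:
    """Assemble a minimal header blob (constructed test input, no real binary)."""
    fmt = ("<" if ei_data == 1 else ">") + _HEADER_FMT[ei_class]
    ehsize = 16 + struct.calcsize(fmt)
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack(fmt, e_type, e_machine, 1, e_entry, ehsize, 0, 0,
                               ehsize, 0, 0, 0, 0, 0)


SAMPLE_ELF64_PIE = build_header(2, 1, 3, 0x3E, 0x1040)   # x86-64, LE, DYN
SAMPLE_ELF32_ARM = build_header(1, 2, 2, 0x28, 0x8000)   # ARM, BE, EXEC
```

# The header is attacker-controlled input: bounds are checked before every
# unpack, and a wrong class or data encoding is rejected instead of being
# mapped to a default, so a malformed sample cannot masquerade as a valid
# x86-64 object in the index.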
- name: imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: sections.chi2
level: extended
type: long
format: number
description: Chi-square probability distribution of the section.
default_field: false
- name: sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
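# Added example (not part of ECS, Beats or the generated schema): how the
# elf.sections.entropy and elf.sections.chi2 values above are computed from a
# section's bytes, and how they are read together. The packed-section
# threshold is an assumption and the two sample sections are constructed.
# Note that this mapping types both fields as long, so the floats produced
# here are truncated at ingest unless the mapping is changed.

```python
"""Section statistics for elf.sections.entropy and elf.sections.chi2.

Added example; not part of ECS or Beats. High entropy together with a
chi-square statistic near zero is the signature of packed or encrypted
content; code and text score much lower on entropy and far higher on
chi-square because their byte histogram is anything but uniform.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when all 256
    values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over the 256 possible values."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def section_entry(name: str, data: bytes) -> dict:
    """One element of the elf.sections array, using the ECS sub-field names."""
    return {
        "name": name,
        "physical_size": len(data),
        "entropy": shannon_entropy(data),
        "chi2": chi_square(data),
    }


def looks_packed(entry: dict, entropy_min: float = 7.2) -> bool:
    """Heuristic flag for a section whose content looks compressed or
    encrypted. 7.2 bits/byte is a common starting threshold (assumption)."""
    return entry["entropy"] >= entropy_min


# Constructed sections: readable strings versus seeded pseudo-random bytes
# standing in for a packed payload.
RODATA = b"The quick brown fox jumps over the lazy dog. " * 50
_rng = random.Random(0)
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
```

# Entropy alone misfires on genuinely compressed resources and on tiny
# sections; checking that the section is executable (elf.sections.flags) or
# that the entry point lands inside it is what turns "high entropy" into a
# packing signal.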
- name: sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: error
title: Error
group: 2
description: 'These fields can represent errors of any kind.
Use them for errors that happen while fetching events or in cases where the
event itself contains an error.'
type: group
default_field: true
fields:
- name: code
level: core
type: keyword
ignore_above: 1024
description: Error code describing the error.
- name: id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier for the error.
- name: message
level: core
type: match_only_text
description: Error message.
- name: stack_trace
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
default_field: false
description: The stack trace of this error in plain text.
- name: type
level: extended
type: keyword
ignore_above: 1024
description: The type of the error, for example the class name of the exception.
example: java.lang.NullPointerException
- name: event
title: Event
group: 2
description: 'The event fields are used for context information about the log
or metric event itself.
A log is defined as an event containing details of something that happened.
Log events must include the time at which the thing happened. Examples of log
events include a process starting on a host, a network packet being sent from
a source to a destination, or a network connection between a client and a server
being initiated or closed. A metric is defined as an event containing one or
more numerical measurements and the time at which the measurement was taken.
Examples of metric events include memory pressure measured on a host and device
temperature. See the `event.kind` definition in this section for additional
details about metric and state events.'
type: group
default_field: true
fields:
- name: action
level: core
type: keyword
ignore_above: 1024
description: 'The action captured by the event.
This describes the information in the event. It is more specific than `event.category`.
Examples are `group-add`, `process-started`, `file-created`. The value is
normally defined by the implementer.'
example: user-password-change
- name: agent_id_status
level: extended
type: keyword
ignore_above: 1024
description: 'Agents are normally responsible for populating the `agent.id`
field value. If the system receiving events is capable of validating the value
based on authentication information for the client then this field can be
used to reflect the outcome of that validation.
For example if the agent''s connection is authenticated with mTLS and the
client cert contains the ID of the agent to which the cert was issued then
the `agent.id` value in events can be checked against the certificate. If
the values match then `event.agent_id_status: verified` is added to the event,
otherwise one of the other allowed values should be used.
If no validation is performed then the field should be omitted.
The allowed values are:
`verified` - The `agent.id` field value matches expected value obtained from
auth metadata.
`mismatch` - The `agent.id` field value does not match the expected value
obtained from auth metadata.
`missing` - There was no `agent.id` field in the event to validate.
`auth_metadata_missing` - There was no auth metadata or it was missing information
about the agent ID.'
example: verified
default_field: false
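# Added example (not part of ECS, Beats or the generated schema): deriving the
# four documented event.agent_id_status values on a receiver that has
# authenticated the agent's connection. Where the agent ID lives in the client
# credential is deployment-specific; here it is assumed to be the certificate
# CN, and the events and subjects used are constructed.

```python
"""Derive event.agent_id_status from the transport's authentication metadata.

Added example; not part of ECS or Beats. The receiver is assumed to have
already authenticated the connection (e.g. mTLS) and placed the agent ID the
credential was issued for in auth_metadata["agent_id"]. Events are nested
ECS documents as they appear in _source. Only the four documented values are
produced, and nothing is set when validation is not performed.
"""
from typing import Optional

VERIFIED = "verified"
MISMATCH = "mismatch"
MISSING = "missing"
AUTH_METADATA_MISSING = "auth_metadata_missing"


def agent_id_status(event: dict, auth_metadata: Optional[dict]) -> str:
    """Return the event.agent_id_status value for one event.

    Design choice: the credential is checked first, because without an
    expected value there is nothing to compare agent.id against, even when
    the event carries one.
    """
    expected = (auth_metadata or {}).get("agent_id")
    if not expected:
        return AUTH_METADATA_MISSING
    claimed = (event.get("agent") or {}).get("id")
    if not claimed:
        return MISSING
    return VERIFIED if claimed == expected else MISMATCH


def annotate(event: dict, auth_metadata: Optional[dict], validate: bool = True) -> dict:
    """Add event.agent_id_status when validation is performed; otherwise leave
    the document untouched, as the field description asks."""
    if validate:
        event.setdefault("event", {})["agent_id_status"] = agent_id_status(event, auth_metadata)
    return event


def agent_id_from_cert_subject(subject: str) -> Optional[str]:
    """Extract the agent ID from a certificate subject whose CN is the agent
    ID, e.g. 'CN=agent-a1b2c3,OU=fleet,O=Example'. How IDs are bound to
    certificates is an assumption; adapt to the real issuance scheme."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None


# Constructed inputs.
CERT_SUBJECT = "CN=agent-a1b2c3,OU=fleet,O=Example"
AUTH = {"agent_id": agent_id_from_cert_subject(CERT_SUBJECT)}
GOOD_EVENT = {"agent": {"id": "agent-a1b2c3"}, "host": {"name": "web-1"}}
SPOOFED_EVENT = {"agent": {"id": "agent-zzz999"}, "host": {"name": "web-1"}}
```

# A `mismatch` is the interesting outcome: the connection was authenticated as
# one agent while the events claim to come from another, which is either a
# misconfigured enrolment or a compromised host reusing someone else's
# identity. Alert on it rather than silently accepting the claimed agent.id.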
- name: category
level: core
type: keyword
ignore_above: 1024
description: 'This is one of four ECS Categorization Fields, and indicates the
second level in the ECS category hierarchy.
`event.category` represents the "big buckets" of ECS categories. For example,
filtering on `event.category:process` yields all events relating to process
activity. This field is closely related to `event.type`, which is used as
a subcategory.
This field is an array. This will allow proper categorization of some events
that fall in multiple categories.'
example: authentication
- name: code
level: extended
type: keyword
ignore_above: 1024
description: 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is
the Windows Event ID.'
example: 4648
- name: created
level: core
type: date
description: 'event.created contains the date/time when the event was first
read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contains
the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference
can be used to calculate the delay between your source generating an event,
and the time when your agent first processed it. This can be used to monitor
your agent''s or pipeline''s ability to keep up with your event source.
In case the two timestamps are identical, @timestamp should be used.'
example: '2016-05-23T08:05:34.857Z'
- name: dataset
level: core
type: keyword
ignore_above: 1024
description: 'Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access
log, error log), the dataset is used to specify which one the event comes
from.
It''s recommended but not required to start the dataset name with the module
name, followed by a dot, then the dataset name.'
example: apache.access
- name: duration
level: core
type: long
format: duration
input_format: nanoseconds
output_format: asMilliseconds
output_precision: 1
description: 'Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference
between the end and start time.'
- name: end
level: extended
type: date
description: event.end contains the date when the event ended or when the activity
was last observed.
- name: hash
level: extended
type: keyword
ignore_above: 1024
description: Hash (for example a Logstash fingerprint) of the raw field, kept
to be able to demonstrate log integrity.
example: 123456789012345678901234567890ABCD
- name: id
level: core
type: keyword
ignore_above: 1024
description: Unique ID to describe the event.
example: 8a4f500d
- name: ingested
level: core
type: date
description: 'Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It''s
also different from `event.created`, which is meant to capture the first time
an agent saw the event.
In normal conditions, assuming no tampering, the timestamps should chronologically
look like this: `@timestamp` < `event.created` < `event.ingested`.'
example: '2016-05-23T08:05:35.101Z'
default_field: false
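# Added example (not part of ECS, Beats or the generated schema): the
# `@timestamp` < `event.created` < `event.ingested` chronology described for
# event.created and event.ingested, turned into pipeline-lag measurements and
# an ordering check, plus event.duration derived from event.start and
# event.end as the event.duration description specifies. The documents are
# constructed from the example values in this section; the skew tolerance is
# an assumption.

```python
"""Timestamp chronology checks and event.duration for ECS event documents.

Added example; not part of ECS or Beats. Events are nested documents with
RFC 3339 timestamps. The lags are what a pipeline charts to watch its own
backlog; the ordering check flags documents where the expected order is
broken, which points at clock skew or a tampered source timestamp.
"""
from datetime import datetime


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing 'Z' is accepted as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def timestamp_lags(event: dict) -> dict:
    """Seconds from origin to first agent read (collection) and from agent
    read to arrival in the data store (ingest)."""
    ts = parse_ts(event["@timestamp"])
    created = parse_ts(event["event"]["created"])
    ingested = parse_ts(event["event"]["ingested"])
    return {"collection_delay": (created - ts).total_seconds(),
            "ingest_delay": (ingested - created).total_seconds()}


def chronology_violations(event: dict, tolerance_s: float = 0.0) -> list:
    """Return the ordering rules this event breaks (empty when all hold).
    tolerance_s absorbs identical timestamps and small clock differences."""
    ts = parse_ts(event["@timestamp"])
    created = parse_ts(event["event"]["created"])
    ingested = parse_ts(event["event"]["ingested"])
    problems = []
    if (ts - created).total_seconds() > tolerance_s:
        problems.append("@timestamp is later than event.created")
    if (created - ingested).total_seconds() > tolerance_s:
        problems.append("event.created is later than event.ingested")
    return problems


def duration_ns(event: dict) -> int:
    """event.duration in nanoseconds as event.end - event.start, computed in
    integer arithmetic so long spans lose no precision."""
    delta = parse_ts(event["event"]["end"]) - parse_ts(event["event"]["start"])
    return (delta.days * 86400 + delta.seconds) * 10**9 + delta.microseconds * 1000


# Constructed documents built from the example values in the field definitions.
NORMAL_EVENT = {
    "@timestamp": "2016-05-23T08:05:34.853Z",
    "event": {"created": "2016-05-23T08:05:34.857Z",
              "ingested": "2016-05-23T08:05:35.101Z",
              "start": "2016-05-23T08:05:34.853Z",
              "end": "2016-05-23T08:05:36.103Z"},
}
# Source clock 25 seconds ahead: the origin timestamp postdates collection.
SKEWED_EVENT = {
    "@timestamp": "2016-05-23T08:05:59.857Z",
    "event": {"created": "2016-05-23T08:05:34.857Z",
              "ingested": "2016-05-23T08:05:35.101Z"},
}
```

# A source whose `@timestamp` regularly postdates `event.created` has a clock
# problem or is being fed back-dated records; either way its timeline cannot be
# trusted for correlation until the skew is measured and corrected.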
- name: kind
level: core
type: keyword
ignore_above: 1024
description: 'This is one of four ECS Categorization Fields, and indicates the
highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the
event contains, without being specific to the contents of the event. For example,
values of this field distinguish alert events from metric events.
The value of this field can be used to inform how these kinds of events should
be handled. They may warrant different retention or different access control,
and it may also help to understand whether the data is coming in at a regular
interval or not.'
example: alert
- name: module
level: core
type: keyword
ignore_above: 1024
description: 'Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process
events of a given source (e.g. Apache logs), `event.module` should contain
the name of this module.'
example: apache
- name: original
level: core
type: keyword
description: 'Raw text message of entire event. Used to demonstrate log integrity
or where the full log message (before splitting it up in multiple parts) may
be required, e.g. for reindex.
This field is not indexed and doc_values are disabled. It cannot be searched,
but it can be retrieved from `_source`. If users wish to override this and
index this field, please see `Field data types` in the `Elasticsearch Reference`.'
example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
index: false
doc_values: false
- name: outcome
level: core
type: keyword
ignore_above: 1024
description: 'This is one of four ECS Categorization Fields, and indicates the
lowest level in the ECS category hierarchy.
`event.outcome` simply denotes whether the event represents a success or a
failure from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each
event may populate different values of `event.outcome`, according to their
perspective.
Also note that in the case of a compound event (a single event that contains
multiple logical events), this field should be populated with the value that
best captures the overall success or failure from the perspective of the event
producer.
Further note that not all events will have an associated outcome. For example,
this field is generally not populated for metric events, events with `event.type:info`,
or any events for which an outcome does not make logical sense.'
example: success
- name: provider
level: extended
type: keyword
ignore_above: 1024
description: 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention
the source of an event. It can be the name of the software that generated
the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
(kernel, Microsoft-Windows-Security-Auditing).'
example: kernel
- name: reason
level: extended
type: keyword
ignore_above: 1024
description: 'Reason why this event happened, according to the source.
This describes the why of a particular action or outcome captured in the event.
Where `event.action` captures the action from the event, `event.reason` describes
why that action was taken. For example, a web proxy with an `event.action`
which denied the request may also populate `event.reason` with the reason
why (e.g. `blocked site`).'
example: Terminated an unexpected process
default_field: false
- name: reference
level: extended
type: keyword
ignore_above: 1024
description: 'Reference URL linking to additional information about this event.
This URL links to a static definition of this event. Alert events, indicated
by `event.kind:alert`, are a common use case for this field.'
example: https://system.example.com/event/#0001234
default_field: false
- name: risk_score
level: core
type: float
description: Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
- name: risk_score_norm
level: extended
type: float
description: 'Normalized risk score or priority of the event, on a scale of
0 to 100.
This is mainly useful if you use more than one system that assigns risk scores,
and you want to see a normalized value across all systems.'
- name: sequence
level: extended
type: long
format: string
description: 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the
exact ordering of events unambiguous, regardless of the timestamp precision.'
- name: severity
level: core
type: long
format: string
description: 'The numeric severity of the event according to your event source.
What the different severity values mean can be different between sources and
use cases. It''s up to the implementer to make sure severities are consistent
across events from the same source.
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
is meant to represent the severity according to the event source (e.g. firewall,
IDS). If the event source does not publish its own severity, you may optionally
copy the `log.syslog.severity.code` to `event.severity`.'
example: 7
- name: start
level: extended
type: date
description: event.start contains the date when the event started or when the
activity was first observed.
- name: timezone
level: extended
type: keyword
ignore_above: 1024
description: 'This field should be populated when the event''s timestamp does
not include timezone information already (e.g. default Syslog timestamps).
It''s optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
- name: type
level: core
type: keyword
ignore_above: 1024
description: 'This is one of four ECS Categorization Fields, and indicates the
third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along
with the `event.category` field values, enables filtering events down to a
level appropriate for single visualization.
This field is an array. This will allow proper categorization of some events
that fall in multiple event types.'
- name: url
level: extended
type: keyword
ignore_above: 1024
description: 'URL linking to an external system to continue investigation of
this event.
This URL links to another system where in-depth investigation of the specific
occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
default_field: false
- name: faas
title: FaaS
group: 2
description: The faas fields describe information about the function as a service
that is relevant to the event.
type: group
default_field: true
fields:
- name: coldstart
level: extended
type: boolean
description: Boolean value indicating a cold start of a function.
default_field: false
- name: execution
level: extended
type: keyword
ignore_above: 1024
description: The execution ID of the current function execution.
example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
default_field: false
- name: trigger
level: extended
type: nested
description: Details about the function trigger.
default_field: false
- name: trigger.request_id
level: extended
type: keyword
ignore_above: 1024
description: The ID of the trigger request, message, event, etc.
example: 123456789
default_field: false
- name: trigger.type
level: extended
type: keyword
ignore_above: 1024
description: "The trigger for the function execution.\nExpected values are:\n\
\ * http\n * pubsub\n * datasource\n * timer\n * other"
example: http
default_field: false
- name: file
title: File
group: 2
description: 'A file is defined as a set of information that has been created
on, or has existed on a filesystem.
File objects can be associated with host events, network events, and/or file
events (e.g., those produced by File Integrity Monitoring [FIM] products or
services). File fields provide details about the affected file associated with
the event or metric.'
type: group
default_field: true
fields:
- name: accessed
level: extended
type: date
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
- name: attributes
level: extended
type: keyword
ignore_above: 1024
description: 'Array of file attributes.
Attributes names will vary by platform. Here''s a non-exhaustive list of values
that are expected in this field: archive, compressed, directory, encrypted,
execute, hidden, read, readonly, system, write.'
example: '["readonly", "system"]'
default_field: false
- name: code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the process.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: created
level: extended
type: date
description: 'File creation time.
Note that not all filesystems store the creation time.'
- name: ctime
level: extended
type: date
description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
- name: device
level: extended
type: keyword
ignore_above: 1024
description: Device that is the source of the file.
example: sda
- name: directory
level: extended
type: keyword
ignore_above: 1024
description: Directory where the file is located. It should include the drive
letter, when appropriate.
example: /home/alice
- name: drive_letter
level: extended
type: keyword
ignore_above: 1
description: 'Drive letter where the file is located. This field is only relevant
on Windows.
The value should be uppercase, and not include the colon.'
example: C
default_field: false
- name: elf.architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: elf.byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte sequence of ELF file.
example: Little Endian
default_field: false
- name: elf.cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: elf.creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: elf.exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: elf.header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: elf.header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: elf.header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: elf.header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: elf.header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: elf.header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: elf.header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: elf.header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
- name: elf.imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: elf.sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: elf.sections.chi2
level: extended
type: long
format: number
description: Chi-square probability distribution of the section.
default_field: false
- name: elf.sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
- name: elf.sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: elf.sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: elf.sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: elf.sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: elf.sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: elf.sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: elf.sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: elf.segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: elf.segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: elf.segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: elf.shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: elf.telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: extension
level: extended
type: keyword
ignore_above: 1024
description: 'File extension, excluding the leading dot.
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
- name: fork_name
level: extended
type: keyword
ignore_above: 1024
description: 'A fork is additional data associated with a filesystem object.
On Linux, a resource fork is used to store additional data with a filesystem
object. A file always has at least one fork for the data portion, and additional
forks may exist.
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
data stream for a file is just called $DATA. Zone.Identifier is commonly used
by Windows to track contents downloaded from the Internet. An ADS is typically
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
is the value that should populate `fork_name`. `filename.extension` should
populate `file.name`, and `extension` should populate `file.extension`. The
full path, `file.path`, will include the fork name.'
example: Zone.Identifier
default_field: false
- name: gid
level: extended
type: keyword
ignore_above: 1024
description: Primary group ID (GID) of the file.
example: '1001'
- name: group
level: extended
type: keyword
ignore_above: 1024
description: Primary group name of the file.
example: alice
- name: hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: inode
level: extended
type: keyword
ignore_above: 1024
description: Inode representing the file in the filesystem.
example: '256383'
- name: mime_type
level: extended
type: keyword
ignore_above: 1024
description: MIME type should identify the format of the file or stream of bytes
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
official types], where possible. When more than one type is applicable, the
most specific type should be used.
default_field: false
- name: mode
level: extended
type: keyword
ignore_above: 1024
description: Mode of the file in octal representation.
example: '0640'
- name: mtime
level: extended
type: date
description: Last time the file content was modified.
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Name of the file including the extension, without the directory.
example: example.png
- name: owner
level: extended
type: keyword
ignore_above: 1024
description: File owner's username.
example: alice
- name: path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Full path to the file, including the file name. It should include
the drive letter, when appropriate.
example: /home/alice/example.png
- name: pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: size
level: extended
type: long
description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
- name: target_path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Target path for symlinks.
- name: type
level: extended
type: keyword
ignore_above: 1024
description: File type (file, dir, or symlink).
example: file
- name: uid
level: extended
type: keyword
ignore_above: 1024
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
- name: x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common name (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: geo
title: Geo
group: 2
description: 'Geo fields can carry data about a specific location related to an
event.
This geolocation information can be derived from techniques such as Geo IP,
or be user-supplied.'
type: group
default_field: true
fields:
- name: city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: group
title: Group
group: 2
description: The group fields are meant to represent groups that are relevant
to the event.
type: group
default_field: true
fields:
- name: domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- name: id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
- name: hash
title: Hash
group: 2
description: 'The hash fields represent different bitwise hash algorithms and
their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
other hashes by lowercasing the hash algorithm name and using underscore separators
as appropriate (snake case, e.g. sha3_512).
Note that this fieldset is used for common hashes that may be computed over
a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
placed in the fieldsets to which they relate (tls and pe, respectively).'
type: group
default_field: true
fields:
- name: md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: host
title: Host
group: 2
description: 'A host is defined as a general computing instance.
ECS host.* fields should be populated with details about the host on which the
event happened, or from which the measurement was taken. Host types include
hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type: group
default_field: true
fields:
- name: architecture
level: core
type: keyword
ignore_above: 1024
description: Operating system architecture.
example: x86_64
- name: cpu.usage
level: extended
type: scaled_float
description: 'Percent CPU used which is normalized by the number of CPU cores
and it ranges from 0 to 1.
Scaling factor: 1000.
For example: For a two core host, this value should be the average of the
two cores, between 0 and 1.'
scaling_factor: 1000
default_field: false
- name: disk.read.bytes
level: extended
type: long
description: The total number of bytes (gauge) read successfully (aggregated
from all disks) since the last metric collection.
default_field: false
- name: disk.write.bytes
level: extended
type: long
description: The total number of bytes (gauge) written successfully (aggregated
from all disks) since the last metric collection.
default_field: false
- name: domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the domain of which the host is a member.
For example, on Windows this could be the host''s Active Directory domain
or NetBIOS domain name. For Linux this could be the domain of the host''s
LDAP provider.'
example: CONTOSO
default_field: false
- name: geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: hostname
level: core
type: keyword
ignore_above: 1024
description: 'Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.'
- name: id
level: core
type: keyword
ignore_above: 1024
description: 'Unique host id.
As hostname is not always unique, use values that are meaningful in your environment.
Example: The current usage of `beat.name`.'
- name: ip
level: core
type: ip
description: Host ip addresses.
- name: mac
level: core
type: keyword
ignore_above: 1024
description: 'Host MAC addresses.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
byte) is represented by two [uppercase] hexadecimal digits giving the value
of the octet as an unsigned integer. Successive octets are separated by a
hyphen.'
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
- name: name
level: core
type: keyword
ignore_above: 1024
description: 'Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified
domain name, or a name specified by the user. The sender decides which value
to use.'
- name: network.egress.bytes
level: extended
type: long
description: The number of bytes (gauge) sent out on all network interfaces
by the host since the last metric collection.
default_field: false
- name: network.egress.packets
level: extended
type: long
description: The number of packets (gauge) sent out on all network interfaces
by the host since the last metric collection.
default_field: false
- name: network.ingress.bytes
level: extended
type: long
description: The number of bytes received (gauge) on all network interfaces
by the host since the last metric collection.
default_field: false
- name: network.ingress.packets
level: extended
type: long
description: The number of packets (gauge) received on all network interfaces
by the host since the last metric collection.
default_field: false
- name: os.family
level: extended
type: keyword
ignore_above: 1024
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
- name: os.full
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, including the version or code name.
example: Mac OS Mojave
- name: os.kernel
level: extended
type: keyword
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- name: os.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, without the version.
example: Mac OS X
- name: os.platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of the following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
ignore_above: 1024
description: Operating system version as a raw string.
example: 10.14.1
- name: type
level: core
type: keyword
ignore_above: 1024
description: 'Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm,
this could be the container, for example, or other information meaningful
in your environment.'
- name: uptime
level: extended
type: long
description: Seconds the host has been up.
example: 1325
- name: http
title: HTTP
group: 2
description: Fields related to HTTP activity. Use the `url` field set to store
the url of the request.
type: group
default_field: true
fields:
- name: request.body.bytes
level: extended
type: long
format: bytes
description: Size in bytes of the request body.
example: 887
- name: request.body.content
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
default_field: false
description: The full HTTP request body.
example: Hello world
- name: request.bytes
level: extended
type: long
format: bytes
description: Total size in bytes of the request (body and headers).
example: 1437
- name: request.id
level: extended
type: keyword
ignore_above: 1024
description: 'A unique identifier for each HTTP request to correlate logs between
clients and servers in transactions.
The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
or `X-Correlation-ID`.'
example: 123e4567-e89b-12d3-a456-426614174000
default_field: false
- name: request.method
level: extended
type: keyword
ignore_above: 1024
description: 'HTTP request method.
The value should retain its casing from the original event. For example, `GET`,
`get`, and `GeT` are all considered valid values for this field.'
example: POST
- name: request.mime_type
level: extended
type: keyword
ignore_above: 1024
description: 'Mime type of the body of the request.
This value must only be populated based on the content of the request body,
not on the `Content-Type` header. Comparing the mime type of a request with
the request''s Content-Type header can be helpful in detecting threats or
misconfigured clients.'
example: image/gif
default_field: false
- name: request.referrer
level: extended
type: keyword
ignore_above: 1024
description: Referrer for this HTTP request.
example: https://blog.example.com/
- name: response.body.bytes
level: extended
type: long
format: bytes
description: Size in bytes of the response body.
example: 887
- name: response.body.content
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
default_field: false
description: The full HTTP response body.
example: Hello world
- name: response.bytes
level: extended
type: long
format: bytes
description: Total size in bytes of the response (body and headers).
example: 1437
- name: response.mime_type
level: extended
type: keyword
ignore_above: 1024
description: 'Mime type of the body of the response.
This value must only be populated based on the content of the response body,
not on the `Content-Type` header. Comparing the mime type of a response with
the response''s Content-Type header can be helpful in detecting misconfigured
servers.'
example: image/gif
default_field: false
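The two `mime_type` descriptions above (request and response) ask for a type derived from the body bytes, never from `Content-Type`, and then suggest comparing the two. The following is an added example of that check; it is not Filebeat or ECS code. The magic-byte table is a constructed subset of well-known file signatures, the helper names (`sniff_mime`, `classify_body`) are this example's own, and the `declared_content_type` / `mismatch` keys are illustration fields, not ECS fields.

```python
import json
from typing import Dict, Optional

# Constructed magic-byte table (well-known file signatures). A production
# sniffer would use libmagic or the WHATWG MIME Sniffing algorithm instead.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"<?xml", "application/xml"),
]

# Declared types that make no real claim about the body, so a difference
# from the sniffed type is not treated as a mismatch.
GENERIC_TYPES = {"", "application/octet-stream", "*/*"}


def sniff_mime(body: bytes) -> Optional[str]:
    """Derive a MIME type from the body bytes alone (never from headers)."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    stripped = body.lstrip()
    if stripped[:1] in (b"{", b"["):
        try:
            json.loads(body)
            return "application/json"
        except ValueError:
            pass
    if stripped[:14].lower().startswith((b"<html", b"<!doctype html")):
        return "text/html"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch in "\t\n\r" or ch >= " " for ch in text):
        return "text/plain"
    return None  # empty, or binary with no recognised signature


def classify_body(headers: Dict[str, str], body: bytes, side: str = "request") -> dict:
    """Populate http.<side>.mime_type from the body and flag a header mismatch.

    side is "request" or "response"; the ECS rule is the same for both.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    declared = lowered.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_mime(body)
    if sniffed is None or declared in GENERIC_TYPES:
        mismatch = False
    elif sniffed == "text/plain" and declared.startswith("text/"):
        mismatch = False  # the sniffer only knows "this is text"; any text/* is consistent
    else:
        mismatch = sniffed != declared
    return {
        "http.%s.mime_type" % side: sniffed,
        "declared_content_type": declared,
        "mismatch": mismatch,
    }
```

A `mismatch` of `True` with a declared image type and a sniffed executable or script body is the upload-bypass pattern the description alludes to; a mismatch between two text types is usually a client bug rather than an attack, which is why the text/plain fallback is treated as compatible with any `text/*` claim.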
- name: response.status_code
level: extended
type: long
format: string
description: HTTP response status code.
example: 404
- name: version
level: extended
type: keyword
ignore_above: 1024
description: HTTP version.
example: 1.1
- name: interface
title: Interface
group: 2
description: The interface fields are used to record ingress and egress interface
information when reported by an observer (e.g. firewall, router, load balancer)
in the context of the observer handling a network connection. In the case of
a single observer interface (e.g. network sensor on a span port) only the observer.ingress
information should be populated.
type: group
default_field: true
fields:
- name: alias
level: extended
type: keyword
ignore_above: 1024
description: Interface alias as reported by the system, typically used in firewall
implementations for e.g. inside, outside, or dmz logical interface naming.
example: outside
default_field: false
- name: id
level: extended
type: keyword
ignore_above: 1024
description: Interface ID as reported by an observer (typically SNMP interface
ID).
example: 10
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Interface name as reported by the system.
example: eth0
default_field: false
- name: log
title: Log
group: 2
description: 'Details about the event''s logging mechanism or logging transport.
The log.* fields are typically populated with details about the logging mechanism
used to create and/or transport the event. For example, syslog details belong
under `log.syslog.*`.
The details specific to your event source are typically not logged under `log.*`,
but rather in `event.*` or in other ECS fields.'
type: group
default_field: true
fields:
- name: file.path
level: extended
type: keyword
ignore_above: 1024
description: 'Full path to the log file this event came from, including the
file name. It should include the drive letter, when appropriate.
If the event wasn''t read from a log file, do not populate this field.'
example: /var/log/fun-times.log
default_field: false
- name: level
level: core
type: keyword
ignore_above: 1024
description: 'Original log level of the log event.
If the source of the event provides a log level or textual severity, this
is the one that goes in `log.level`. If your source doesn''t specify one,
you may put your event transport''s severity here (e.g. Syslog severity).
Some examples are `warn`, `err`, `i`, `informational`.'
example: error
- name: logger
level: core
type: keyword
ignore_above: 1024
description: The name of the logger inside an application. This is usually the
name of the class which initialized the logger, or can be a custom name.
example: org.elasticsearch.bootstrap.Bootstrap
- name: origin.file.line
level: extended
type: long
description: The line number of the file containing the source code which originated
the log event.
example: 42
- name: origin.file.name
level: extended
type: keyword
ignore_above: 1024
description: 'The name of the file containing the source code which originated
the log event.
Note that this field is not meant to capture the log file. The correct field
to capture the log file is `log.file.path`.'
example: Bootstrap.java
- name: origin.function
level: extended
type: keyword
ignore_above: 1024
description: The name of the function or method which originated the log event.
example: init
- name: syslog
level: extended
type: object
description: The Syslog metadata of the event, if the event was transmitted
via Syslog. Please see RFCs 5424 or 3164.
- name: syslog.facility.code
level: extended
type: long
format: string
description: 'The Syslog numeric facility of the log event, if available.
According to RFCs 5424 and 3164, this value should be an integer between 0
and 23.'
example: 23
- name: syslog.facility.name
level: extended
type: keyword
ignore_above: 1024
description: The Syslog text-based facility of the log event, if available.
example: local7
- name: syslog.priority
level: extended
type: long
format: string
description: 'Syslog numeric priority of the event, if available.
According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
This number is therefore expected to contain a value between 0 and 191.'
example: 135
- name: syslog.severity.code
level: extended
type: long
description: 'The Syslog numeric severity of the log event, if available.
If the event source publishing via Syslog provides a different numeric severity
value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
If the event source does not specify a distinct severity, you can optionally
copy the Syslog severity to `event.severity`.'
example: 3
- name: syslog.severity.name
level: extended
type: keyword
ignore_above: 1024
description: 'The Syslog text-based severity of the log event, if available.
If the event source publishing via Syslog provides a different severity value
(e.g. firewall, IDS), your source''s text severity should go to `log.level`.
If the event source does not specify a distinct severity, you can optionally
copy the Syslog severity to `log.level`.'
example: Error
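The `log.syslog.*` descriptions above give the PRI arithmetic (priority = 8 * facility + severity, 0 to 191) and the rule for where severities belong: the source's own severity goes to `event.severity` / `log.level`, and the syslog transport severity is only copied there when the source has none. The following added example (not Filebeat or ECS code) decodes a raw syslog PRI header into those fields. The facility and severity short names are this example's assumption, drawn from the RFC 5424 tables in rsyslog-style spelling; the sample lines are constructed.

```python
import re
from typing import Optional

# RFC 5424 Table 1 facilities (0..23) and Table 2 severities (0..7).
# The short names are an assumption of this example, not ECS-mandated values.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d+)>")


def decode_pri(pri: int):
    """Split a syslog PRI into (facility, severity); PRI = 8 * facility + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d outside the valid range 0..191" % pri)
    return divmod(pri, 8)


def syslog_to_ecs(line: str, source_severity: Optional[str] = None,
                  source_severity_code: Optional[int] = None) -> dict:
    """Map the PRI header of a raw RFC 3164 or RFC 5424 line to ECS log.syslog.* fields.

    source_severity / source_severity_code are the event source's own severity
    (e.g. a firewall's), if the message body carries one.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    ecs = {
        "log.syslog.priority": pri,
        "log.syslog.facility.code": facility,
        "log.syslog.facility.name": FACILITIES[facility],
        "log.syslog.severity.code": severity,
        "log.syslog.severity.name": SEVERITIES[severity],
        "message": line[m.end():],
    }
    # ECS rule: the source's own severity wins; the syslog (transport)
    # severity is copied to log.level / event.severity only when there is none.
    ecs["log.level"] = source_severity if source_severity is not None else SEVERITIES[severity]
    ecs["event.severity"] = (source_severity_code if source_severity_code is not None
                             else severity)
    return ecs
```

Keeping the transport severity and the source severity in separate fields matters for detection: a firewall that emits every deny with syslog severity `info` would otherwise have its own "high" rating overwritten by the transport's.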
- name: network
title: Network
group: 2
description: 'The network is defined as the communication path over which a host
or network event happens.
The network.* fields should be populated with details about the network activity
associated with an event.'
type: group
default_field: true
fields:
- name: application
level: extended
type: keyword
ignore_above: 1024
description: 'When a specific application or service is identified from network
connection details (source/dest IPs, ports, certificates, or wire format),
this field captures the application''s or service''s name.
For example, the original event identifies the network connection being from
a specific web service in a `https` network connection, like `facebook` or
`twitter`.
The field value must be normalized to lowercase for querying.'
example: aim
- name: bytes
level: core
type: long
format: bytes
description: 'Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
sum.'
example: 368
- name: community_id
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of source and destination IPs and ports, as well as the
protocol used in a communication. This is a tool-agnostic standard to identify
flows.
Learn more at https://github.com/corelight/community-id-spec.'
example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
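The description above says what `network.community_id` hashes but not how. The following is an added example implementing Community ID v1 as published in the spec repository linked above; it is not Filebeat, ECS or the spec's own reference code. It covers TCP/UDP/SCTP (ports included) and port-less protocols; the spec's ICMP type/code mapping is deliberately left out. The function name and the constructed flow tuples are this example's own.

```python
import base64
import hashlib
import ipaddress
import struct
from typing import Optional

# IANA protocol numbers (the same values ECS stores in network.iana_number).
PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132
PORT_PROTOCOLS = {PROTO_TCP, PROTO_UDP, PROTO_SCTP}


def community_id_v1(saddr: str, daddr: str, proto: int,
                    sport: Optional[int] = None, dport: Optional[int] = None,
                    seed: int = 0) -> str:
    """Compute the Community ID v1 string for a flow, e.g. "1:<base64 sha1>".

    Hash input, per the spec: seed (16-bit BE) | src IP | dst IP | proto (8-bit)
    | one 0x00 pad byte | src port (16-bit BE) | dst port (16-bit BE).
    Ports are only included for TCP/UDP/SCTP in this example; the ICMP
    type/code mapping from the spec is not implemented here.
    The endpoints are canonically ordered first, so both directions of a
    flow yield the same ID and can be joined across sensors in a SIEM.
    """
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    has_ports = proto in PORT_PROTOCOLS
    if has_ports and (sport is None or dport is None):
        raise ValueError("TCP/UDP/SCTP flows need both ports")
    # Canonical order: lower address first; on equal addresses, lower port first.
    if has_ports:
        in_order = sa < da or (sa == da and sport < dport)
    else:
        in_order = sa <= da
    if not in_order:
        sa, da = da, sa
        sport, dport = dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))
    h.update(sa)
    h.update(da)
    h.update(struct.pack("!B", proto))
    h.update(b"\x00")  # padding byte is always present, even without ports
    if has_ports:
        h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")
```

Two practical points follow from the construction: the seed must be the same on every sensor (Zeek, Suricata, Filebeat) or their IDs will not join, and because the ID is a plain SHA-1 over the tuple it is an identifier, not a secret; anyone who knows the tuple can recompute it. The spec repository ships test vectors to check an implementation against.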
- name: direction
level: core
type: keyword
ignore_above: 1024
description: "Direction of the network traffic.\nRecommended values are:\n \
\ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\
\ * unknown\n\nWhen mapping events from a host-based monitoring context,\
\ populate this field from the host's point of view, using the values \"ingress\"\
\ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
\ context, populate this field from the point of view of the network perimeter,\
\ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
.\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
\ to describe communication between two hosts within the perimeter. Note also\
\ that \"external\" is meant to describe traffic between two hosts that are\
\ external to the perimeter. This could for example be useful for ISPs or\
\ VPN service providers."
example: inbound
- name: forwarded_ip
level: core
type: ip
description: Host IP address when the source IP address is the proxy.
example: 192.1.1.2
- name: iana_number
level: extended
type: keyword
ignore_above: 1024
description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
Standardized list of protocols. This aligns well with NetFlow and sFlow related
logs which use the IANA Protocol Number.
example: 6
- name: inner
level: extended
type: object
description: Network.inner fields are added in addition to network.vlan fields
to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
fields include vlan.id and vlan.name. Inner vlan fields are typically used
when sending traffic with multiple 802.1q encapsulations to a network sensor
(e.g. Zeek, Wireshark.)
default_field: false
- name: inner.vlan.id
level: extended
type: keyword
ignore_above: 1024
description: VLAN ID as reported by the observer.
example: 10
default_field: false
- name: inner.vlan.name
level: extended
type: keyword
ignore_above: 1024
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Name given by operators to sections of their network.
example: Guest Wifi
- name: packets
level: core
type: long
description: 'Total packets transferred in both directions.
If `source.packets` and `destination.packets` are known, `network.packets`
is their sum.'
example: 24
- name: protocol
level: core
type: keyword
ignore_above: 1024
description: 'In the OSI Model this would be the Application Layer protocol.
For example, `http`, `dns`, or `ssh`.
The field value must be normalized to lowercase for querying.'
example: http
- name: transport
level: core
type: keyword
ignore_above: 1024
description: 'Same as network.iana_number, but instead using the Keyword name
of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying.'
example: tcp
- name: type
level: core
type: keyword
ignore_above: 1024
description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
ipsec, pim, etc
The field value must be normalized to lowercase for querying.'
example: ipv4
- name: vlan.id
level: extended
type: keyword
ignore_above: 1024
description: VLAN ID as reported by the observer.
example: 10
default_field: false
- name: vlan.name
level: extended
type: keyword
ignore_above: 1024
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
- name: observer
title: Observer
group: 2
description: 'An observer is defined as a special network, security, or application
device used to detect, observe, or create network, security, or application-related
events and metrics.
This could be a custom hardware appliance or a server that has been configured
to run special network, security, or application software. Examples include
firewalls, web proxies, intrusion detection/prevention systems, network monitoring
sensors, web application firewalls, data loss prevention systems, and APM servers.
The observer.* fields shall be populated with details of the system, if any,
that detects, observes and/or creates a network, security, or application event
or metric. Message queues and ETL components used in processing events or metrics
are not considered observers in ECS.'
type: group
default_field: true
fields:
- name: egress
level: extended
type: object
description: Observer.egress holds information like interface number and name,
vlan, and zone information to classify egress traffic. Single armed monitoring
such as a network sensor on a span port should only use observer.ingress to
categorize traffic.
default_field: false
- name: egress.interface.alias
level: extended
type: keyword
ignore_above: 1024
description: Interface alias as reported by the system, typically used in firewall
implementations for e.g. inside, outside, or dmz logical interface naming.
example: outside
default_field: false
- name: egress.interface.id
level: extended
type: keyword
ignore_above: 1024
description: Interface ID as reported by an observer (typically SNMP interface
ID).
example: 10
default_field: false
- name: egress.interface.name
level: extended
type: keyword
ignore_above: 1024
description: Interface name as reported by the system.
example: eth0
default_field: false
- name: egress.vlan.id
level: extended
type: keyword
ignore_above: 1024
description: VLAN ID as reported by the observer.
example: 10
default_field: false
- name: egress.vlan.name
level: extended
type: keyword
ignore_above: 1024
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
- name: egress.zone
level: extended
type: keyword
ignore_above: 1024
description: Network zone of outbound traffic as reported by the observer to
categorize the destination area of egress traffic, e.g. Internal, External,
DMZ, HR, Legal, etc.
example: Public_Internet
default_field: false
- name: geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: hostname
level: core
type: keyword
ignore_above: 1024
description: Hostname of the observer.
- name: ingress
level: extended
type: object
description: Observer.ingress holds information like interface number and name,
vlan, and zone information to classify ingress traffic. Single armed monitoring
such as a network sensor on a span port should only use observer.ingress to
categorize traffic.
default_field: false
- name: ingress.interface.alias
level: extended
type: keyword
ignore_above: 1024
description: Interface alias as reported by the system, typically used in firewall
implementations for e.g. inside, outside, or dmz logical interface naming.
example: outside
default_field: false
- name: ingress.interface.id
level: extended
type: keyword
ignore_above: 1024
description: Interface ID as reported by an observer (typically SNMP interface
ID).
example: 10
default_field: false
- name: ingress.interface.name
level: extended
type: keyword
ignore_above: 1024
description: Interface name as reported by the system.
example: eth0
default_field: false
- name: ingress.vlan.id
level: extended
type: keyword
ignore_above: 1024
description: VLAN ID as reported by the observer.
example: 10
default_field: false
- name: ingress.vlan.name
level: extended
type: keyword
ignore_above: 1024
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
- name: ingress.zone
level: extended
type: keyword
ignore_above: 1024
description: Network zone of incoming traffic as reported by the observer to
categorize the source area of ingress traffic, e.g. Internal, External, DMZ,
HR, Legal, etc.
example: DMZ
default_field: false
- name: ip
level: core
type: ip
description: IP addresses of the observer.
- name: mac
level: core
type: keyword
ignore_above: 1024
description: 'MAC addresses of the observer.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
byte) is represented by two [uppercase] hexadecimal digits giving the value
of the octet as an unsigned integer. Successive octets are separated by a
hyphen.'
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
- name: name
level: extended
type: keyword
ignore_above: 1024
description: 'Custom name of the observer.
This is a name that can be given to an observer. This can be helpful for example
if multiple firewalls of the same model are used in an organization.
If no custom name is needed, the field can be left empty.'
example: 1_proxySG
- name: os.family
level: extended
type: keyword
ignore_above: 1024
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
- name: os.full
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, including the version or code name.
example: Mac OS Mojave
- name: os.kernel
level: extended
type: keyword
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- name: os.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, without the version.
example: Mac OS X
- name: os.platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of the following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
ignore_above: 1024
description: Operating system version as a raw string.
example: 10.14.1
- name: product
level: extended
type: keyword
ignore_above: 1024
description: The product name of the observer.
example: s200
- name: serial_number
level: extended
type: keyword
ignore_above: 1024
description: Observer serial number.
- name: type
level: core
type: keyword
ignore_above: 1024
description: 'The type of the observer the data is coming from.
There is no predefined list of observer types. Some examples are `forwarder`,
`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
example: firewall
- name: vendor
level: core
type: keyword
ignore_above: 1024
description: Vendor name of the observer.
example: Symantec
- name: version
level: core
type: keyword
ignore_above: 1024
description: Observer version.
- name: orchestrator
title: Orchestrator
group: 2
description: Fields that describe the resources which container orchestrators
manage or act upon.
type: group
default_field: true
fields:
- name: api_version
level: extended
type: keyword
ignore_above: 1024
description: API version being used to carry out the action
example: v1beta1
default_field: false
- name: cluster.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the cluster.
default_field: false
- name: cluster.url
level: extended
type: keyword
ignore_above: 1024
description: URL of the API used to manage the cluster.
default_field: false
- name: cluster.version
level: extended
type: keyword
ignore_above: 1024
description: The version of the cluster.
default_field: false
- name: namespace
level: extended
type: keyword
ignore_above: 1024
description: Namespace in which the action is taking place.
example: kube-system
default_field: false
- name: organization
level: extended
type: keyword
ignore_above: 1024
description: Organization affected by the event (for multi-tenant orchestrator
setups).
example: elastic
default_field: false
- name: resource.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the resource being acted upon.
example: test-pod-cdcws
default_field: false
- name: resource.type
level: extended
type: keyword
ignore_above: 1024
description: Type of resource being acted upon.
example: service
default_field: false
- name: type
level: extended
type: keyword
ignore_above: 1024
description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
example: kubernetes
default_field: false
- name: organization
title: Organization
group: 2
description: 'The organization fields enrich data with information about the company
or entity the data is associated with.
These fields help you arrange or filter data stored in an index by one or multiple
organizations.'
type: group
default_field: true
fields:
- name: id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the organization.
- name: name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Organization name.
- name: os
title: Operating System
group: 2
description: The OS fields contain information about the operating system.
type: group
default_field: true
fields:
- name: family
level: extended
type: keyword
ignore_above: 1024
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
- name: full
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, including the version or code name.
example: Mac OS Mojave
- name: kernel
level: extended
type: keyword
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- name: name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, without the version.
example: Mac OS X
- name: platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of the following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: version
level: extended
type: keyword
ignore_above: 1024
description: Operating system version as a raw string.
example: 10.14.1
- name: package
title: Package
group: 2
description: These fields contain information about an installed software package.
It contains general information about a package, such as name, version or size.
It also contains installation details, such as time or location.
type: group
default_field: true
fields:
- name: architecture
level: extended
type: keyword
ignore_above: 1024
description: Package architecture.
example: x86_64
- name: build_version
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the build version of the installed
package.
For example use the commit SHA of a non-released package.'
example: 36f4f7e89dd61b0988b12ee000b98966867710cd
default_field: false
- name: checksum
level: extended
type: keyword
ignore_above: 1024
description: Checksum of the installed package for verification.
example: 68b329da9893e34099c7d8ad5cb9c940
- name: description
level: extended
type: keyword
ignore_above: 1024
description: Description of the package.
example: Open source programming language to build simple/reliable/efficient
software.
- name: install_scope
level: extended
type: keyword
ignore_above: 1024
description: Indicates how the package was installed, e.g. user-local, global.
example: global
- name: installed
level: extended
type: date
description: Time when package was installed.
- name: license
level: extended
type: keyword
ignore_above: 1024
description: 'License under which the package was released.
Use a short name, e.g. the license identifier from SPDX License List where
possible (https://spdx.org/licenses/).'
example: Apache License 2.0
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Package name
example: go
- name: path
level: extended
type: keyword
ignore_above: 1024
description: Path where the package is installed.
example: /usr/local/Cellar/go/1.12.9/
- name: reference
level: extended
type: keyword
ignore_above: 1024
description: Home page or reference URL of the software in this package, if
available.
example: https://golang.org
default_field: false
- name: size
level: extended
type: long
format: string
description: Package size in bytes.
example: 62231
- name: type
level: extended
type: keyword
ignore_above: 1024
description: 'Type of package.
This should contain the package file type, rather than the package manager
name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
example: rpm
default_field: false
- name: version
level: extended
type: keyword
ignore_above: 1024
description: Package version
example: 1.12.9
- name: pe
title: PE Header
group: 2
description: These fields contain Windows Portable Executable (PE) metadata.
type: group
default_field: true
fields:
- name: architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
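The `pe.imphash` description says the value is a hash of the imports but not how the import table is normalised, which is what makes two builds collide. The following added example (not Filebeat or ECS code) computes an import hash from an already-parsed import list, following the normalisation used by the common pefile implementation: library names lowercased with a trailing .dll/.ocx/.sys removed, symbols lowercased, ordinal imports written as ordN, entries comma-joined in import-table order, MD5 over the result. The function names and the import list are this example's own. One known divergence: pefile first resolves ordinals of a few well-known libraries (for example ws2_32.dll, oleaut32.dll) to symbol names before hashing, which this example does not do, so values differ for samples importing those by ordinal.

```python
import hashlib
from typing import List, Tuple, Union

# Extensions that the import-hash algorithm strips from a library name.
PE_LIB_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_import(library: str, symbol: Union[str, int]) -> str:
    """Return the "lib.symbol" token used for one import entry.

    Library names are lowercased and lose a trailing .dll/.ocx/.sys; symbols
    are lowercased; imports by ordinal become "ordN" (no ordinal-to-name
    lookup is attempted in this example).
    """
    lib = library.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in PE_LIB_EXTENSIONS:
        lib = base
    sym = "ord%d" % symbol if isinstance(symbol, int) else symbol.lower()
    return "%s.%s" % (lib, sym)


def imphash(imports: List[Tuple[str, Union[str, int]]]) -> str:
    """MD5 over the comma-joined import tokens, in import-table order.

    Because the input is the import table rather than the code bytes, a
    recompiled or patched binary with the same imports keeps the same hash,
    which is why pe.imphash clusters samples that sha256 would not.
    The flip side: a packer that rebuilds imports at runtime, or a simple
    reordering of the import table, changes the hash.
    """
    tokens = [normalize_import(lib, sym) for lib, sym in imports]
    return hashlib.md5(",".join(tokens).encode("utf-8")).hexdigest()


# Constructed import table for illustration (not taken from a real sample).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileW"),
    ("KERNEL32.DLL", "WriteFile"),
    ("USER32.dll", "MessageBoxA"),
    ("ws2_32.dll", 23),
]
```

When hunting with this field, pivot on an imphash only in combination with other signals: common runtime-library imports give many unrelated binaries the same value, and the hash is trivially evaded by adding a dummy import.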
- name: original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: process
title: Process
group: 2
description: 'These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name
from a log message. The `process.pid` often stays in the metric itself and
is copied to the global field for correlation.'
type: group
default_field: true
fields:
- name: args
level: extended
type: keyword
ignore_above: 1024
description: 'Array of process arguments, starting with the absolute path to
the executable.
May be filtered to protect sensitive information.'
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
- name: args_count
level: extended
type: long
description: 'Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how
many arguments were provided to start a process. More arguments may be an
indication of suspicious activity.'
example: 4
default_field: false
- name: code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the process.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer.
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: command_line
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: 'Full command line that started the process, including the absolute
path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.'
example: /usr/bin/ssh -l user 10.0.0.16
default_field: false
- name: elf.architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: elf.byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte order (endianness) of the ELF file.
example: Little Endian
default_field: false
- name: elf.cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: elf.creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: elf.exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: elf.header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: elf.header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: elf.header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: elf.header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: elf.header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: elf.header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: elf.header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: elf.header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
- name: elf.imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: elf.sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: elf.sections.chi2
level: extended
type: long
format: number
description: Chi-square statistic of the section's byte distribution, measured against a uniform distribution.
default_field: false
- name: elf.sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
- name: elf.sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: elf.sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: elf.sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: elf.sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: elf.sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: elf.sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: elf.sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: elf.segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: elf.segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: elf.segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: elf.shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: elf.telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: end
level: extended
type: date
description: The time the process ended.
example: '2016-05-23T08:05:34.853Z'
default_field: false
- name: entity_id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier for the process.
The implementation of this is specified by the data source, but some examples
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate
PID reuse as well as to identify a specific process over time, across multiple
monitored hosts.'
example: c2c455d9f99375d
default_field: false
- name: executable
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Absolute path to the process executable.
example: /usr/bin/ssh
- name: exit_code
level: extended
type: long
description: 'The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process
start).'
example: 137
default_field: false
- name: hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: 'Process name.
Sometimes called program name or similar.'
example: ssh
- name: parent.args
level: extended
type: keyword
ignore_above: 1024
description: 'Array of process arguments, starting with the absolute path to
the executable.
May be filtered to protect sensitive information.'
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
default_field: false
- name: parent.args_count
level: extended
type: long
description: 'Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how
many arguments were provided to start a process. More arguments may be an
indication of suspicious activity.'
example: 4
default_field: false
- name: parent.code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the process.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: parent.code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: parent.code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: parent.code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: parent.code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer.
example: Microsoft Corporation
default_field: false
- name: parent.code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: parent.code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: parent.code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: parent.code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: parent.command_line
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: 'Full command line that started the process, including the absolute
path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.'
example: /usr/bin/ssh -l user 10.0.0.16
default_field: false
- name: parent.elf.architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: parent.elf.byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte order (endianness) of the ELF file.
example: Little Endian
default_field: false
- name: parent.elf.cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: parent.elf.creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: parent.elf.exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: parent.elf.header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: parent.elf.header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: parent.elf.header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: parent.elf.header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: parent.elf.header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: parent.elf.header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: parent.elf.header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: parent.elf.header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
- name: parent.elf.imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: parent.elf.sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: parent.elf.sections.chi2
level: extended
type: long
format: number
description: Chi-square statistic of the section's byte distribution, measured against a uniform distribution.
default_field: false
- name: parent.elf.sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
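# Added example, not part of ECS or Filebeat: how the two per-section statistics
# carried in elf.sections.entropy and elf.sections.chi2 are computed from a
# section's bytes, and how they feed one object of the elf.sections array.
# Field names follow this schema; the sample section contents and the 7.0-bit
# packing threshold are assumptions made for the example, not ECS definitions.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (a single byte value)
    to 8.0 (all 256 byte values equally frequent)."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return abs(h)  # turns -0.0 into 0.0 for a constant buffer


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over the 256 byte values: 0.0 is perfectly uniform,
    larger values mean the bytes are further from uniform."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: compressed or encrypted sections sit close to 8.0 bits,
    ordinary code and data usually well below the (assumed) threshold."""
    return shannon_entropy(data) >= threshold


def section_record(name: str, data: bytes, offset: int,
                   sec_type: str = "SHT_PROGBITS", flags: str = "AX") -> dict:
    """One object for the elf.sections nested array, using this schema's keys."""
    return {
        "name": name,
        "type": sec_type,
        "flags": flags,
        "physical_offset": hex(offset),
        "physical_size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "chi2": round(chi_square(data), 1),
    }


# Constructed sample sections (not taken from a real ELF file).
ZERO_SECTION = bytes(1024)               # a zero-filled image, e.g. .bss
UNIFORM_SECTION = bytes(range(256)) * 4  # every byte value exactly four times

if __name__ == "__main__":
    for name, blob in ((".bss", ZERO_SECTION), (".packed", UNIFORM_SECTION)):
        print(section_record(name, blob, offset=0x1000), "packed?", looks_packed(blob))
```

# A constant buffer scores 0.0 bits with a very large chi-square, a
# uniform buffer scores 8.0 bits with chi-square 0.0; real packed sections
# land near the uniform end, which is why both statistics are kept.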
- name: parent.elf.sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: parent.elf.sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: parent.elf.sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: parent.elf.sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: parent.elf.sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: parent.elf.sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: parent.elf.sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: parent.elf.segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: parent.elf.segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: parent.elf.segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: parent.elf.shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: parent.elf.telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: parent.end
level: extended
type: date
description: The time the process ended.
example: '2016-05-23T08:05:34.853Z'
default_field: false
- name: parent.entity_id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier for the process.
The implementation of this is specified by the data source, but some examples
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate
PID reuse as well as to identify a specific process over time, across multiple
monitored hosts.'
example: c2c455d9f99375d
default_field: false
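# Added example, not part of ECS or Filebeat: one way to construct the
# process.entity_id (and process.parent.entity_id) described above so that it
# survives PID reuse and stays unique across hosts. The composition (host id,
# boot id, pid, process start time, SHA-256 truncated to 16 hex digits) is an
# assumption; ECS leaves the construction to the data source. The /proc stat
# lines and identifiers below are constructed, not captured from a real host.

```python
import hashlib


def process_entity_id(host_id: str, boot_id: str, pid: int, start_ticks: int) -> str:
    """Hash everything that distinguishes one process lifetime from another.
    A reused PID has a different start time (and a reboot a different boot
    id), so it gets a different id; the same pid/start on another host
    differs through host_id."""
    material = f"{host_id}|{boot_id}|{pid}|{start_ticks}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def parse_proc_stat(stat_line: str):
    """Parse a Linux /proc/<pid>/stat line into (pid, comm, ppid, starttime).
    comm is parenthesised and may contain spaces and parentheses, so split
    on the last ')' rather than on whitespace. Numbering follows proc(5):
    field 4 is ppid, field 22 is starttime in clock ticks since boot."""
    head, _, tail = stat_line.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = tail.split()  # fields[0] is field 3 (state)
    return int(pid_str), comm, int(fields[1]), int(fields[19])


def process_fields(host_id: str, boot_id: str, stat_line: str, parent_stat_line: str) -> dict:
    """Build the process.* identity fields of an event from the process's
    and its parent's stat lines."""
    pid, comm, ppid, start = parse_proc_stat(stat_line)
    parent_pid, parent_comm, _, parent_start = parse_proc_stat(parent_stat_line)
    if parent_pid != ppid:
        raise ValueError("parent stat line does not belong to the parent")
    return {
        "process.pid": pid,
        "process.name": comm,
        "process.entity_id": process_entity_id(host_id, boot_id, pid, start),
        "process.parent.pid": ppid,
        "process.parent.name": parent_comm,
        "process.parent.entity_id": process_entity_id(host_id, boot_id, ppid, parent_start),
    }


# Constructed sample data. On a real host the ids would come from
# /etc/machine-id and /proc/sys/kernel/random/boot_id.
HOST_ID = "5c0f1b2e-3d4a-4b5c-8d6e-7f8091a2b3c4"
BOOT_ID = "0e8a4f3c-1c2d-4e5f-9a6b-7c8d9e0f1a2b"
CHILD_STAT = ("4242 (bash (x)) S 4200 4242 4242 34816 4242 4194304 1234 0 0 0 "
              "10 5 0 0 20 0 1 0 98765 12345678 900")
PARENT_STAT = ("4200 (sshd) S 1 4200 4200 0 -1 4194560 500 0 0 0 "
               "3 2 0 0 20 0 1 0 90000 8765432 600")

if __name__ == "__main__":
    print(process_fields(HOST_ID, BOOT_ID, CHILD_STAT, PARENT_STAT))
```

# Because the parent id is derived from the same inputs as the child id,
# a process start event and the parent's own start event agree on
# entity_id without any shared state, which is what makes the field usable
# for joining across events and hosts.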
- name: parent.executable
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Absolute path to the process executable.
example: /usr/bin/ssh
default_field: false
- name: parent.exit_code
level: extended
type: long
description: 'The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process
start).'
example: 137
default_field: false
- name: parent.hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
default_field: false
- name: parent.hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
default_field: false
- name: parent.hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
default_field: false
- name: parent.hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
default_field: false
- name: parent.hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: parent.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: 'Process name.
Sometimes called program name or similar.'
example: ssh
default_field: false
- name: parent.pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: parent.pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: parent.pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: parent.pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: parent.pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
- name: parent.pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: parent.pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: parent.pgid
level: extended
type: long
format: string
description: Identifier of the group of processes the process belongs to.
default_field: false
- name: parent.pid
level: core
type: long
format: string
description: Process id.
example: 4242
default_field: false
- name: parent.start
level: extended
type: date
description: The time the process started.
example: '2016-05-23T08:05:34.853Z'
default_field: false
- name: parent.thread.id
level: extended
type: long
format: string
description: Thread ID.
example: 4242
default_field: false
- name: parent.thread.name
level: extended
type: keyword
ignore_above: 1024
description: Thread name.
example: thread-0
default_field: false
- name: parent.title
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: 'Process title.
The proctitle, sometimes the same as the process name. Can also be different:
for example a browser setting its title to the web page currently opened.'
default_field: false
- name: parent.uptime
level: extended
type: long
description: Seconds the process has been up.
example: 1325
default_field: false
- name: parent.working_directory
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: The working directory of the process.
example: /home/alice
default_field: false
- name: pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
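# Added example, not part of ECS or Filebeat: how the imphash carried in
# pe.imphash, process.pe.imphash and process.parent.pe.imphash is derived from
# a PE import table, following the published recipe (lower-case DLL name with a
# .dll/.ocx/.sys extension removed, joined with a dot to the lower-case function
# name, entries comma-separated in import-table order, MD5 over the result).
# The import tables below are constructed. Ordinal-only imports are rendered as
# "ordN" here; tools such as pefile first map known ordinals to names, a step
# this example deliberately omits.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple, Union

ImportTable = Sequence[Tuple[str, Sequence[Union[str, int]]]]


def normalize_imports(imports: ImportTable) -> str:
    """The canonical string the hash is taken over."""
    parts: List[str] = []
    for dll, symbols in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = stem
        for sym in symbols:
            name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    # MD5 is acceptable here: imphash is a clustering key, not an integrity
    # check, and an attacker who controls the binary controls the imports anyway.
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def group_by_imphash(samples: Dict[str, ImportTable]) -> Dict[str, List[str]]:
    """Pivot: map each imphash to the sample ids (e.g. sha256) sharing it."""
    groups: Dict[str, List[str]] = {}
    for sample_id, table in samples.items():
        groups.setdefault(imphash(table), []).append(sample_id)
    return groups


# Constructed import tables.
BUILD_A: ImportTable = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
    ("USER32.dll", ["MessageBoxA"]),
]
BUILD_A_RELINKED: ImportTable = [  # same imports in the same order, different name casing
    ("kernel32.DLL", ["getprocaddress", "loadlibrarya"]),
    ("user32.dll", ["messageboxa"]),
]
BUILD_B_REORDERED: ImportTable = [  # same imports, different table order: a different hash
    ("USER32.dll", ["MessageBoxA"]),
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),
]
BUILD_C_ORDINAL: ImportTable = [("ws2_32.dll", [23, "send"])]

if __name__ == "__main__":
    for label, table in (("A", BUILD_A), ("A'", BUILD_A_RELINKED), ("B", BUILD_B_REORDERED)):
        print(label, imphash(table), normalize_imports(table))
```

# Import order is part of the hash, which is why a recompile that keeps the
# same source and linker settings usually keeps the same imphash while a
# trivial reordering, an added import or an ordinal-only import changes it;
# treat a match as a pivot for clustering, never as proof of identity.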
- name: pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: pgid
level: extended
type: long
format: string
description: Identifier of the group of processes the process belongs to.
- name: pid
level: core
type: long
format: string
description: Process id.
example: 4242
- name: start
level: extended
type: date
description: The time the process started.
example: '2016-05-23T08:05:34.853Z'
- name: thread.id
level: extended
type: long
format: string
description: Thread ID.
example: 4242
- name: thread.name
level: extended
type: keyword
ignore_above: 1024
description: Thread name.
example: thread-0
- name: title
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: 'Process title.
The proctitle, sometimes the same as the process name. Can also be different:
for example a browser setting its title to the web page currently opened.'
- name: uptime
level: extended
type: long
description: Seconds the process has been up.
example: 1325
- name: working_directory
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: The working directory of the process.
example: /home/alice
- name: registry
title: Registry
group: 2
description: Fields related to Windows Registry operations.
type: group
default_field: true
fields:
- name: data.bytes
level: extended
type: keyword
ignore_above: 1024
description: 'Original bytes written with base64 encoding.
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
corresponds to the data pointed by `lp_data`. This is optional but provides
better recoverability and should be populated for REG_BINARY encoded values.'
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
default_field: false
- name: data.strings
level: core
type: wildcard
description: 'Content when writing string types.
Populated as an array when writing string data to the registry. For single
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
one string. For sequences of string with REG_MULTI_SZ, this array will be
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
be populated with the decimal representation (e.g `"1"`).'
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
default_field: false
- name: data.type
level: core
type: keyword
ignore_above: 1024
description: Standard registry type for encoding contents.
example: REG_SZ
default_field: false
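# Added example, not part of ECS or Filebeat: turning a raw registry write into
# the registry.* fields defined in this group (data.type, data.bytes,
# data.strings, hive, key, value, path) following the encoding rules in the
# descriptions above, and a check for the Image File Execution Options
# "Debugger" value that the example path in this group shows. The REG_* type
# codes are the documented Win32 constants; the event layout, the detection
# and the sample writes are constructed for this example.

```python
import base64
import struct
from typing import Dict, List, Optional

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
REG_TYPES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
             REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD"}


def _utf16(raw: bytes) -> str:
    # Registry strings are UTF-16LE; a stray odd byte is replaced, not fatal.
    return raw.decode("utf-16-le", errors="replace")


def data_strings(reg_type: int, raw: bytes) -> Optional[List[str]]:
    """registry.data.strings as the description specifies: one element for
    REG_SZ/REG_EXPAND_SZ, variable length for REG_MULTI_SZ, decimal text for
    REG_DWORD/REG_QWORD, absent (None) for REG_BINARY."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return [_utf16(raw).split("\x00", 1)[0]]
    if reg_type == REG_MULTI_SZ:
        body = _utf16(raw).rstrip("\x00")  # the list ends with an empty string
        return body.split("\x00") if body else []
    if reg_type == REG_DWORD and len(raw) >= 4:
        return [str(struct.unpack("<I", raw[:4])[0])]
    if reg_type == REG_QWORD and len(raw) >= 8:
        return [str(struct.unpack("<Q", raw[:8])[0])]
    return None


def registry_event(hive: str, key: str, value: str, reg_type: int, raw: bytes) -> Dict[str, object]:
    ev: Dict[str, object] = {
        "registry.hive": hive,
        "registry.key": key,
        "registry.value": value,
        "registry.path": "\\".join((hive, key, value)),
        "registry.data.type": REG_TYPES.get(reg_type, f"REG_UNKNOWN_{reg_type}"),
        "registry.data.bytes": base64.b64encode(raw).decode("ascii"),  # always kept: full recoverability
    }
    strings = data_strings(reg_type, raw)
    if strings is not None:
        ev["registry.data.strings"] = strings
    return ev


def decode_data_bytes(b64: str) -> bytes:
    """Recover the original value bytes from registry.data.bytes."""
    return base64.b64decode(b64)


IFEO_KEY = "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def sets_ifeo_debugger(ev: Dict[str, object]) -> bool:
    """True when a Debugger value is written under Image File Execution
    Options, the hijack the example path in this group illustrates.
    Registry paths are case-insensitive, so compare lower-cased."""
    key = str(ev.get("registry.key", "")).lower()
    return key.startswith(IFEO_KEY) and str(ev.get("registry.value", "")).lower() == "debugger"


# Constructed sample writes.
IFEO_WRITE = registry_event(
    "HKLM",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe",
    "Debugger", REG_SZ,
    "C:\\rta\\red_ttp\\bin\\myapp.exe".encode("utf-16-le") + b"\x00\x00",
)
MULTI_SZ_B64 = "ZQBuAC0AVQBTAAAAZQBuAAAAAAA="  # the data.bytes example value from this schema

if __name__ == "__main__":
    print(IFEO_WRITE, "IFEO debugger set:", sets_ifeo_debugger(IFEO_WRITE))
    print(data_strings(REG_MULTI_SZ, decode_data_bytes(MULTI_SZ_B64)))
```

# Decoding the schema's own data.bytes example shows why data.strings is an
# array: those bytes are the REG_MULTI_SZ list "en-US", "en" in UTF-16LE with
# the double NUL terminator.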
- name: hive
level: core
type: keyword
ignore_above: 1024
description: Abbreviated name for the hive.
example: HKLM
default_field: false
- name: key
level: core
type: keyword
ignore_above: 1024
description: Hive-relative path of keys.
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
default_field: false
- name: path
level: core
type: keyword
ignore_above: 1024
description: Full path, including hive, key and value.
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\winword.exe\Debugger
default_field: false
- name: value
level: core
type: keyword
ignore_above: 1024
description: Name of the value written.
example: Debugger
default_field: false
- name: related
title: Related
group: 2
description: 'This field set is meant to facilitate pivoting around a piece of
data.
Some pieces of information can be seen in many places in an ECS event. To facilitate
searching for them, store an array of all seen values to their corresponding
field in `related.`.
A concrete example is IP addresses, which can be under host, observer, source,
destination, client, server, and network.forwarded_ip. If you append all IPs
to `related.ip`, you can then search for a given IP trivially, no matter where
it appeared, by querying `related.ip:192.0.2.15`.'
type: group
default_field: true
fields:
- name: hash
level: extended
type: keyword
ignore_above: 1024
description: All the hashes seen on your event. Populating this field, then
using it to search for hashes can help in situations where you're unsure what
the hash algorithm is (and therefore which key name to search).
default_field: false
- name: hosts
level: extended
type: keyword
ignore_above: 1024
description: All hostnames or other host identifiers seen on your event. Example
identifiers include FQDNs, domain names, workstation names, or aliases.
default_field: false
- name: ip
level: extended
type: ip
description: All of the IPs seen on your event.
- name: user
level: extended
type: keyword
ignore_above: 1024
description: All the user names or other user identifiers seen on the event.
default_field: false
- name: rule
title: Rule
group: 2
description: 'Rule fields are used to capture the specifics of any observer or
agent rules that generate alerts or other notable events.
Examples of data sources that would populate the rule fields include: network
admission control platforms, network or host IDS/IPS, network firewalls, web
application firewalls, url filters, endpoint detection and response (EDR) systems,
etc.'
type: group
default_field: true
fields:
- name: author
level: extended
type: keyword
ignore_above: 1024
description: Name, organization, or pseudonym of the author or authors who created
the rule used to generate this event.
example: '["Star-Lord"]'
default_field: false
- name: category
level: extended
type: keyword
ignore_above: 1024
description: A categorization value keyword used by the entity using the rule
for detection of this event.
example: Attempted Information Leak
default_field: false
- name: description
level: extended
type: keyword
ignore_above: 1024
description: The description of the rule generating the event.
example: Block requests to public DNS over HTTPS / TLS protocols
default_field: false
- name: id
level: extended
type: keyword
ignore_above: 1024
description: A rule ID that is unique within the scope of an agent, observer,
or other entity using the rule for detection of this event.
example: 101
default_field: false
- name: license
level: extended
type: keyword
ignore_above: 1024
description: Name of the license under which the rule used to generate this
event is made available.
example: Apache 2.0
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: The name of the rule or signature generating the event.
example: BLOCK_DNS_over_TLS
default_field: false
- name: reference
level: extended
type: keyword
ignore_above: 1024
description: 'Reference URL to additional information about the rule used to
generate this event.
The URL can point to the vendor''s documentation about the rule. If that''s
not available, it can also be a link to a more general page describing this
type of alert.'
example: https://en.wikipedia.org/wiki/DNS_over_TLS
default_field: false
- name: ruleset
level: extended
type: keyword
ignore_above: 1024
description: Name of the ruleset, policy, group, or parent category in which
the rule used to generate this event is a member.
example: Standard_Protocol_Filters
default_field: false
- name: uuid
level: extended
type: keyword
ignore_above: 1024
description: A rule ID that is unique within the scope of a set or group of
agents, observers, or other entities using the rule for detection of this
event.
example: 1100110011
default_field: false
- name: version
level: extended
type: keyword
ignore_above: 1024
description: The version / revision of the rule being used for analysis.
example: 1.1
default_field: false
- name: server
title: Server
group: 2
description: 'A Server is defined as the responder in a network connection for
events regarding sessions, connections, or bidirectional flow records.
For TCP events, the server is the receiver of the initial SYN packet(s) of the
TCP connection. For other protocols, the server is generally the responder in
the network transaction. Some systems actually use the term "responder" to refer
the server in TCP connections. The server fields describe details about the
system acting as the server in the network event. Server fields are usually
populated in conjunction with client fields. Server fields are generally not
populated for packet-level events.
Client / server representations can add semantic context to an exchange, which
is helpful to visualize the data in certain situations. If your context falls
in that category, you should still ensure that source and destination are filled
appropriately.'
type: group
default_field: true
fields:
- name: address
level: extended
type: keyword
ignore_above: 1024
description: 'Some event server addresses are defined ambiguously. The event
will sometimes list an IP, a domain or a unix socket. You should always store
the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Organization name.
example: Google LLC
- name: bytes
level: core
type: long
format: bytes
description: Bytes sent from the server to the client.
example: 184
- name: domain
level: core
type: keyword
ignore_above: 1024
description: 'The domain name of the server system.
This value may be a host name, a fully qualified domain name, or another host
naming format. The value may derive from the original event or be added from
enrichment.'
example: foo.example.com
- name: geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing the continent's name.
example: NA
default_field: false
- name: geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number (if this describes
a local physical entity), or city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as an IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: ip
level: core
type: ip
description: IP address of the server (IPv4 or IPv6).
- name: mac
level: core
type: keyword
ignore_above: 1024
description: 'MAC address of the server.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
byte) is represented by two [uppercase] hexadecimal digits giving the value
of the octet as an unsigned integer. Successive octets are separated by a
hyphen.'
example: 00-00-5E-00-53-23
- name: nat.ip
level: extended
type: ip
description: 'Translated IP of destination-based NAT sessions (e.g. internet
to private DMZ).
Typically used with load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Translated port of destination-based NAT sessions (e.g. internet
to private DMZ).
Typically used with load balancers, firewalls, or routers.'
- name: packets
level: core
type: long
description: Packets sent from the server to the client.
example: 12
- name: port
level: core
type: long
format: string
description: Port of the server.
- name: registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered server domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
- name: subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot
be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
- name: user.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: User's full name, if available.
example: Albert Einstein
- name: user.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
- name: user.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
- name: user.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name: user.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- name: user.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Short name or login of the user.
example: a.einstein
- name: user.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: service
title: Service
group: 2
description: 'The service fields describe the service for or from which the data
was collected.
These fields help you find and correlate logs for a specific service and version.'
footnote: The service fields may be self-nested under service.origin.* and service.target.* to
describe origin or target services in the context of incoming or outgoing requests, respectively.
However, the fieldsets service.origin.* and service.target.* must not be confused
with the root service fieldset that is used to describe the actual service
under observation. The fieldset service.origin.* may only be used in the context
of incoming requests or events to describe the originating service of the request.
The fieldset service.target.* may only be used in the context of outgoing requests
or events to describe the target service of the request.
type: group
default_field: true
fields:
- name: address
level: extended
type: keyword
ignore_above: 1024
description: 'Address where data about this service was collected from.
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
path (sockets).'
example: 172.26.0.2:5432
default_field: false
- name: environment
level: extended
type: keyword
ignore_above: 1024
description: 'Identifies the environment where the service is running.
If the same service runs in different environments (production, staging, QA,
development, etc.), the environment can identify other instances of the same
service. Can also group services and applications from the same environment.'
example: production
default_field: false
- name: ephemeral_id
level: extended
type: keyword
ignore_above: 1024
description: 'Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.'
example: 8a4f500f
- name: id
level: core
type: keyword
ignore_above: 1024
description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
logs and metrics for one specific service, no matter which particular node
emitted the event.
Note that if you need to see the events from one specific host of the service,
you should filter on that `host.name` or `host.id` instead.'
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
- name: name
level: core
type: keyword
ignore_above: 1024
description: 'Name of the service data is collected from.
The name of the service is normally user given. This allows for distributed
services that run on multiple hosts to correlate the related instances based
on the name.
In the case of Elasticsearch the `service.name` could contain the cluster
name. For Beats the `service.name` is by default a copy of the `service.type`
field if no name is specified.'
example: elasticsearch-metrics
- name: node.name
level: extended
type: keyword
ignore_above: 1024
description: 'Name of a service node.
This allows for two nodes of the same service running on the same host to
be differentiated. Therefore, `service.node.name` should typically be unique
across nodes of a given service.
In the case of Elasticsearch, the `service.node.name` could contain the unique
node name within the Elasticsearch cluster. In cases where the service doesn''t
have the concept of a node name, the host name or container name can be used
to distinguish running instances that make up this service. If those do not
provide uniqueness (e.g. multiple instances of the service running on the
same host), the node name can be manually set.'
example: instance-0000000016
- name: origin.address
level: extended
type: keyword
ignore_above: 1024
description: 'Address where data about this service was collected from.
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
path (sockets).'
example: 172.26.0.2:5432
default_field: false
- name: origin.environment
level: extended
type: keyword
ignore_above: 1024
description: 'Identifies the environment where the service is running.
If the same service runs in different environments (production, staging, QA,
development, etc.), the environment can identify other instances of the same
service. Can also group services and applications from the same environment.'
example: production
default_field: false
- name: origin.ephemeral_id
level: extended
type: keyword
ignore_above: 1024
description: 'Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.'
example: 8a4f500f
default_field: false
- name: origin.id
level: core
type: keyword
ignore_above: 1024
description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
logs and metrics for one specific service, no matter which particular node
emitted the event.
Note that if you need to see the events from one specific host of the service,
you should filter on that `host.name` or `host.id` instead.'
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
default_field: false
- name: origin.name
level: core
type: keyword
ignore_above: 1024
description: 'Name of the service data is collected from.
The name of the service is normally user given. This allows for distributed
services that run on multiple hosts to correlate the related instances based
on the name.
In the case of Elasticsearch the `service.name` could contain the cluster
name. For Beats the `service.name` is by default a copy of the `service.type`
field if no name is specified.'
example: elasticsearch-metrics
default_field: false
- name: origin.node.name
level: extended
type: keyword
ignore_above: 1024
description: 'Name of a service node.
This allows for two nodes of the same service running on the same host to
be differentiated. Therefore, `service.node.name` should typically be unique
across nodes of a given service.
In the case of Elasticsearch, the `service.node.name` could contain the unique
node name within the Elasticsearch cluster. In cases where the service doesn''t
have the concept of a node name, the host name or container name can be used
to distinguish running instances that make up this service. If those do not
provide uniqueness (e.g. multiple instances of the service running on the
same host), the node name can be manually set.'
example: instance-0000000016
default_field: false
- name: origin.state
level: core
type: keyword
ignore_above: 1024
description: Current state of the service.
default_field: false
- name: origin.type
level: core
type: keyword
ignore_above: 1024
description: 'The type of the service data is collected from.
The type can be used to group and correlate logs and metrics from one service
type.
Example: If logs or metrics are collected from Elasticsearch, `service.type`
would be `elasticsearch`.'
example: elasticsearch
default_field: false
- name: origin.version
level: core
type: keyword
ignore_above: 1024
description: 'Version of the service the data was collected from.
This allows looking at a data set for only a specific version of a service.'
example: 3.2.4
default_field: false
- name: state
level: core
type: keyword
ignore_above: 1024
description: Current state of the service.
- name: target.address
level: extended
type: keyword
ignore_above: 1024
description: 'Address where data about this service was collected from.
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
path (sockets).'
example: 172.26.0.2:5432
default_field: false
- name: target.environment
level: extended
type: keyword
ignore_above: 1024
description: 'Identifies the environment where the service is running.
If the same service runs in different environments (production, staging, QA,
development, etc.), the environment can identify other instances of the same
service. Can also group services and applications from the same environment.'
example: production
default_field: false
- name: target.ephemeral_id
level: extended
type: keyword
ignore_above: 1024
description: 'Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.'
example: 8a4f500f
default_field: false
- name: target.id
level: core
type: keyword
ignore_above: 1024
description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
logs and metrics for one specific service, no matter which particular node
emitted the event.
Note that if you need to see the events from one specific host of the service,
you should filter on that `host.name` or `host.id` instead.'
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
default_field: false
- name: target.name
level: core
type: keyword
ignore_above: 1024
description: 'Name of the service data is collected from.
The name of the service is normally user given. This allows for distributed
services that run on multiple hosts to correlate the related instances based
on the name.
In the case of Elasticsearch the `service.name` could contain the cluster
name. For Beats the `service.name` is by default a copy of the `service.type`
field if no name is specified.'
example: elasticsearch-metrics
default_field: false
- name: target.node.name
level: extended
type: keyword
ignore_above: 1024
description: 'Name of a service node.
This allows for two nodes of the same service running on the same host to
be differentiated. Therefore, `service.node.name` should typically be unique
across nodes of a given service.
In the case of Elasticsearch, the `service.node.name` could contain the unique
node name within the Elasticsearch cluster. In cases where the service doesn''t
have the concept of a node name, the host name or container name can be used
to distinguish running instances that make up this service. If those do not
provide uniqueness (e.g. multiple instances of the service running on the
same host), the node name can be manually set.'
example: instance-0000000016
default_field: false
- name: target.state
level: core
type: keyword
ignore_above: 1024
description: Current state of the service.
default_field: false
- name: target.type
level: core
type: keyword
ignore_above: 1024
description: 'The type of the service data is collected from.
The type can be used to group and correlate logs and metrics from one service
type.
Example: If logs or metrics are collected from Elasticsearch, `service.type`
would be `elasticsearch`.'
example: elasticsearch
default_field: false
- name: target.version
level: core
type: keyword
ignore_above: 1024
description: 'Version of the service the data was collected from.
This allows looking at a data set for only a specific version of a service.'
example: 3.2.4
default_field: false
- name: type
level: core
type: keyword
ignore_above: 1024
description: 'The type of the service data is collected from.
The type can be used to group and correlate logs and metrics from one service
type.
Example: If logs or metrics are collected from Elasticsearch, `service.type`
would be `elasticsearch`.'
example: elasticsearch
- name: version
level: core
type: keyword
ignore_above: 1024
description: 'Version of the service the data was collected from.
This allows looking at a data set for only a specific version of a service.'
example: 3.2.4
- name: source
title: Source
group: 2
description: 'Source fields capture details about the sender of a network exchange/packet.
These fields are populated from a network event, packet, or other event containing
details of a network transaction.
Source fields are usually populated in conjunction with destination fields.
The source and destination fields are considered the baseline and should always
be filled if an event contains source and destination details from a network
transaction. If the event also contains identification of the client and server
roles, then the client and server fields should also be populated.'
type: group
default_field: true
fields:
- name: address
level: extended
type: keyword
ignore_above: 1024
description: 'Some event source addresses are defined ambiguously. The event
will sometimes list an IP, a domain or a unix socket. You should always store
the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Organization name.
example: Google LLC
- name: bytes
level: core
type: long
format: bytes
description: Bytes sent from the source to the destination.
example: 184
- name: domain
level: core
type: keyword
ignore_above: 1024
description: 'The domain name of the source system.
This value may be a host name, a fully qualified domain name, or another host
naming format. The value may derive from the original event or be added from
enrichment.'
example: foo.example.com
- name: geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
- name: geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing the continent's name.
example: NA
default_field: false
- name: geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
- name: geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
- name: geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
- name: geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number (if this describes
a local physical entity), or city names.
Not typically used in automated geolocation.'
example: boston-dc
- name: geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
- name: geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
- name: geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as an IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: ip
level: core
type: ip
description: IP address of the source (IPv4 or IPv6).
- name: mac
level: core
type: keyword
ignore_above: 1024
description: 'MAC address of the source.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
byte) is represented by two [uppercase] hexadecimal digits giving the value
of the octet as an unsigned integer. Successive octets are separated by a
hyphen.'
example: 00-00-5E-00-53-23
- name: nat.ip
level: extended
type: ip
description: 'Translated IP of source-based NAT sessions (e.g. internal client
to internet).
Typically used for connections traversing load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Translated port of source-based NAT sessions (e.g. internal client
to internet).
Typically used with load balancers, firewalls, or routers.'
- name: packets
level: core
type: long
description: Packets sent from the source to the destination.
example: 12
- name: port
level: core
type: long
format: string
description: Port of the source.
- name: registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered source domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
- name: subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot
be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
- name: user.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: User's full name, if available.
example: Albert Einstein
- name: user.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
- name: user.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
- name: user.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name: user.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- name: user.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Short name or login of the user.
example: a.einstein
- name: user.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: threat
title: Threat
group: 2
description: "Fields to classify events and alerts according to a threat taxonomy\
\ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
\ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
\ The threat.tactic.* fields are meant to capture the high level category of\
\ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\
\ which kind of approach is used by this detected threat, to accomplish the\
\ goal (e.g. \"endpoint denial of service\")."
type: group
default_field: true
fields:
- name: enrichments
level: extended
type: nested
description: A list of associated indicator objects enriching the event, and
the context of that association/enrichment.
default_field: false
- name: enrichments.indicator
level: extended
type: object
description: Object containing associated indicators enriching the event.
default_field: false
- name: enrichments.indicator.as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
default_field: false
- name: enrichments.indicator.as.organization.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Organization name.
example: Google LLC
default_field: false
- name: enrichments.indicator.confidence
level: extended
type: keyword
ignore_above: 1024
description: "Identifies the vendor-neutral confidence rating using the\
\ None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework.\
\ Vendor-specific confidence scales may be added as custom fields.\nExpected\
\ values are:\n * Not Specified\n * None\n * Low\n * Medium\n * High"
example: Medium
default_field: false
- name: enrichments.indicator.description
level: extended
type: keyword
ignore_above: 1024
description: Describes the type of action conducted by the threat.
example: IP x.x.x.x was observed delivering the Angler EK.
default_field: false
- name: enrichments.indicator.email.address
level: extended
type: keyword
ignore_above: 1024
description: Identifies a threat indicator as an email address (irrespective
of direction).
example: phish@example.com
default_field: false
- name: enrichments.indicator.file.accessed
level: extended
type: date
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
default_field: false
- name: enrichments.indicator.file.attributes
level: extended
type: keyword
ignore_above: 1024
description: 'Array of file attributes.
Attribute names will vary by platform. Here''s a non-exhaustive list of values
that are expected in this field: archive, compressed, directory, encrypted,
execute, hidden, read, readonly, system, write.'
example: '["readonly", "system"]'
default_field: false
- name: enrichments.indicator.file.code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the process.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: enrichments.indicator.file.code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: enrichments.indicator.file.code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: enrichments.indicator.file.code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: enrichments.indicator.file.code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer.
example: Microsoft Corporation
default_field: false
- name: enrichments.indicator.file.code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: enrichments.indicator.file.code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: enrichments.indicator.file.code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: enrichments.indicator.file.code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: enrichments.indicator.file.created
level: extended
type: date
description: 'File creation time.
Note that not all filesystems store the creation time.'
default_field: false
- name: enrichments.indicator.file.ctime
level: extended
type: date
description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
default_field: false
- name: enrichments.indicator.file.device
level: extended
type: keyword
ignore_above: 1024
description: Device that is the source of the file.
example: sda
default_field: false
- name: enrichments.indicator.file.directory
level: extended
type: keyword
ignore_above: 1024
description: Directory where the file is located. It should include the drive
letter, when appropriate.
example: /home/alice
default_field: false
- name: enrichments.indicator.file.drive_letter
level: extended
type: keyword
ignore_above: 1
description: 'Drive letter where the file is located. This field is only relevant
on Windows.
The value should be uppercase, and not include the colon.'
example: C
default_field: false
- name: enrichments.indicator.file.elf.architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: enrichments.indicator.file.elf.byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte sequence of ELF file.
example: Little Endian
default_field: false
- name: enrichments.indicator.file.elf.cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: enrichments.indicator.file.elf.creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: enrichments.indicator.file.elf.exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: enrichments.indicator.file.elf.header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: enrichments.indicator.file.elf.header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: enrichments.indicator.file.elf.header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: enrichments.indicator.file.elf.header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: enrichments.indicator.file.elf.header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: enrichments.indicator.file.elf.header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: enrichments.indicator.file.elf.header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: enrichments.indicator.file.elf.header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
- name: enrichments.indicator.file.elf.imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: enrichments.indicator.file.elf.sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: enrichments.indicator.file.elf.sections.chi2
level: extended
type: long
format: number
description: Chi-square probability distribution of the section.
default_field: false
- name: enrichments.indicator.file.elf.sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
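The `chi2` and `entropy` entries above are the two per-section statistics analysts use to spot packed or encrypted code before any signature work. The following Python is an added example (not code from ECS, Filebeat or any Beat) showing how both values are computed for the objects that go under `elf.sections`; the same computation applies to `pe.sections.*`. The three section byte strings are constructed stand-ins for what a real tool reads from the ELF section headers, and the section names, helper names and the 7.0-bit packing threshold are this example's own assumptions, not ECS values.

```python
"""Section statistics behind elf.sections.entropy and elf.sections.chi2.

Added example, not code from ECS or Filebeat. The three "sections" are
constructed byte strings standing in for what a real tool would read from
the ELF section headers; names and the 7.0-bit threshold are assumptions.
"""
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over all 256 byte values. Values near 0 mean the bytes are
    indistinguishable from random, as in encrypted or well-compressed data."""
    if not data:
        return 0.0
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: a common rule of thumb, not an ECS value


def looks_packed(data: bytes) -> bool:
    """Heuristic: a code section whose entropy exceeds the threshold is
    usually packed or encrypted rather than plain machine code."""
    return shannon_entropy(data) > PACKED_ENTROPY_THRESHOLD


def _constructed_sections() -> Dict[str, bytes]:
    """Constructed sample sections (not taken from any real binary)."""
    rng = random.Random(7)  # fixed seed so the example is reproducible
    return {
        # Plain code: a short x86-64 prologue/epilogue repeated, few distinct bytes.
        ".text": bytes.fromhex("554889e54883ec10c9c3") * 400,
        # Zero-filled, as uninitialised data appears on disk.
        ".bss": b"\x00" * 4096,
        # Pseudo-random bytes, the shape of a packed or encrypted payload section.
        ".upx1": bytes(rng.getrandbits(8) for _ in range(4096)),
    }


def elf_sections_ecs(sections: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Build the per-section objects that go under elf.sections."""
    return [
        {
            "name": name,
            "physical_size": len(data),
            "entropy": round(shannon_entropy(data), 3),
            "chi2": round(chi_square(data), 1),
        }
        for name, data in sections.items()
    ]


if __name__ == "__main__":
    for section in elf_sections_ecs(_constructed_sections()):
        print(section, "packed?" if looks_packed(bytes()) else "")
```

One caveat when indexing these values: both fields are typed `long` above, so a pipeline that writes `7.955` straight into Elasticsearch gets `7` back after coercion. If the fractional part matters for your detection logic, keep the float in a custom field or apply the threshold before indexing.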
- name: enrichments.indicator.file.elf.sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: enrichments.indicator.file.elf.sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: enrichments.indicator.file.elf.sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: enrichments.indicator.file.elf.sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: enrichments.indicator.file.elf.sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: enrichments.indicator.file.elf.sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: enrichments.indicator.file.elf.sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: enrichments.indicator.file.elf.segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: enrichments.indicator.file.elf.segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: enrichments.indicator.file.elf.segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: enrichments.indicator.file.elf.shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: enrichments.indicator.file.elf.telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: enrichments.indicator.file.extension
level: extended
type: keyword
ignore_above: 1024
description: 'File extension, excluding the leading dot.
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
default_field: false
- name: enrichments.indicator.file.fork_name
level: extended
type: keyword
ignore_above: 1024
description: 'A fork is additional data associated with a filesystem object.
On macOS (HFS+ and APFS), a resource fork is used to store additional data with
a filesystem object. A file always has at least one fork for the data portion,
and additional forks may exist.
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
data stream for a file is just called $DATA. Zone.Identifier is commonly used
by Windows to track contents downloaded from the Internet. An ADS is typically
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
is the value that should populate `fork_name`. `filename.extension` should
populate `file.name`, and `extension` should populate `file.extension`. The
full path, `file.path`, will include the fork name.'
example: Zone.Identifier
default_field: false
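The `fork_name`, `extension`, `directory`, `drive_letter` and `name` entries above together define how one path string is split across the `file.*` fields, and the ADS case is the one most producers get wrong. The following Python is an added example (not code from ECS or Filebeat) that applies those rules to POSIX and Windows paths, including the `filename.extension:some_fork_name` form. The function name, the handling of a trailing `:$DATA` stream-type qualifier, and the decision that a lone leading dot (`.bashrc`) is not an extension are this example's own assumptions.

```python
"""Split a file path into the ECS file.* fields described above.

Added example, not code from ECS or Filebeat. It covers POSIX and Windows
paths, the NTFS alternate data stream suffix that populates file.fork_name,
and the "last extension only" rule for file.extension. The function name
and the leading-dot rule for dotfiles are this example's own assumptions.
"""
import re
from typing import Dict, Optional

_WIN_DRIVE = re.compile(r"^([A-Za-z]):[\\/]")


def ecs_file_fields(path: str) -> Dict[str, Optional[str]]:
    drive = _WIN_DRIVE.match(path)
    is_windows = drive is not None or path.startswith("\\\\")  # drive or UNC path
    sep = "\\" if is_windows else "/"

    directory, _, basename = path.rpartition(sep)
    if not directory and path.startswith(sep):
        directory = sep  # file directly under the root

    fork_name = None
    if is_windows and ":" in basename:
        # NTFS ADS: "name.ext:stream" or "name.ext:stream:$DATA". Only the stream
        # name goes to file.fork_name; the ":$DATA" type qualifier is dropped.
        # The drive colon never reaches here because it sits in `directory`.
        basename, _, fork_name = basename.partition(":")
        if fork_name.upper().endswith(":$DATA"):
            fork_name = fork_name[: -len(":$DATA")]

    extension = None
    if "." in basename[1:]:  # assumption: a lone leading dot (".bashrc") is not an extension
        extension = basename.rsplit(".", 1)[1]  # "archive.tar.gz" -> "gz", not "tar.gz"

    return {
        "file.path": path,  # full path, fork name included
        "file.drive_letter": drive.group(1).upper() if drive else None,  # "C", no colon
        "file.directory": directory or None,
        "file.name": basename or None,
        "file.extension": extension or None,
        "file.fork_name": fork_name or None,
    }


if __name__ == "__main__":
    for p in (r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier:$DATA",
              "/home/alice/archive.tar.gz",
              "/tmp/a:b.txt"):
        print(ecs_file_fields(p))
```

Note that a colon in a POSIX file name is legal and carries no stream semantics, so the ADS split is only applied when the path is recognised as a Windows path; a producer that splits on `:` unconditionally will mangle such names.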
- name: enrichments.indicator.file.gid
level: extended
type: keyword
ignore_above: 1024
description: Primary group ID (GID) of the file.
example: '1001'
default_field: false
- name: enrichments.indicator.file.group
level: extended
type: keyword
ignore_above: 1024
description: Primary group name of the file.
example: alice
default_field: false
- name: enrichments.indicator.file.hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
default_field: false
- name: enrichments.indicator.file.hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
default_field: false
- name: enrichments.indicator.file.hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
default_field: false
- name: enrichments.indicator.file.hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
default_field: false
- name: enrichments.indicator.file.hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: enrichments.indicator.file.inode
level: extended
type: keyword
ignore_above: 1024
description: Inode representing the file in the filesystem.
example: '256383'
default_field: false
- name: enrichments.indicator.file.mime_type
level: extended
type: keyword
ignore_above: 1024
description: MIME type should identify the format of the file or stream of bytes
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
official types], where possible. When more than one type is applicable, the
most specific type should be used.
default_field: false
- name: enrichments.indicator.file.mode
level: extended
type: keyword
ignore_above: 1024
description: Mode of the file in octal representation.
example: '0640'
default_field: false
- name: enrichments.indicator.file.mtime
level: extended
type: date
description: Last time the file content was modified.
default_field: false
- name: enrichments.indicator.file.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the file including the extension, without the directory.
example: example.png
default_field: false
- name: enrichments.indicator.file.owner
level: extended
type: keyword
ignore_above: 1024
description: File owner's username.
example: alice
default_field: false
- name: enrichments.indicator.file.path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Full path to the file, including the file name. It should include
the drive letter, when appropriate.
example: /home/alice/example.png
default_field: false
- name: enrichments.indicator.file.pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: enrichments.indicator.file.pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: enrichments.indicator.file.pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: enrichments.indicator.file.pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: enrichments.indicator.file.pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
- name: enrichments.indicator.file.pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: enrichments.indicator.file.pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: enrichments.indicator.file.size
level: extended
type: long
description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
default_field: false
- name: enrichments.indicator.file.target_path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Target path for symlinks.
default_field: false
- name: enrichments.indicator.file.type
level: extended
type: keyword
ignore_above: 1024
description: File type (file, dir, or symlink).
example: file
default_field: false
- name: enrichments.indicator.file.uid
level: extended
type: keyword
ignore_above: 1024
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
default_field: false
- name: enrichments.indicator.file.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: enrichments.indicator.file.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common name (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: enrichments.indicator.file.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: enrichments.indicator.file.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: enrichments.indicator.file.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: enrichments.indicator.file.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: enrichments.indicator.file.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: enrichments.indicator.file.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: enrichments.indicator.file.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: enrichments.indicator.file.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: enrichments.indicator.file.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: enrichments.indicator.file.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: enrichments.indicator.file.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: enrichments.indicator.file.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: enrichments.indicator.file.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: enrichments.indicator.file.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: enrichments.indicator.file.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: enrichments.indicator.file.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: enrichments.indicator.file.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: enrichments.indicator.file.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: enrichments.indicator.file.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: enrichments.indicator.file.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: enrichments.indicator.file.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: enrichments.indicator.file.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: enrichments.indicator.first_seen
level: extended
type: date
description: The date and time when intelligence source first reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: enrichments.indicator.geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
default_field: false
- name: enrichments.indicator.geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: enrichments.indicator.geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
default_field: false
- name: enrichments.indicator.geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
default_field: false
- name: enrichments.indicator.geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
default_field: false
- name: enrichments.indicator.geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
default_field: false
- name: enrichments.indicator.geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
default_field: false
- name: enrichments.indicator.geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: enrichments.indicator.geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
default_field: false
- name: enrichments.indicator.geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
default_field: false
- name: enrichments.indicator.geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: enrichments.indicator.ip
level: extended
type: ip
description: Identifies a threat indicator as an IP address (irrespective of
direction).
example: 1.2.3.4
default_field: false
- name: enrichments.indicator.last_seen
level: extended
type: date
description: The date and time when intelligence source last reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: enrichments.indicator.marking.tlp
level: extended
type: keyword
ignore_above: 1024
description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
\ * WHITE\n * GREEN\n * AMBER\n * RED"
example: WHITE
default_field: false
- name: enrichments.indicator.modified_at
level: extended
type: date
description: The date and time when intelligence source last modified information
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: enrichments.indicator.port
level: extended
type: long
description: Identifies a threat indicator as a port number (irrespective of
direction).
example: 443
default_field: false
- name: enrichments.indicator.provider
level: extended
type: keyword
ignore_above: 1024
description: The name of the indicator's provider.
example: lrz_urlhaus
default_field: false
- name: enrichments.indicator.reference
level: extended
type: keyword
ignore_above: 1024
description: Reference URL linking to additional information about this indicator.
example: https://system.example.com/indicator/0001234
default_field: false
- name: enrichments.indicator.registry.data.bytes
level: extended
type: keyword
ignore_above: 1024
description: 'Original bytes written with base64 encoding.
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
corresponds to the data pointed to by `lpData`. This is optional but provides
better recoverability and should be populated for REG_BINARY encoded values.'
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
default_field: false
- name: enrichments.indicator.registry.data.strings
level: core
type: wildcard
description: 'Content when writing string types.
Populated as an array when writing string data to the registry. For single
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
one string. For sequences of string with REG_MULTI_SZ, this array will be
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
be populated with the decimal representation (e.g `"1"`).'
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
default_field: false
- name: enrichments.indicator.registry.data.type
level: core
type: keyword
ignore_above: 1024
description: Standard registry type for encoding contents
example: REG_SZ
default_field: false
- name: enrichments.indicator.registry.hive
level: core
type: keyword
ignore_above: 1024
description: Abbreviated name for the hive.
example: HKLM
default_field: false
- name: enrichments.indicator.registry.key
level: core
type: keyword
ignore_above: 1024
description: Hive-relative path of keys.
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
default_field: false
- name: enrichments.indicator.registry.path
level: core
type: keyword
ignore_above: 1024
description: Full path, including hive, key and value
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\winword.exe\Debugger
default_field: false
- name: enrichments.indicator.registry.value
level: core
type: keyword
ignore_above: 1024
description: Name of the value written.
example: Debugger
default_field: false
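The `registry.data.*`, `registry.hive`, `registry.key`, `registry.path` and `registry.value` entries above describe one normalisation: split the full path into hive/key/value and encode the written data according to its registry type. The following Python is an added example (not code from ECS or Winlogbeat) that does both, using the page's own IFEO `Debugger` path as input; it also reproduces the page's `registry.data.bytes` example from a REG_MULTI_SZ write of `["en-US", "en"]`, which shows what that base64 string actually encodes. The events are constructed, and the function names and the `has_value` flag are this example's own.

```python
"""Map a Windows registry write to the ECS registry.* fields defined above.

Added example, not code from ECS or Winlogbeat. The events at the bottom
are constructed; a real pipeline would take them from Sysmon or an EDR
sensor. Function names are this example's own.
"""
import base64
import struct
from typing import Dict, Optional, Sequence, Union

# Standard hive abbreviations; registry.hive wants the short form.
HIVE_ABBREVIATIONS = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

RegistryData = Union[str, Sequence[str], int, bytes]


def split_registry_path(full_path: str, has_value: bool = True) -> Dict[str, Optional[str]]:
    """registry.path -> registry.hive / registry.key / registry.value.

    The path alone does not say whether its last component is a value or a
    key, so the caller states it (Sysmon event 13 is a value write, event 12
    a key create or delete)."""
    hive, _, rest = full_path.partition("\\")
    hive = HIVE_ABBREVIATIONS.get(hive.upper(), hive.upper())
    if has_value:
        key, _, value = rest.rpartition("\\")
    else:
        key, value = rest, None
    return {
        "registry.path": full_path,
        "registry.hive": hive,
        "registry.key": key,
        "registry.value": value,
    }


def encode_registry_data(reg_type: str, data: RegistryData) -> Dict[str, object]:
    """registry.data.type / registry.data.strings / registry.data.bytes.

    strings follows the ECS rules above: one-element array for REG_SZ and
    REG_EXPAND_SZ, variable-length array for REG_MULTI_SZ, decimal string for
    REG_DWORD and REG_QWORD, absent for REG_BINARY. bytes is the base64 of the
    raw lpData buffer the Win32 API would write: UTF-16LE NUL-terminated
    strings (double NUL for REG_MULTI_SZ) and little-endian integers."""
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        strings = [str(data)]
        raw = (str(data) + "\x00").encode("utf-16-le")
    elif reg_type == "REG_MULTI_SZ":
        strings = [str(s) for s in data]
        raw = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    elif reg_type == "REG_DWORD":
        strings = [str(data)]
        raw = struct.pack("<I", int(data))
    elif reg_type == "REG_QWORD":
        strings = [str(data)]
        raw = struct.pack("<Q", int(data))
    elif reg_type == "REG_BINARY":
        strings = None
        raw = bytes(data)
    else:
        raise ValueError(f"unsupported registry type {reg_type}")
    return {
        "registry.data.type": reg_type,
        "registry.data.strings": strings,
        "registry.data.bytes": base64.b64encode(raw).decode("ascii"),
    }


def registry_event_to_ecs(full_path: str, reg_type: str, data: RegistryData) -> Dict[str, object]:
    """Combine path split and data encoding for a value-set event."""
    event: Dict[str, object] = dict(split_registry_path(full_path, has_value=True))
    event.update(encode_registry_data(reg_type, data))
    return event


if __name__ == "__main__":
    # Constructed: an Image File Execution Options debugger hijack, matching the
    # registry.path example above.
    print(registry_event_to_ecs(
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger",
        "REG_SZ", r"C:\rta\red_ttp\bin\myapp.exe"))
```

Populating `registry.data.bytes` for every type (not only REG_BINARY, where ECS requires it) costs little and lets an analyst recover the exact buffer when a string value contains embedded NULs or non-printable characters that the `strings` rendering hides.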
- name: enrichments.indicator.scanner_stats
level: extended
type: long
description: Count of AV/EDR vendors that successfully detected malicious file
or URL.
example: 4
default_field: false
- name: enrichments.indicator.sightings
level: extended
type: long
description: Number of times this indicator was observed conducting threat activity.
example: 20
default_field: false
- name: enrichments.indicator.type
level: extended
type: keyword
ignore_above: 1024
description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
\ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\
\ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\
\ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \
\ * user-account\n * windows-registry-key\n * x509-certificate"
example: ipv4-addr
default_field: false
- name: enrichments.indicator.url.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
2732), the `[` and `]` characters should also be captured in the `domain`
field.'
example: www.elastic.co
default_field: false
- name: enrichments.indicator.url.extension
level: extended
type: keyword
ignore_above: 1024
description: 'The field contains the file extension from the original request
url, excluding the leading dot.
The file extension is only set if it exists, as not every url has a file extension.
The leading period must not be included. For example, the value must be "png",
not ".png".
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
default_field: false
- name: enrichments.indicator.url.fragment
level: extended
type: keyword
ignore_above: 1024
description: 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
default_field: false
- name: enrichments.indicator.url.full
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: If full URLs are important to your use case, they should be stored
in `url.full`, whether this field is reconstructed or present in the event
source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
default_field: false
- name: enrichments.indicator.url.original
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas
in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
default_field: false
- name: enrichments.indicator.url.password
level: extended
type: keyword
ignore_above: 1024
description: Password of the request.
default_field: false
- name: enrichments.indicator.url.path
level: extended
type: wildcard
description: Path of the request, such as "/search".
default_field: false
- name: enrichments.indicator.url.port
level: extended
type: long
format: string
description: Port of the request, such as 443.
example: 443
default_field: false
- name: enrichments.indicator.url.query
level: extended
type: keyword
ignore_above: 1024
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there
is no query field. If there is a `?` but no query, the query field exists
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
default_field: false
- name: enrichments.indicator.url.registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
default_field: false
- name: enrichments.indicator.url.scheme
level: extended
type: keyword
ignore_above: 1024
description: 'Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.'
example: https
default_field: false
- name: enrichments.indicator.url.subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot
be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: enrichments.indicator.url.top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
default_field: false
- name: enrichments.indicator.url.username
level: extended
type: keyword
ignore_above: 1024
description: Username of the request.
default_field: false
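The `url.*` entries above carry several rules that are easy to get wrong in a producer: the IPv6 brackets that stay in `url.domain`, the distinction between a `?` with an empty query and no `?` at all, and the public-suffix lookup behind `registered_domain`, `subdomain` and `top_level_domain`. The following Python is an added example (not code from ECS or Filebeat) that applies those rules to both absolute URLs and the bare paths seen in access logs. `PUBLIC_SUFFIXES` is a constructed handful of entries standing in for the full Public Suffix List, which a production pipeline must load, and the function names are this example's own.

```python
"""Decompose a URL into the ECS url.* fields defined above.

Added example, not code from ECS or Filebeat. PUBLIC_SUFFIXES is a
constructed handful of entries standing in for the real Public Suffix
List (https://publicsuffix.org), which a production pipeline must load
in full; function names are this example's own.
"""
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co", "io", "uk", "co.uk", "org.uk", "jp", "co.jp"}

_NO_DOMAIN_SPLIT = {"url.top_level_domain": None, "url.registered_domain": None, "url.subdomain": None}


def split_domain(domain: str) -> Dict[str, Optional[str]]:
    """url.top_level_domain / url.registered_domain / url.subdomain.

    Longest-suffix match against the public suffix list, so "co.uk" wins over
    "uk". Everything below the registered domain is the subdomain ("sub2.sub1"
    for sub2.sub1.example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return dict(_NO_DOMAIN_SPLIT)  # whole name is a public suffix; nothing registered
            return {
                "url.top_level_domain": suffix,
                "url.registered_domain": ".".join(labels[i - 1:]),
                "url.subdomain": ".".join(labels[: i - 1]) or None,
            }
    return dict(_NO_DOMAIN_SPLIT)  # unknown suffix: intranet names, "localhost", ...


def ecs_url_fields(url: str) -> Dict[str, object]:
    parts = urlsplit(url)
    before_fragment = url.partition("#")[0]
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped by urlsplit
    domain = None
    if host:
        domain = f"[{host}]" if ":" in host else host  # ECS keeps the brackets
    try:
        port = parts.port
    except ValueError:
        port = None  # non-numeric or out-of-range port in the authority

    last_segment = parts.path.rsplit("/", 1)[-1]
    extension = last_segment.rsplit(".", 1)[1] if "." in last_segment[1:] else None

    fields: Dict[str, object] = {
        "url.original": url,
        "url.full": url if parts.scheme and parts.netloc else None,
        "url.scheme": parts.scheme or None,
        "url.username": parts.username,
        "url.password": parts.password,
        "url.domain": domain,
        "url.port": port,
        "url.path": parts.path or None,
        # ECS rule: "?" with nothing after it -> "", no "?" at all -> field absent.
        "url.query": parts.query if "?" in before_fragment else None,
        "url.fragment": parts.fragment if "#" in url else None,
        "url.extension": extension or None,
    }

    is_ip = False
    if host:
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            pass
    # IP literals have no registered domain; the IP itself stays in url.domain.
    fields.update(split_domain(host) if host and not is_ip else _NO_DOMAIN_SPLIT)
    return fields


if __name__ == "__main__":
    for u in ("https://www.elastic.co:443/search?q=elasticsearch#top",
              "https://[2001:db8::1]:8443/a/b.png?",
              "/search?q=elasticsearch"):
        print(ecs_url_fields(u))
```

Two points for producers. The description above gives two readings of `url.subdomain` ("east" for www.east.mydomain.co.uk, but "sub2.sub1" for sub2.sub1.example.com); this example follows the second, which is also what the Elasticsearch `registered_domain` ingest processor emits, since deciding that "www" is a host rather than a subdomain needs knowledge the URL does not carry. And `url.password` is populated here because the schema defines it, but indexing credentials scraped from URLs is a data-handling risk in its own right; most pipelines redact or drop that field before it reaches storage.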
- name: enrichments.indicator.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: enrichments.indicator.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of the issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: enrichments.indicator.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: enrichments.indicator.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: enrichments.indicator.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: enrichments.indicator.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: enrichments.indicator.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: enrichments.indicator.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: enrichments.indicator.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: enrichments.indicator.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: enrichments.indicator.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: enrichments.indicator.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: enrichments.indicator.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: enrichments.indicator.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: enrichments.indicator.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: enrichments.indicator.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: enrichments.indicator.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: enrichments.indicator.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: enrichments.indicator.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: enrichments.indicator.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: enrichments.indicator.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: enrichments.indicator.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: enrichments.indicator.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: enrichments.indicator.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: enrichments.matched.atomic
level: extended
type: keyword
ignore_above: 1024
description: Identifies the atomic indicator value that matched a local environment
endpoint or network event.
example: bad-domain.com
default_field: false
- name: enrichments.matched.field
level: extended
type: keyword
ignore_above: 1024
description: Identifies the field of the atomic indicator that matched a local
environment endpoint or network event.
example: file.hash.sha256
default_field: false
- name: enrichments.matched.id
level: extended
type: keyword
ignore_above: 1024
description: Identifies the _id of the indicator document enriching the event.
example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
default_field: false
- name: enrichments.matched.index
level: extended
type: keyword
ignore_above: 1024
description: Identifies the _index of the indicator document enriching the event.
example: filebeat-8.0.0-2021.05.23-000011
default_field: false
- name: enrichments.matched.type
level: extended
type: keyword
ignore_above: 1024
description: Identifies the type of match that caused the event to be enriched
with the given indicator.
example: indicator_match_rule
default_field: false
- name: framework
level: extended
type: keyword
ignore_above: 1024
description: Name of the threat framework used to further categorize and classify
the tactic and technique of the reported threat. Framework classification
can be provided by detecting systems, evaluated at ingest time, or retrospectively
tagged to events.
example: MITRE ATT&CK
- name: group.alias
level: extended
type: keyword
ignore_above: 1024
description: "The alias(es) of the group for a set of related intrusion activity\
\ that are tracked by a common name in the security community.\nWhile not\
\ required, you can use a MITRE ATT&CK\xAE group alias(es)."
example: '[ "Magecart Group 6" ]'
default_field: false
- name: group.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of the group for a set of related intrusion activity that\
\ are tracked by a common name in the security community.\nWhile not required,\
\ you can use a MITRE ATT&CK\xAE group id."
example: G0037
default_field: false
- name: group.name
level: extended
type: keyword
ignore_above: 1024
description: "The name of the group for a set of related intrusion activity\
\ that are tracked by a common name in the security community.\nWhile not\
\ required, you can use a MITRE ATT&CK\xAE group name."
example: FIN6
default_field: false
- name: group.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference URL of the group for a set of related intrusion\
\ activity that are tracked by a common name in the security community.\n\
While not required, you can use a MITRE ATT&CK\xAE group reference URL."
example: https://attack.mitre.org/groups/G0037/
default_field: false
- name: indicator.as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
default_field: false
- name: indicator.as.organization.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Organization name.
example: Google LLC
default_field: false
- name: indicator.confidence
level: extended
type: keyword
ignore_above: 1024
description: "Identifies\_the\_vendor-neutral confidence\_rating\_using\_the\
\ None/Low/Medium/High\_scale defined in Appendix A of the STIX 2.1 framework.\
\ Vendor-specific confidence scales may be added as custom fields.\nExpected\
\ values are:\n * Not Specified\n * None\n * Low\n * Medium\n * High"
example: Medium
default_field: false
- name: indicator.description
level: extended
type: keyword
ignore_above: 1024
description: Describes the type of action conducted by the threat.
example: IP x.x.x.x was observed delivering the Angler EK.
default_field: false
- name: indicator.email.address
level: extended
type: keyword
ignore_above: 1024
description: Identifies a threat indicator as an email address (irrespective
of direction).
example: phish@example.com
default_field: false
- name: indicator.file.accessed
level: extended
type: date
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
default_field: false
- name: indicator.file.attributes
level: extended
type: keyword
ignore_above: 1024
description: 'Array of file attributes.
Attributes names will vary by platform. Here''s a non-exhaustive list of values
that are expected in this field: archive, compressed, directory, encrypted,
execute, hidden, read, readonly, system, write.'
example: '["readonly", "system"]'
default_field: false
- name: indicator.file.code_signature.digest_algorithm
level: extended
type: keyword
ignore_above: 1024
description: 'The hashing algorithm used to sign the process.
This value can distinguish signatures when a file is signed multiple times
by the same signer but with a different digest algorithm.'
example: sha256
default_field: false
- name: indicator.file.code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: indicator.file.code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: indicator.file.code_signature.status
level: extended
type: keyword
ignore_above: 1024
description: 'Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity
or trust status. Leave unpopulated if the validity or trust of the certificate
was unchecked.'
example: ERROR_UNTRUSTED_ROOT
default_field: false
- name: indicator.file.code_signature.subject_name
level: core
type: keyword
ignore_above: 1024
description: Subject name of the code signer.
example: Microsoft Corporation
default_field: false
- name: indicator.file.code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: indicator.file.code_signature.timestamp
level: extended
type: date
description: Date and time when the code signature was generated and signed.
example: '2021-01-01T12:10:30Z'
default_field: false
- name: indicator.file.code_signature.trusted
level: extended
type: boolean
description: 'Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this
field should only be populated by tools that actively check the status.'
example: 'true'
default_field: false
- name: indicator.file.code_signature.valid
level: extended
type: boolean
description: 'Boolean to capture if the digital signature is verified against
the binary content.
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: indicator.file.created
level: extended
type: date
description: 'File creation time.
Note that not all filesystems store the creation time.'
default_field: false
- name: indicator.file.ctime
level: extended
type: date
description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
default_field: false
- name: indicator.file.device
level: extended
type: keyword
ignore_above: 1024
description: Device that is the source of the file.
example: sda
default_field: false
- name: indicator.file.directory
level: extended
type: keyword
ignore_above: 1024
description: Directory where the file is located. It should include the drive
letter, when appropriate.
example: /home/alice
default_field: false
- name: indicator.file.drive_letter
level: extended
type: keyword
ignore_above: 1
description: 'Drive letter where the file is located. This field is only relevant
on Windows.
The value should be uppercase, and not include the colon.'
example: C
default_field: false
- name: indicator.file.elf.architecture
level: extended
type: keyword
ignore_above: 1024
description: Machine architecture of the ELF file.
example: x86-64
default_field: false
- name: indicator.file.elf.byte_order
level: extended
type: keyword
ignore_above: 1024
description: Byte sequence of ELF file.
example: Little Endian
default_field: false
- name: indicator.file.elf.cpu_type
level: extended
type: keyword
ignore_above: 1024
description: CPU type of the ELF file.
example: Intel
default_field: false
- name: indicator.file.elf.creation_date
level: extended
type: date
description: Extracted when possible from the file's metadata. Indicates when
it was built or compiled. It can also be faked by malware creators.
default_field: false
- name: indicator.file.elf.exports
level: extended
type: flattened
description: List of exported element names and types.
default_field: false
- name: indicator.file.elf.header.abi_version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF Application Binary Interface (ABI).
default_field: false
- name: indicator.file.elf.header.class
level: extended
type: keyword
ignore_above: 1024
description: Header class of the ELF file.
default_field: false
- name: indicator.file.elf.header.data
level: extended
type: keyword
ignore_above: 1024
description: Data table of the ELF header.
default_field: false
- name: indicator.file.elf.header.entrypoint
level: extended
type: long
format: string
description: Header entrypoint of the ELF file.
default_field: false
- name: indicator.file.elf.header.object_version
level: extended
type: keyword
ignore_above: 1024
description: '"0x1" for original ELF files.'
default_field: false
- name: indicator.file.elf.header.os_abi
level: extended
type: keyword
ignore_above: 1024
description: Application Binary Interface (ABI) of the Linux OS.
default_field: false
- name: indicator.file.elf.header.type
level: extended
type: keyword
ignore_above: 1024
description: Header type of the ELF file.
default_field: false
- name: indicator.file.elf.header.version
level: extended
type: keyword
ignore_above: 1024
description: Version of the ELF header.
default_field: false
- name: indicator.file.elf.imports
level: extended
type: flattened
description: List of imported element names and types.
default_field: false
- name: indicator.file.elf.sections
level: extended
type: nested
description: 'An array containing an object for each section of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.sections.*`.'
default_field: false
- name: indicator.file.elf.sections.chi2
level: extended
type: long
format: number
description: Chi-square probability distribution of the section.
default_field: false
- name: indicator.file.elf.sections.entropy
level: extended
type: long
format: number
description: Shannon entropy calculation from the section.
default_field: false
- name: indicator.file.elf.sections.flags
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List flags.
default_field: false
- name: indicator.file.elf.sections.name
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List name.
default_field: false
- name: indicator.file.elf.sections.physical_offset
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List offset.
default_field: false
- name: indicator.file.elf.sections.physical_size
level: extended
type: long
format: bytes
description: ELF Section List physical size.
default_field: false
- name: indicator.file.elf.sections.type
level: extended
type: keyword
ignore_above: 1024
description: ELF Section List type.
default_field: false
- name: indicator.file.elf.sections.virtual_address
level: extended
type: long
format: string
description: ELF Section List virtual address.
default_field: false
- name: indicator.file.elf.sections.virtual_size
level: extended
type: long
format: string
description: ELF Section List virtual size.
default_field: false
- name: indicator.file.elf.segments
level: extended
type: nested
description: 'An array containing an object for each segment of the ELF file.
The keys that should be present in these objects are defined by sub-fields
underneath `elf.segments.*`.'
default_field: false
- name: indicator.file.elf.segments.sections
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment sections.
default_field: false
- name: indicator.file.elf.segments.type
level: extended
type: keyword
ignore_above: 1024
description: ELF object segment type.
default_field: false
- name: indicator.file.elf.shared_libraries
level: extended
type: keyword
ignore_above: 1024
description: List of shared libraries used by this ELF object.
default_field: false
- name: indicator.file.elf.telfhash
level: extended
type: keyword
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
- name: indicator.file.extension
level: extended
type: keyword
ignore_above: 1024
description: 'File extension, excluding the leading dot.
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
default_field: false
- name: indicator.file.fork_name
level: extended
type: keyword
ignore_above: 1024
description: 'A fork is additional data associated with a filesystem object.
On Linux, a resource fork is used to store additional data with a filesystem
object. A file always has at least one fork for the data portion, and additional
forks may exist.
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
data stream for a file is just called $DATA. Zone.Identifier is commonly used
by Windows to track contents downloaded from the Internet. An ADS is typically
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
is the value that should populate `fork_name`. `filename.extension` should
populate `file.name`, and `extension` should populate `file.extension`. The
full path, `file.path`, will include the fork name.'
example: Zone.Identifer
default_field: false
- name: indicator.file.gid
level: extended
type: keyword
ignore_above: 1024
description: Primary group ID (GID) of the file.
example: '1001'
default_field: false
- name: indicator.file.group
level: extended
type: keyword
ignore_above: 1024
description: Primary group name of the file.
example: alice
default_field: false
- name: indicator.file.hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
default_field: false
- name: indicator.file.hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
default_field: false
- name: indicator.file.hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
default_field: false
- name: indicator.file.hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
default_field: false
- name: indicator.file.hash.ssdeep
level: extended
type: keyword
ignore_above: 1024
description: SSDEEP hash.
default_field: false
- name: indicator.file.inode
level: extended
type: keyword
ignore_above: 1024
description: Inode representing the file in the filesystem.
example: '256383'
default_field: false
- name: indicator.file.mime_type
level: extended
type: keyword
ignore_above: 1024
description: MIME type should identify the format of the file or stream of bytes
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
official types], where possible. When more than one type is applicable, the
most specific type should be used.
default_field: false
- name: indicator.file.mode
level: extended
type: keyword
ignore_above: 1024
description: Mode of the file in octal representation.
example: '0640'
default_field: false
- name: indicator.file.mtime
level: extended
type: date
description: Last time the file content was modified.
default_field: false
- name: indicator.file.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the file including the extension, without the directory.
example: example.png
default_field: false
- name: indicator.file.owner
level: extended
type: keyword
ignore_above: 1024
description: File owner's username.
example: alice
default_field: false
- name: indicator.file.path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Full path to the file, including the file name. It should include
the drive letter, when appropriate.
example: /home/alice/example.png
default_field: false
- name: indicator.file.pe.architecture
level: extended
type: keyword
ignore_above: 1024
description: CPU architecture target for the file.
example: x64
default_field: false
- name: indicator.file.pe.company
level: extended
type: keyword
ignore_above: 1024
description: Internal company name of the file, provided at compile-time.
example: Microsoft Corporation
default_field: false
- name: indicator.file.pe.description
level: extended
type: keyword
ignore_above: 1024
description: Internal description of the file, provided at compile-time.
example: Paint
default_field: false
- name: indicator.file.pe.file_version
level: extended
type: keyword
ignore_above: 1024
description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415
default_field: false
- name: indicator.file.pe.imphash
level: extended
type: keyword
ignore_above: 1024
description: 'A hash of the imports in a PE file. An imphash -- or import hash
-- can be used to fingerprint binaries even after recompilation or other code-level
transformations have occurred, which would change more traditional hash values.
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
example: 0c6803c4e922103c4dca5963aad36ddf
default_field: false
- name: indicator.file.pe.original_file_name
level: extended
type: keyword
ignore_above: 1024
description: Internal name of the file, provided at compile-time.
example: MSPAINT.EXE
default_field: false
- name: indicator.file.pe.product
level: extended
type: keyword
ignore_above: 1024
description: Internal product name of the file, provided at compile-time.
example: "Microsoft\xAE Windows\xAE Operating System"
default_field: false
- name: indicator.file.size
level: extended
type: long
description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
default_field: false
- name: indicator.file.target_path
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Target path for symlinks.
default_field: false
- name: indicator.file.type
level: extended
type: keyword
ignore_above: 1024
description: File type (file, dir, or symlink).
example: file
default_field: false
- name: indicator.file.uid
level: extended
type: keyword
ignore_above: 1024
description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
default_field: false
- name: indicator.file.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: indicator.file.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: indicator.file.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: indicator.file.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: indicator.file.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: indicator.file.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: indicator.file.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: indicator.file.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: indicator.file.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: indicator.file.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: indicator.file.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: indicator.file.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: indicator.file.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: indicator.file.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: indicator.file.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: indicator.file.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: indicator.file.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: indicator.file.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: indicator.file.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: indicator.file.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: indicator.file.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: indicator.file.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: indicator.file.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: indicator.file.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: indicator.first_seen
level: extended
type: date
description: The date and time when intelligence source first reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: indicator.geo.city_name
level: core
type: keyword
ignore_above: 1024
description: City name.
example: Montreal
default_field: false
- name: indicator.geo.continent_code
level: core
type: keyword
ignore_above: 1024
description: Two-letter code representing continent's name.
example: NA
default_field: false
- name: indicator.geo.continent_name
level: core
type: keyword
ignore_above: 1024
description: Name of the continent.
example: North America
default_field: false
- name: indicator.geo.country_iso_code
level: core
type: keyword
ignore_above: 1024
description: Country ISO code.
example: CA
default_field: false
- name: indicator.geo.country_name
level: core
type: keyword
ignore_above: 1024
description: Country name.
example: Canada
default_field: false
- name: indicator.geo.location
level: core
type: geo_point
description: Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
default_field: false
- name: indicator.geo.name
level: extended
type: keyword
ignore_above: 1024
description: 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example: boston-dc
default_field: false
- name: indicator.geo.postal_code
level: core
type: keyword
ignore_above: 1024
description: 'Postal code associated with the location.
Values appropriate for this field may also be known as a postcode or ZIP code
and will vary widely from country to country.'
example: 94040
default_field: false
- name: indicator.geo.region_iso_code
level: core
type: keyword
ignore_above: 1024
description: Region ISO code.
example: CA-QC
default_field: false
- name: indicator.geo.region_name
level: core
type: keyword
ignore_above: 1024
description: Region name.
example: Quebec
default_field: false
- name: indicator.geo.timezone
level: core
type: keyword
ignore_above: 1024
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
- name: indicator.ip
level: extended
type: ip
description: Identifies a threat indicator as an IP address (irrespective of
direction).
example: 1.2.3.4
default_field: false
- name: indicator.last_seen
level: extended
type: date
description: The date and time when intelligence source last reported sighting
this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: indicator.marking.tlp
level: extended
type: keyword
ignore_above: 1024
description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
\ * WHITE\n * GREEN\n * AMBER\n * RED"
example: WHITE
default_field: false
- name: indicator.modified_at
level: extended
type: date
description: The date and time when intelligence source last modified information
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: indicator.port
level: extended
type: long
description: Identifies a threat indicator as a port number (irrespective of
direction).
example: 443
default_field: false
- name: indicator.provider
level: extended
type: keyword
ignore_above: 1024
description: The name of the indicator's provider.
example: lrz_urlhaus
default_field: false
- name: indicator.reference
level: extended
type: keyword
ignore_above: 1024
description: Reference URL linking to additional information about this indicator.
example: https://system.example.com/indicator/0001234
default_field: false
- name: indicator.registry.data.bytes
level: extended
type: keyword
ignore_above: 1024
description: 'Original bytes written with base64 encoding.
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
corresponds to the data pointed by `lp_data`. This is optional but provides
better recoverability and should be populated for REG_BINARY encoded values.'
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
default_field: false
- name: indicator.registry.data.strings
level: core
type: wildcard
description: 'Content when writing string types.
Populated as an array when writing string data to the registry. For single
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
one string. For sequences of string with REG_MULTI_SZ, this array will be
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
be populated with the decimal representation (e.g. `"1"`).'
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
default_field: false
- name: indicator.registry.data.type
level: core
type: keyword
ignore_above: 1024
description: Standard registry type for encoding contents
example: REG_SZ
default_field: false
- name: indicator.registry.hive
level: core
type: keyword
ignore_above: 1024
description: Abbreviated name for the hive.
example: HKLM
default_field: false
- name: indicator.registry.key
level: core
type: keyword
ignore_above: 1024
description: Hive-relative path of keys.
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
default_field: false
- name: indicator.registry.path
level: core
type: keyword
ignore_above: 1024
description: Full path, including hive, key and value
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\winword.exe\Debugger
default_field: false
- name: indicator.registry.value
level: core
type: keyword
ignore_above: 1024
description: Name of the value written.
example: Debugger
default_field: false
- name: indicator.scanner_stats
level: extended
type: long
description: Count of AV/EDR vendors that successfully detected malicious file
or URL.
example: 4
default_field: false
- name: indicator.sightings
level: extended
type: long
description: Number of times this indicator was observed conducting threat activity.
example: 20
default_field: false
- name: indicator.type
level: extended
type: keyword
ignore_above: 1024
description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
Recommended values:\n * autonomous-system\n * artifact\n * directory\n\
\ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\
\ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \
\ * user-account\n * windows-registry-key\n * x509-certificate"
example: ipv4-addr
default_field: false
- name: indicator.url.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
2732), the `[` and `]` characters should also be captured in the `domain`
field.'
example: www.elastic.co
default_field: false
- name: indicator.url.extension
level: extended
type: keyword
ignore_above: 1024
description: 'The field contains the file extension from the original request
url, excluding the leading dot.
The file extension is only set if it exists, as not every url has a file extension.
The leading period must not be included. For example, the value must be "png",
not ".png".
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
default_field: false
- name: indicator.url.fragment
level: extended
type: keyword
ignore_above: 1024
description: 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
default_field: false
- name: indicator.url.full
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: If full URLs are important to your use case, they should be stored
in `url.full`, whether this field is reconstructed or present in the event
source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
default_field: false
- name: indicator.url.original
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
description: 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas
in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
default_field: false
- name: indicator.url.password
level: extended
type: keyword
ignore_above: 1024
description: Password of the request.
default_field: false
- name: indicator.url.path
level: extended
type: wildcard
description: Path of the request, such as "/search".
default_field: false
- name: indicator.url.port
level: extended
type: long
format: string
description: Port of the request, such as 443.
example: 443
default_field: false
- name: indicator.url.query
level: extended
type: keyword
ignore_above: 1024
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there
is no query field. If there is a `?` but no query, the query field exists
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
default_field: false
- name: indicator.url.registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
default_field: false
- name: indicator.url.scheme
level: extended
type: keyword
ignore_above: 1024
description: 'Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.'
example: https
default_field: false
- name: indicator.url.subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot
be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: indicator.url.top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
default_field: false
- name: indicator.url.username
level: extended
type: keyword
ignore_above: 1024
description: Username of the request.
default_field: false
- name: indicator.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: indicator.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common name (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: indicator.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: indicator.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: indicator.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: indicator.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: indicator.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: indicator.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: indicator.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: indicator.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: indicator.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: indicator.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: indicator.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: indicator.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: indicator.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: indicator.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: indicator.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: indicator.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) code
example: US
default_field: false
- name: indicator.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: indicator.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: indicator.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: indicator.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: indicator.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: indicator.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: software.alias
level: extended
type: keyword
ignore_above: 1024
description: "The alias(es) of the software for a set of related intrusion activity\
\ that are tracked by a common name in the security community.\nWhile not\
\ required, you can use a MITRE ATT&CK\xAE associated software description."
example: '[ "X-Agent" ]'
default_field: false
- name: software.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
\ a MITRE ATT&CK\xAE software id."
example: S0552
default_field: false
- name: software.name
level: extended
type: keyword
ignore_above: 1024
description: "The name of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
\ a MITRE ATT&CK\xAE software name."
example: AdFind
default_field: false
- name: software.platforms
level: extended
type: keyword
ignore_above: 1024
description: "The platforms of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n\
\ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n *\
\ Office 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE\
\ ATT&CK\xAE software platforms."
example: '[ "Windows" ]'
default_field: false
- name: software.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference URL of the software used by this threat to conduct\
\ behavior commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you\
\ can use a MITRE ATT&CK\xAE software reference URL."
example: https://attack.mitre.org/software/S0552/
default_field: false
- name: software.type
level: extended
type: keyword
ignore_above: 1024
description: "The type of software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\
\n While not required, you can use a MITRE ATT&CK\xAE software type."
example: Tool
default_field: false
- name: tactic.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
example: TA0002
- name: tactic.name
level: extended
type: keyword
ignore_above: 1024
description: "Name of the type of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
example: Execution
- name: tactic.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
\ )"
example: https://attack.mitre.org/tactics/TA0002/
- name: technique.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: T1059
- name: technique.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: "The name of technique used by this threat. You can use a MITRE\
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: Command and Scripting Interpreter
- name: technique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of technique used by this threat. You can use\
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: https://attack.mitre.org/techniques/T1059/
- name: technique.subtechnique.id
level: extended
type: keyword
ignore_above: 1024
description: "The full id of subtechnique used by this threat. You can use a\
\ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: T1059.001
default_field: false
- name: technique.subtechnique.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: "The name of subtechnique used by this threat. You can use a MITRE\
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: PowerShell
default_field: false
- name: technique.subtechnique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of subtechnique used by this threat. You can\
\ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: https://attack.mitre.org/techniques/T1059/001/
default_field: false
- name: tls
title: TLS
group: 2
description: Fields related to a TLS connection. These fields focus on the TLS
protocol itself and intentionally avoid in-depth analysis of the related x.509
certificate files.
type: group
default_field: true
fields:
- name: cipher
level: extended
type: keyword
ignore_above: 1024
description: String indicating the cipher used during the current connection.
example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
default_field: false
- name: client.certificate
level: extended
type: keyword
ignore_above: 1024
description: PEM-encoded stand-alone certificate offered by the client. This
is usually mutually-exclusive of `client.certificate_chain` since this value
also exists in that list.
example: MII...
default_field: false
- name: client.certificate_chain
level: extended
type: keyword
ignore_above: 1024
description: Array of PEM-encoded certificates that make up the certificate
chain offered by the client. This is usually mutually-exclusive of `client.certificate`
since that value should be the first certificate in the chain.
example: '["MII...", "MII..."]'
default_field: false
- name: client.hash.md5
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the MD5 digest of DER-encoded version
of certificate offered by the client. For consistency with other hash values,
this value should be formatted as an uppercase hash.
example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
default_field: false
- name: client.hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the SHA1 digest of DER-encoded version
of certificate offered by the client. For consistency with other hash values,
this value should be formatted as an uppercase hash.
example: 9E393D93138888D288266C2D915214D1D1CCEB2A
default_field: false
- name: client.hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the SHA256 digest of DER-encoded
version of certificate offered by the client. For consistency with other hash
values, this value should be formatted as an uppercase hash.
example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
default_field: false
- name: client.issuer
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name of subject of the issuer of the x.509 certificate
presented by the client.
example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
default_field: false
- name: client.ja3
level: extended
type: keyword
ignore_above: 1024
description: A hash that identifies clients based on how they perform an SSL/TLS
handshake.
example: d4e5b18d6b55c71272893221c96ba240
default_field: false
- name: client.not_after
level: extended
type: date
description: Date/Time indicating when client certificate is no longer considered
valid.
example: '2021-01-01T00:00:00.000Z'
default_field: false
- name: client.not_before
level: extended
type: date
description: Date/Time indicating when client certificate is first considered
valid.
example: '1970-01-01T00:00:00.000Z'
default_field: false
- name: client.server_name
level: extended
type: keyword
ignore_above: 1024
description: Also called an SNI, this tells the server which hostname the client
is attempting to connect to. When this value is available, it should
get copied to `destination.domain`.
example: www.elastic.co
default_field: false
- name: client.subject
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name of subject of the x.509 certificate presented
by the client.
example: CN=myclient, OU=Documentation Team, DC=example, DC=com
default_field: false
- name: client.supported_ciphers
level: extended
type: keyword
ignore_above: 1024
description: Array of ciphers offered by the client during the client hello.
example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"..."]'
default_field: false
- name: client.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: client.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common name (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: client.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: client.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: client.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: client.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: client.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: client.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: client.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: client.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: client.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: client.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: client.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: client.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: client.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: client.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: client.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: client.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) code
example: US
default_field: false
- name: client.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: client.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: client.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: client.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: client.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: client.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: curve
level: extended
type: keyword
ignore_above: 1024
description: String indicating the curve used for the given cipher, when applicable.
example: secp256r1
default_field: false
- name: established
level: extended
type: boolean
description: Boolean flag indicating if the TLS negotiation was successful and
transitioned to an encrypted tunnel.
default_field: false
- name: next_protocol
level: extended
type: keyword
ignore_above: 1024
description: String indicating the protocol being tunneled. Per the values in
the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
this string should be lower case.
example: http/1.1
default_field: false
- name: resumed
level: extended
type: boolean
description: Boolean flag indicating if this TLS connection was resumed from
an existing TLS negotiation.
default_field: false
- name: server.certificate
level: extended
type: keyword
ignore_above: 1024
description: PEM-encoded stand-alone certificate offered by the server. This
is usually mutually-exclusive of `server.certificate_chain` since this value
also exists in that list.
example: MII...
default_field: false
- name: server.certificate_chain
level: extended
type: keyword
ignore_above: 1024
description: Array of PEM-encoded certificates that make up the certificate
chain offered by the server. This is usually mutually-exclusive of `server.certificate`
since that value should be the first certificate in the chain.
example: '["MII...", "MII..."]'
default_field: false
- name: server.hash.md5
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the MD5 digest of DER-encoded version
of certificate offered by the server. For consistency with other hash values,
this value should be formatted as an uppercase hash.
example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
default_field: false
- name: server.hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the SHA1 digest of DER-encoded version
of certificate offered by the server. For consistency with other hash values,
this value should be formatted as an uppercase hash.
example: 9E393D93138888D288266C2D915214D1D1CCEB2A
default_field: false
- name: server.hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: Certificate fingerprint using the SHA256 digest of DER-encoded
version of certificate offered by the server. For consistency with other hash
values, this value should be formatted as an uppercase hash.
example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
default_field: false
- name: server.issuer
level: extended
type: keyword
ignore_above: 1024
description: Subject of the issuer of the x.509 certificate presented by the
server.
example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
default_field: false
- name: server.ja3s
level: extended
type: keyword
ignore_above: 1024
description: A hash that identifies servers based on how they perform an SSL/TLS
handshake.
example: 394441ab65754e2207b1e1b457b3641d
default_field: false
- name: server.not_after
level: extended
type: date
description: Timestamp indicating when server certificate is no longer considered
valid.
example: '2021-01-01T00:00:00.000Z'
default_field: false
- name: server.not_before
level: extended
type: date
description: Timestamp indicating when server certificate is first considered
valid.
example: '1970-01-01T00:00:00.000Z'
default_field: false
- name: server.subject
level: extended
type: keyword
ignore_above: 1024
description: Subject of the x.509 certificate presented by the server.
example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
default_field: false
- name: server.x509.alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: server.x509.issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common name (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: server.x509.issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: server.x509.issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: server.x509.issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: server.x509.issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: server.x509.issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: server.x509.issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: server.x509.not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: server.x509.not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: server.x509.public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: server.x509.public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: server.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: server.x509.public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: server.x509.serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: server.x509.signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: server.x509.subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: server.x509.subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: server.x509.subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: server.x509.subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: server.x509.subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: server.x509.subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: server.x509.subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: server.x509.version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- name: version
level: extended
type: keyword
ignore_above: 1024
description: Numeric part of the version parsed from the original string.
example: '1.2'
default_field: false
- name: version_protocol
level: extended
type: keyword
ignore_above: 1024
description: Normalized lowercase protocol name parsed from original string.
example: tls
default_field: false
- name: span.id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier of the span within the scope of its trace.
A span represents an operation within a transaction, such as a request to another
service, or a database query.'
example: 3ff9a8981b7ccd5a
- name: trace.id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier of the trace.
A trace groups multiple events like transactions that belong together. For example,
a user request handled by multiple inter-connected services.'
example: 4bf92f3577b34da6a3ce929d0e0e4736
default_field: true
- name: transaction.id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier of the transaction within the scope of its trace.
A transaction is the highest level of work measured within a service, such as
a request to a server.'
example: 00f067aa0ba902b7
default_field: true
- name: url
title: URL
group: 2
description: URL fields provide support for complete or partial URLs, and supports
the breaking down into scheme, domain, path, and so on.
type: group
default_field: true
fields:
- name: domain
level: extended
type: keyword
ignore_above: 1024
description: 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
2732), the `[` and `]` characters should also be captured in the `domain`
field.'
example: www.elastic.co
- name: extension
level: extended
type: keyword
ignore_above: 1024
description: 'The field contains the file extension from the original request
url, excluding the leading dot.
The file extension is only set if it exists, as not every url has a file extension.
The leading period must not be included. For example, the value must be "png",
not ".png".
Note that when the file name has multiple extensions (example.tar.gz), only
the last one should be captured ("gz", not "tar.gz").'
example: png
- name: fragment
level: extended
type: keyword
ignore_above: 1024
description: 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
- name: full
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
default_field: false
description: If full URLs are important to your use case, they should be stored
in `url.full`, whether this field is reconstructed or present in the event
source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: original
level: extended
type: wildcard
multi_fields:
- name: text
type: match_only_text
default_field: false
description: 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas
in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
- name: password
level: extended
type: keyword
ignore_above: 1024
description: Password of the request.
- name: path
level: extended
type: wildcard
description: Path of the request, such as "/search".
- name: port
level: extended
type: long
format: string
description: Port of the request, such as 443.
example: 443
- name: query
level: extended
type: keyword
ignore_above: 1024
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there
is no query field. If there is a `?` but no query, the query field exists
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
- name: registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: example.com
- name: scheme
level: extended
type: keyword
ignore_above: 1024
description: 'Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.'
example: https
- name: subdomain
level: extended
type: keyword
ignore_above: 1024
description: 'The subdomain portion of a fully qualified domain name includes
all of the names except the host name under the registered_domain. In a partially
qualified domain, or if the qualification level of the full name cannot
be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
the subdomain field should contain "sub2.sub1", with no trailing period.'
example: east
default_field: false
- name: top_level_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The effective top level domain (eTLD), also known as the domain
suffix, is the last part of the domain name. For example, the top level domain
for example.com is "com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last label will not work well for effective TLDs such as "co.uk".'
example: co.uk
- name: username
level: extended
type: keyword
ignore_above: 1024
description: Username of the request.
- name: user
title: User
group: 2
description: 'The user fields describe information about the user that is relevant
to the event.
Fields can have one entry or multiple entries. If a user has more than one id,
provide an array that includes all of them.'
type: group
default_field: true
fields:
- name: changes.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: changes.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
default_field: false
- name: changes.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: User's full name, if available.
example: Albert Einstein
default_field: false
- name: changes.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: changes.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
default_field: false
- name: changes.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
default_field: false
- name: changes.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
default_field: false
- name: changes.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
default_field: false
- name: changes.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Short name or login of the user.
example: a.einstein
default_field: false
- name: changes.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: effective.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: effective.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
default_field: false
- name: effective.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: User's full name, if available.
example: Albert Einstein
default_field: false
- name: effective.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: effective.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
default_field: false
- name: effective.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
default_field: false
- name: effective.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
default_field: false
- name: effective.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
default_field: false
- name: effective.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Short name or login of the user.
example: a.einstein
default_field: false
- name: effective.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
- name: full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: User's full name, if available.
example: Albert Einstein
- name: group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- name: group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
- name: group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
- name: hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name: id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- name: name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Short name or login of the user.
example: a.einstein
- name: roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: target.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: target.email
level: extended
type: keyword
ignore_above: 1024
description: User email address.
default_field: false
- name: target.full_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: User's full name, if available.
example: Albert Einstein
default_field: false
- name: target.group.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
default_field: false
- name: target.group.id
level: extended
type: keyword
ignore_above: 1024
description: Unique identifier for the group on the system/platform.
default_field: false
- name: target.group.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the group.
default_field: false
- name: target.hash
level: extended
type: keyword
ignore_above: 1024
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
default_field: false
- name: target.id
level: core
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
default_field: false
- name: target.name
level: core
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Short name or login of the user.
example: a.einstein
default_field: false
- name: target.roles
level: extended
type: keyword
ignore_above: 1024
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
- name: user_agent
title: User agent
group: 2
description: 'The user_agent fields normally come from a browser request.
They often show up in web service logs coming from the parsed user agent string.'
type: group
default_field: true
fields:
- name: device.name
level: extended
type: keyword
ignore_above: 1024
description: Name of the device.
example: iPhone
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Name of the user agent.
example: Safari
- name: original
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: Unparsed user_agent string.
example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
- name: os.family
level: extended
type: keyword
ignore_above: 1024
description: OS family (such as redhat, debian, freebsd, windows).
example: debian
- name: os.full
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, including the version or code name.
example: Mac OS Mojave
- name: os.kernel
level: extended
type: keyword
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- name: os.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
default_field: false
description: Operating system name, without the version.
example: Mac OS X
- name: os.platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: os.type
level: extended
type: keyword
ignore_above: 1024
description: 'Use the `os.type` field to categorize the operating system into
one of the broad commercial families.
One of these following values should be used (lowercase): linux, macos, unix,
windows.
If the OS you''re dealing with is not in the list, the field should not be
populated. Please let us know by opening an issue with ECS, to propose its
addition.'
example: macos
default_field: false
- name: os.version
level: extended
type: keyword
ignore_above: 1024
description: Operating system version as a raw string.
example: 10.14.1
- name: version
level: extended
type: keyword
ignore_above: 1024
description: Version of the user agent.
example: 12.0
- name: vlan
title: VLAN
group: 2
description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet,
as well as ingress and egress VLAN associations of an observer in relation to
a specific packet or connection.
Network.vlan fields are used to record a single VLAN tag, or the outer tag in
the case of q-in-q encapsulations, for a packet or connection as observed, typically
provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
802.1q encapsulations) as observed, typically provided by a network sensor (e.g.
Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
only be used in addition to network.vlan fields to indicate q-in-q tagging.
Observer.ingress and observer.egress VLAN values are used to record observer
specific information when observer events contain discrete ingress and egress
VLAN information, typically provided by firewalls, routers, or load balancers.'
type: group
default_field: true
fields:
- name: id
level: extended
type: keyword
ignore_above: 1024
description: VLAN ID as reported by the observer.
example: 10
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
- name: vulnerability
title: Vulnerability
group: 2
description: The vulnerability fields describe information about a vulnerability
that is relevant to an event.
type: group
default_field: true
fields:
- name: category
level: extended
type: keyword
ignore_above: 1024
description: 'The type of system or architecture that the vulnerability affects.
These may be platform-specific (for example, Debian or SUSE) or general (for
example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
vulnerability categories])
This field must be an array.'
example: '["Firewall"]'
default_field: false
- name: classification
level: extended
type: keyword
ignore_above: 1024
description: The classification of the vulnerability scoring system. For example
(https://www.first.org/cvss/)
example: CVSS
default_field: false
- name: description
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
description: The description of the vulnerability that provides additional context
of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
Vulnerabilities and Exposure CVE description])
example: In macOS before 2.12.6, there is a vulnerability in the RPC...
default_field: false
- name: enumeration
level: extended
type: keyword
ignore_above: 1024
description: The type of identifier used for this vulnerability. For example
(https://cve.mitre.org/about/)
example: CVE
default_field: false
- name: id
level: extended
type: keyword
ignore_above: 1024
description: The identification (ID) is the number portion of a vulnerability
entry. It includes a unique identification number for the vulnerability. For
example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
and Exposure CVE ID]
example: CVE-2019-00001
default_field: false
- name: reference
level: extended
type: keyword
ignore_above: 1024
description: A resource that provides additional information, context, and mitigations
for the identified vulnerability.
example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
default_field: false
- name: report_id
level: extended
type: keyword
ignore_above: 1024
description: The report or scan identification number.
example: 20191018.0001
default_field: false
- name: scanner.vendor
level: extended
type: keyword
ignore_above: 1024
description: The name of the vulnerability scanner vendor.
example: Tenable
default_field: false
- name: score.base
level: extended
type: float
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Base scores cover an assessment for exploitability metrics (attack vector,
complexity, privileges, and user interaction), impact metrics (confidentiality,
integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
example: 5.5
default_field: false
- name: score.environmental
level: extended
type: float
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Environmental scores cover an assessment for any modified Base metrics, confidentiality,
integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
example: 5.5
default_field: false
- name: score.temporal
level: extended
type: float
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
Temporal scores cover an assessment for code maturity, remediation level,
and confidence. For example (https://www.first.org/cvss/specification-document)'
default_field: false
- name: score.version
level: extended
type: keyword
ignore_above: 1024
description: 'The National Vulnerability Database (NVD) provides qualitative
severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score
ranges in addition to the severity ratings for CVSS v3.0 as they are defined
in the CVSS v3.0 specification.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
organization, whose mission is to help computer security incident response
teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
example: 2.0
default_field: false
- name: severity
level: extended
type: keyword
ignore_above: 1024
description: The severity of the vulnerability can help with metrics and internal
prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
example: Critical
default_field: false
- name: x509
title: x509 Certificate
group: 2
description: 'This implements the common core fields for x509 certificates. This
information is likely logged with TLS sessions, digital signatures found in
executable binaries, S/MIME information in email bodies, or analysis of files
on disk.
When the certificate relates to a file, use the fields at `file.x509`. When
hashes of the DER-encoded certificate are available, the `hash` data set should
be populated as well (e.g. `file.hash.sha256`).
Events that contain certificate information about network connections, should
use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
`tls.client.x509`.'
type: group
default_field: true
fields:
- name: alternative_names
level: extended
type: keyword
ignore_above: 1024
description: List of subject alternative names (SAN). Name types vary by certificate
authority and certificate type but commonly contain IP addresses, DNS names
(and wildcards), and email addresses.
example: '*.elastic.co'
default_field: false
- name: issuer.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of issuing certificate authority.
example: Example SHA2 High Assurance Server CA
default_field: false
- name: issuer.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: issuer.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
Server CA
default_field: false
- name: issuer.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: Mountain View
default_field: false
- name: issuer.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of issuing certificate authority.
example: Example Inc
default_field: false
- name: issuer.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com
default_field: false
- name: issuer.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00
default_field: false
- name: not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00
default_field: false
- name: public_key_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Algorithm used to generate the public key.
example: RSA
default_field: false
- name: public_key_curve
level: extended
type: keyword
ignore_above: 1024
description: The curve used by the elliptic curve public key algorithm. This
is algorithm specific.
example: nistp521
default_field: false
- name: public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
doc_values: false
default_field: false
- name: public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
default_field: false
- name: serial_number
level: extended
type: keyword
ignore_above: 1024
description: Unique serial number issued by the certificate authority. For consistency,
if this value is alphanumeric, it should be formatted without colons and uppercase
characters.
example: 55FBB9C7DEBF09809D12CCAA
default_field: false
- name: signature_algorithm
level: extended
type: keyword
ignore_above: 1024
description: Identifier for certificate signature algorithm. We recommend using
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA
default_field: false
- name: subject.common_name
level: extended
type: keyword
ignore_above: 1024
description: List of common names (CN) of subject.
example: shared.global.example.net
default_field: false
- name: subject.country
level: extended
type: keyword
ignore_above: 1024
description: List of country (C) codes
example: US
default_field: false
- name: subject.distinguished_name
level: extended
type: keyword
ignore_above: 1024
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
default_field: false
- name: subject.locality
level: extended
type: keyword
ignore_above: 1024
description: List of locality names (L)
example: San Francisco
default_field: false
- name: subject.organization
level: extended
type: keyword
ignore_above: 1024
description: List of organizations (O) of subject.
example: Example, Inc.
default_field: false
- name: subject.organizational_unit
level: extended
type: keyword
ignore_above: 1024
description: List of organizational units (OU) of subject.
default_field: false
- name: subject.state_or_province
level: extended
type: keyword
ignore_above: 1024
description: List of state or province names (ST, S, or P)
example: California
default_field: false
- name: version_number
level: extended
type: keyword
ignore_above: 1024
description: Version of x509 format.
example: 3
default_field: false
- key: beat
anchor: beat-common
title: Beat
description: >
Contains common beat fields available in all event types.
fields:
- name: agent.hostname
type: alias
path: agent.name
description: >
Deprecated - use agent.name or agent.id to identify an agent.
- name: beat.timezone
type: alias
path: event.timezone
migration: true
- name: fields
type: object
object_type: keyword
description: >
Contains user configurable fields.
- name: beat.name
type: alias
path: host.name
migration: true
- name: beat.hostname
type: alias
path: agent.name
migration: true
- name: timeseries.instance
type: keyword
description: Time series instance id
- key: cloud
title: Cloud provider metadata
description: >
Metadata from cloud providers added by the add_cloud_metadata processor.
fields:
- name: cloud.image.id
default_field: true
example: ami-abcd1234
description: >
Image ID for the cloud instance.
# Alias for old fields
- name: meta.cloud.provider
default_field: true
type: alias
path: cloud.provider
migration: true
- name: meta.cloud.instance_id
default_field: true
type: alias
path: cloud.instance.id
migration: true
- name: meta.cloud.instance_name
default_field: true
type: alias
path: cloud.instance.name
migration: true
- name: meta.cloud.machine_type
default_field: true
type: alias
path: cloud.machine.type
migration: true
- name: meta.cloud.availability_zone
default_field: true
type: alias
path: cloud.availability_zone
migration: true
- name: meta.cloud.project_id
default_field: true
type: alias
path: cloud.project.id
migration: true
- name: meta.cloud.region
default_field: true
type: alias
path: cloud.region
migration: true
- key: docker
title: Docker
description: >
Docker stats collected from Docker.
short_config: false
anchor: docker-processor
fields:
- name: docker
default_field: true
type: group
fields:
- name: container.id
type: alias
path: container.id
migration: true
- name: container.image
type: alias
path: container.image.name
migration: true
- name: container.name
type: alias
path: container.name
migration: true
- name: container.labels # TODO: How to map these?
type: object
object_type: keyword
description: >
Image labels.
- key: host
default_field: true
title: Host
description: >
Info collected for the host machine.
anchor: host-processor
fields:
# ECS fields are in fields.ecs.yml.
# These are the non-ECS fields.
- name: host
default_field: true
type: group
fields:
- name: containerized
type: boolean
description: >
If the host is a container.
- name: os.build
type: keyword
example: "18D109"
description: >
OS build information.
- name: os.codename
type: keyword
example: "stretch"
description: >
OS codename, if any.
- key: kubernetes
title: Kubernetes
description: >
Kubernetes metadata added by the kubernetes processor
short_config: false
anchor: kubernetes-processor
fields:
- name: kubernetes
default_field: true
type: group
fields:
- name: pod.name
type: keyword
description: >
Kubernetes pod name
- name: pod.uid
type: keyword
description: >
Kubernetes Pod UID
- name: pod.ip
type: ip
description: >
Kubernetes Pod IP
- name: namespace
type: keyword
description: >
Kubernetes namespace
- name: node.name
type: keyword
description: >
Kubernetes node name
- name: node.hostname
type: keyword
description: >
Kubernetes hostname as reported by the node’s kernel
- name: labels.*
type: object
object_type: keyword
object_type_mapping_type: "*"
description: >
Kubernetes labels map
- name: annotations.*
type: object
object_type: keyword
object_type_mapping_type: "*"
description: >
Kubernetes annotations map
- name: selectors.*
type: object
object_type: keyword
object_type_mapping_type: "*"
description: >
Kubernetes selectors map
- name: replicaset.name
type: keyword
description: >
Kubernetes replicaset name
- name: deployment.name
type: keyword
description: >
Kubernetes deployment name
- name: statefulset.name
type: keyword
description: >
Kubernetes statefulset name
- name: container.name
type: keyword
description: >
Kubernetes container name (different than the name from the runtime)
- key: process
title: Process
description: >
Process metadata fields
fields:
- name: process
default_field: true
type: group
fields:
- name: exe
type: alias
path: process.executable
migration: true
- name: owner
type: group
description: Process owner information.
fields:
- name: id
type: keyword
ignore_above: 1024
description: Unique identifier of the user.
- name: name
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: text
norms: false
description: Short name or login of the user.
example: albert
- key: jolokia-autodiscover
title: Jolokia Discovery autodiscover provider
description: >
Metadata from Jolokia Discovery added by the jolokia provider.
fields:
- name: jolokia.agent.version
default_field: true
type: keyword
description: >
Version number of jolokia agent.
- name: jolokia.agent.id
default_field: true
type: keyword
description: >
Each agent has a unique id, which can be either provided during startup of the agent in the form of a configuration parameter or autodetected. If autodetected, the id has several parts: the IP, the process id, the hashcode of the agent and its type.
- name: jolokia.server.product
default_field: true
type: keyword
description: >
The container product if detected.
- name: jolokia.server.version
default_field: true
type: keyword
description: >
The container's version (if detected).
- name: jolokia.server.vendor
default_field: true
type: keyword
description: >
The vendor of the container the agent is running in.
- name: jolokia.url
default_field: true
type: keyword
description: >
The URL how this agent can be contacted.
- name: jolokia.secured
default_field: true
type: boolean
description: >
Whether the agent was configured for authentication or not.
- key: log
title: Log file content
description: >
Contains log file lines.
fields:
- name: log.source.address
type: keyword
required: false
description: >
Source address from which the log event was read or sent.
- name: log.offset
type: long
required: false
description: >
The file offset the reported line starts at.
- name: stream
type: keyword
required: false
description: >
Log stream when reading container logs; can be 'stdout' or 'stderr'.
- name: input.type
required: true
description: >
The input type from which the event was generated. This field is set to the value specified
for the `type` option in the input section of the Filebeat config file.
- name: syslog.facility
type: long
required: false
description: >
The facility extracted from the priority.
- name: syslog.priority
type: long
required: false
description: >
The priority of the syslog event.
- name: syslog.severity_label
type: keyword
required: false
description: >
The human readable severity.
- name: syslog.facility_label
type: keyword
required: false
description: >
The human readable facility.
- name: process.program
type: keyword
required: false
description: >
The name of the program.
- name: log.flags
description: >
This field contains the flags of the event.
- name: http.response.content_length
type: alias
path: http.response.body.bytes
migration: true
- name: user_agent
type: group
fields:
- name: os
type: group
fields:
- name: full_name
type: keyword
- name: fileset.name
type: keyword
description: >
The Filebeat fileset that generated this event.
- name: fileset.module
type: alias
path: event.module
migration: true
- name: read_timestamp
type: alias
path: event.created
migration: true
- name: docker.attrs
type: object
object_type: keyword
description: >
docker.attrs contains labels and environment variables written by docker's JSON File logging driver.
These fields are only available when they are configured in the logging driver options.
- name: icmp.code
type: keyword
description: >
ICMP code.
- name: icmp.type
type: keyword
description: >
ICMP type.
- name: igmp.type
type: keyword
description: >
IGMP type.
- name: azure
type: group
fields:
- name: eventhub
type: keyword
description: >
Name of the eventhub.
- name: offset
type: long
description: >
The offset.
- name: enqueued_time
type: date
description: >
The enqueued time.
- name: partition_id
type: long
description: >
The partition id.
- name: consumer_group
type: keyword
description: >
The consumer group.
- name: sequence_number
type: long
description: >
The sequence number.
- name: kafka
type: group
fields:
- name: topic
type: keyword
description: >
Kafka topic
- name: partition
type: long
description: >
Kafka partition number
- name: offset
type: long
description: >
Kafka offset of this message
- name: key
type: keyword
description: >
Kafka key, corresponding to the Kafka value stored in the message
- name: block_timestamp
type: date
description: >
Kafka outer (compressed) block timestamp
- name: headers
type: array
description: >
An array of Kafka header strings for this message, in the form
"<key>: <value>".
- key: apache
title: "Apache"
description: >
Apache Module
short_config: true
fields:
- name: apache
type: group
description: >
Apache fields.
fields:
- name: access
type: group
description: >
Contains fields for the Apache HTTP Server access logs.
fields:
- name: ssl.protocol
type: keyword
description: >
SSL protocol version.
- name: ssl.cipher
type: keyword
description: >
SSL cipher name.
- name: error
type: group
description: >
Fields from the Apache error logs.
fields:
- name: module
type: keyword
description: >
The module producing the logged message.
- key: auditd
title: "Auditd"
description: >
Module for parsing auditd logs.
short_config: true
fields:
- name: user
type: group
fields:
- name: terminal
type: keyword
description: >
Terminal or tty device on which the user is performing the observed activity.
- name: audit
type: group
fields:
- name: id
type: keyword
description: >
One or multiple unique identifiers of the user.
- name: name
type: keyword
example: albert
description: >
Short name or login of the user.
- name: group.id
type: keyword
description: >
Unique identifier for the group on the system/platform.
- name: group.name
type: keyword
description: >
Name of the group.
- name: filesystem
type: group
fields:
- name: id
type: keyword
description: >
One or multiple unique identifiers of the user.
- name: name
type: keyword
example: albert
description: >
Short name or login of the user.
- name: group.id
type: keyword
description: >
Unique identifier for the group on the system/platform.
- name: group.name
type: keyword
description: >
Name of the group.
- name: owner
type: group
fields:
- name: id
type: keyword
description: >
One or multiple unique identifiers of the user.
- name: name
type: keyword
example: albert
description: >
Short name or login of the user.
- name: group.id
type: keyword
description: >
Unique identifier for the group on the system/platform.
- name: group.name
type: keyword
description: >
Name of the group.
- name: saved
type: group
fields:
- name: id
type: keyword
description: >
One or multiple unique identifiers of the user.
- name: name
type: keyword
example: albert
description: >
Short name or login of the user.
- name: group.id
type: keyword
description: >
Unique identifier for the group on the system/platform.
- name: group.name
type: keyword
description: >
Name of the group.
- name: auditd
type: group
description: >
Fields from the auditd logs.
fields:
- name: log
type: group
description: >
Fields from the Linux audit log. Not all fields are documented here because
they are dynamic and vary by audit event type.
fields:
- name: old_auid
description: >
For login events this is the old audit ID used for the user prior to
this login.
- name: new_auid
description: >
For login events this is the new audit ID. The audit ID can be used to
trace future events to the user even if their identity changes (like
becoming root).
- name: old_ses
description: >
For login events this is the old session ID used for the user prior to
this login.
- name: new_ses
description: >
For login events this is the new session ID. It can be used to tie a
user to future events by session ID.
- name: sequence
type: long
description: >
The audit event sequence number.
- name: items
description: >
The number of items in an event.
- name: item
description: >
The item field indicates which item out of the total number of items.
This number is zero-based; a value of 0 means it is the first item.
- name: tty
type: keyword
description: >
TTY device the user is running programs on.
- name: a0
description: >
The first argument to the system call.
- name: addr
type: ip
description: >
Remote address that the user is connecting from.
- name: rport
type: long
description: >
Remote port number.
- name: laddr
type: ip
description: >
Local network address.
- name: lport
type: long
description: >
Local port number.
- name: acct
type: alias
path: user.name
migration: true
- name: pid
type: alias
path: process.pid
migration: true
- name: ppid
type: alias
path: process.parent.pid
migration: true
- name: res
type: alias
path: event.outcome
migration: true
- name: record_type
type: alias
path: event.action
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
# Fields below were not defined in 6.x but were still being populated.
- name: arch
type: alias
path: host.architecture
migration: true
- name: gid
type: alias
path: user.group.id
migration: true
- name: uid
type: alias
path: user.id
migration: true
- name: agid
type: alias
path: user.audit.group.id
migration: true
- name: auid
type: alias
path: user.audit.id
migration: true
- name: fsgid
type: alias
path: user.filesystem.group.id
migration: true
- name: fsuid
type: alias
path: user.filesystem.id
migration: true
- name: egid
type: alias
path: user.effective.group.id
migration: true
- name: euid
type: alias
path: user.effective.id
migration: true
- name: sgid
type: alias
path: user.saved.group.id
migration: true
- name: suid
type: alias
path: user.saved.id
migration: true
- name: ogid
type: alias
path: user.owner.group.id
migration: true
- name: ouid
type: alias
path: user.owner.id
migration: true
- name: comm
type: alias
path: process.name
migration: true
- name: exe
type: alias
path: process.executable
migration: true
- name: terminal
type: alias
path: user.terminal
migration: true
- name: msg
type: alias
path: message
migration: true
- name: src
type: alias
path: source.address
migration: true
- name: dst
type: alias
path: destination.address
migration: true
- key: elasticsearch
title: "Elasticsearch"
release: ga
description: >
elasticsearch Module
fields:
- name: elasticsearch
type: group
description: >
fields:
- name: component
description: "Elasticsearch component from where the log event originated"
example: "o.e.c.m.MetaDataCreateIndexService"
type: keyword
- name: cluster.uuid
description: "UUID of the cluster"
example: "GmvrbHlNTiSVYiPf8kxg9g"
type: keyword
- name: cluster.name
description: "Name of the cluster"
example: "docker-cluster"
type: keyword
- name: node.id
description: "ID of the node"
example: "DSiWcTyeThWtUXLB9J0BMw"
type: keyword
- name: node.name
description: "Name of the node"
example: "vWNJsZ3"
type: keyword
- name: index.name
description: "Index name"
example: "filebeat-test-input"
type: keyword
- name: index.id
description: "Index id"
example: "aOGgDwbURfCV57AScqbCgw"
type: keyword
- name: shard.id
description: "Id of the shard"
example: "0"
type: keyword
- name: elastic_product_origin
type: keyword
description: "Used by Elastic stack to identify which component of the stack sent the request"
example: "kibana"
- name: http.request.x_opaque_id
description: "Used by Elasticsearch to throttle and deduplicate deprecation warnings"
example: "v7app"
type: keyword
- name: event.category
description: "Category of the deprecation event"
example: "compatible_api"
type: keyword
- name: audit
type: group
fields:
- name: layer
description: "The layer from which this event originated: rest, transport or ip_filter"
example: "rest"
type: keyword
- name: event_type
description: "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied"
example: "access_granted"
type: keyword
- name: origin.type
description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)"
example: "local_node"
type: keyword
- name: realm
description: "The authentication realm the authentication was validated against"
example: "default_file"
type: keyword
- name: user.realm
description: "The user's authentication realm, if authenticated"
example: "active_directory"
type: keyword
- name: user.roles
description: "Roles to which the principal belongs"
example: [ "kibana_admin", "beats_admin" ]
type: keyword
- name: user.run_as.name
type: keyword
- name: user.run_as.realm
type: keyword
- name: component
type: keyword
- name: action
description: "The name of the action that was executed"
example: "cluster:monitor/main"
type: keyword
- name: url.params
description: "REST URI parameters"
example: "{username=jacknich2}"
- name: indices
description: "Indices accessed by action"
example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
type: keyword
- name: request.id
description: "Unique ID of request"
example: "WzL_kb6VSvOhAq0twPvHOQ"
type: keyword
- name: request.name
description: "The type of request that was executed"
example: "ClearScrollRequest"
type: keyword
- name: request_body
type: alias
path: http.request.body.content
migration: true
- name: origin_address
type: alias
path: source.ip
migration: true
- name: uri
type: alias
path: url.original
migration: true
- name: principal
type: alias
path: user.name
migration: true
- name: message
type: text
- name: invalidate.apikeys.owned_by_authenticated_user
type: boolean
- name: authentication.type
type: keyword
- name: opaque_id
type: text
- name: deprecation
type: group
description: >
fields:
- name: gc
type: group
description: >
GC fileset fields.
fields:
- name: phase
type: group
description: >
Fields specific to GC phase.
fields:
- name: name
type: keyword
description: >
Name of the GC collection phase.
- name: duration_sec
type: float
description: >
Collection phase duration according to the Java virtual machine.
- name: scrub_symbol_table_time_sec
type: float
description: >
Pause time in seconds cleaning up symbol tables.
- name: scrub_string_table_time_sec
type: float
description: >
Pause time in seconds cleaning up string tables.
- name: weak_refs_processing_time_sec
type: float
description: >
Time spent processing weak references in seconds.
- name: parallel_rescan_time_sec
type: float
description: >
Time spent in seconds marking live objects while application is stopped.
- name: class_unload_time_sec
type: float
description: >
Time spent unloading unused classes in seconds.
- name: cpu_time
type: group
description: >
Process CPU time spent performing collections.
fields:
- name: user_sec
type: float
description: >
CPU time spent outside the kernel.
- name: sys_sec
type: float
description: >
CPU time spent inside the kernel.
- name: real_sec
type: float
description: >
Total elapsed CPU time spent to complete the collection from start to finish.
- name: jvm_runtime_sec
type: float
description: >
The time from JVM start up in seconds, as a floating point number.
- name: threads_total_stop_time_sec
type: float
description: >
Total time in seconds that garbage collection threads were stopped.
- name: stopping_threads_time_sec
type: float
description: >
Time taken to stop threads, in seconds.
- name: tags
type: keyword
description: >
GC logging tags.
- name: heap
type: group
description: >
Heap allocation and total size.
fields:
- name: size_kb
type: integer
description: >
Total heap size in kilobytes.
- name: used_kb
type: integer
description: >
Used heap in kilobytes.
- name: old_gen
type: group
description: >
Old generation occupancy and total size.
fields:
- name: size_kb
type: integer
description: >
Total size of old generation in kilobytes.
- name: used_kb
type: integer
description: >
Old generation occupancy in kilobytes.
- name: young_gen
type: group
description: >
Young generation occupancy and total size.
fields:
- name: size_kb
type: integer
description: >
Total size of young generation in kilobytes.
- name: used_kb
type: integer
description: >
Young generation occupancy in kilobytes.
- name: server
description: "Server log file"
type: group
fields:
- name: stacktrace
description: "Stack trace in case of errors"
index: false
- name: gc
description: "GC log"
type: group
fields:
- name: young
description: "Young GC"
example: ""
type: group
fields:
- name: one
description: ""
example: ""
type: long
- name: two
description: ""
example: ""
type: long
- name: overhead_seq
description: "Sequence number"
example: 3449992
type: long
- name: collection_duration.ms
description: "Time spent in GC, in milliseconds"
example: 1600
type: float
- name: observation_duration.ms
description: "Total time over which collection was observed, in milliseconds"
example: 1800
type: float
- name: slowlog
description: "Slowlog events from Elasticsearch"
example: "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],"
type: group
fields:
- name: logger
description: "Logger name"
example: "index.search.slowlog.fetch"
type: keyword
- name: took
description: "Time it took to execute the query"
example: "300ms"
type: keyword
- name: types
description: "Types"
example: ""
type: keyword
- name: stats
description: "Stats groups"
example: "group1"
type: keyword
- name: search_type
description: "Search type"
example: "QUERY_THEN_FETCH"
type: keyword
- name: source_query
description: "Slow query"
example: "{\"query\":{\"match_all\":{\"boost\":1.0}}}"
type: keyword
- name: extra_source
description: "Extra source information"
example: ""
type: keyword
- name: total_hits
description: "Total hits"
example: 42
type: keyword
- name: total_shards
description: "Total queried shards"
example: 22
type: keyword
- name: routing
description: "Routing"
example: "s01HZ2QBk9jw4gtgaFtn"
type: keyword
- name: id
description: Id
example: ""
type: keyword
- name: type
description: "Type"
example: "doc"
type: keyword
- name: source
description: Source of document that was indexed
type: keyword
- key: haproxy
title: "HAProxy"
description: >
haproxy Module
fields:
- name: haproxy
type: group
description: >
fields:
- name: frontend_name
description: Name of the frontend (or listener) which received and processed the connection.
- name: backend_name
description: Name of the backend (or listener) which was selected to manage the connection to the server.
- name: server_name
description: Name of the last server to which the connection was sent.
- name: total_waiting_time_ms
description: Total time in milliseconds spent waiting in the various queues
type: long
- name: connection_wait_time_ms
description: Total time in milliseconds spent waiting for the connection to establish to the final server
type: long
- name: bytes_read
description: Total number of bytes transmitted to the client when the log is emitted.
type: long
- name: time_queue
description: Total time in milliseconds spent waiting in the various queues.
type: long
- name: time_backend_connect
description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
type: long
- name: server_queue
description: Total number of requests which were processed before this one in the server queue.
type: long
- name: backend_queue
description: Total number of requests which were processed before this one in the backend's global queue.
type: long
- name: bind_name
description: Name of the listening address which received the connection.
- name: error_message
description: Error message logged by HAProxy in case of error.
type: text
- name: source
type: keyword
description: The HAProxy source of the log
- name: termination_state
description: Condition the session was in when the session ended.
- name: mode
type: keyword
description: Mode in which the frontend is operating (TCP or HTTP).
- name: connections
description: Contains various counts of connections active in the process.
type: group
fields:
- name: active
description: Total number of concurrent connections on the process when the session was logged.
type: long
- name: frontend
description: Total number of concurrent connections on the frontend when the session was logged.
type: long
- name: backend
description: Total number of concurrent connections handled by the backend when the session was logged.
type: long
- name: server
description: Total number of concurrent connections still active on the server when the session was logged.
type: long
- name: retries
description: Number of connection retries experienced by this session when trying to connect to the server.
type: long
- name: client
description: Information about the client doing the request
type: group
fields:
- name: ip
type: alias
path: source.address
migration: true
- name: port
type: alias
path: source.port
migration: true
- name: process_name
type: alias
path: process.name
migration: true
- name: pid
type: alias
path: process.pid
migration: true
- name: destination
description: Destination information
type: group
fields:
- name: port
type: alias
path: destination.port
migration: true
- name: ip
type: alias
path: destination.ip
migration: true
- name: geoip
type: group
description: >
Contains GeoIP information gathered based on the client.ip field.
Only present if the GeoIP Elasticsearch plugin is available and
used.
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- name: http
description: Please add description
type: group
fields:
- name: response
description: Fields related to the HTTP response
type: group
fields:
- name: captured_cookie
description: >
Optional "name=value" entry indicating that the client had this cookie in the response.
- name: captured_headers
description: >
List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
type: keyword
- name: status_code
type: alias
path: http.response.status_code
migration: true
- name: request
description: Fields related to the HTTP request
type: group
fields:
- name: captured_cookie
description: >
Optional "name=value" entry indicating that the server has returned a cookie with its request.
- name: captured_headers
description: >
List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
type: keyword
- name: raw_request_line
description: Complete HTTP request line, including the method, request and HTTP version string.
type: keyword
- name: time_wait_without_data_ms
description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
type: long
- name: time_wait_ms
description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
type: long
- name: tcp
description: TCP log format
type: group
fields:
- name: connection_waiting_time_ms
type: long
description: Total time in milliseconds elapsed between the accept and the last close
- key: icinga
title: "Icinga"
description: >
Icinga Module
fields:
- name: icinga
type: group
description: >
fields:
- name: debug
type: group
description: >
Contains fields for the Icinga debug logs.
fields:
- name: facility
type: keyword
description: >
Specifies what component of Icinga logged the message.
- name: severity
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- name: main
type: group
description: >
Contains fields for the Icinga main logs.
fields:
- name: facility
type: keyword
description: >
Specifies what component of Icinga logged the message.
- name: severity
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- name: startup
type: group
description: >
Contains fields for the Icinga startup logs.
fields:
- name: facility
type: keyword
description: >
Specifies what component of Icinga logged the message.
- name: severity
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- key: iis
title: "IIS"
description: >
Module for parsing IIS log files.
fields:
- name: iis
type: group
description: >
Fields from IIS log files.
fields:
- name: access
type: group
description: >
Contains fields for IIS access logs.
fields:
- name: sub_status
type: long
description: >
The HTTP substatus code.
- name: win32_status
type: long
description: >
The Windows status code.
- name: site_name
type: keyword
description: >
The site name and instance number.
- name: server_name
type: keyword
description: >
The name of the server on which the log file entry was generated.
- name: cookie
type: keyword
description: >
The content of the cookie sent or received, if any.
- name: body_received.bytes
type: alias
path: http.request.body.bytes
migration: true
- name: body_sent.bytes
type: alias
path: http.response.body.bytes
migration: true
- name: server_ip
type: alias
path: destination.address
migration: true
- name: method
type: alias
path: http.request.method
migration: true
- name: url
type: alias
path: url.path
migration: true
- name: query_string
type: alias
path: url.query
migration: true
- name: port
type: alias
path: destination.port
migration: true
- name: user_name
type: alias
path: user.name
migration: true
- name: remote_ip
type: alias
path: source.address
migration: true
- name: referrer
type: alias
path: http.request.referrer
migration: true
- name: response_code
type: alias
path: http.response.status_code
migration: true
- name: http_version
type: alias
path: http.version
migration: true
- name: hostname
type: alias
path: host.hostname
migration: true
- name: user_agent
type: group
fields:
- name: device
type: alias
path: user_agent.device.name
migration: true
- name: name
type: alias
path: user_agent.name
migration: true
- name: os
type: alias
path: user_agent.os.full_name
migration: true
- name: os_name
type: alias
path: user_agent.os.name
migration: true
- name: original
type: alias
path: user_agent.original
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- name: error
type: group
description: >
Contains fields for IIS error logs.
fields:
- name: reason_phrase
type: keyword
description: >
The HTTP reason phrase.
- name: queue_name
type: keyword
description: >
The IIS application pool name.
- name: remote_ip
type: alias
path: source.address
migration: true
- name: remote_port
type: alias
path: source.port
migration: true
- name: server_ip
type: alias
path: destination.address
migration: true
- name: server_port
type: alias
path: destination.port
migration: true
- name: http_version
type: alias
path: http.version
migration: true
- name: method
type: alias
path: http.request.method
migration: true
- name: url
type: alias
path: url.original
migration: true
- name: response_code
type: alias
path: http.response.status_code
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- key: kafka
title: "Kafka"
description: >
Kafka module
fields:
- name: kafka
type: group
description: >
fields:
- name: log
type: group
description: >
Kafka log lines.
fields:
- name: component
type: keyword
description: >
Component the log is coming from.
- name: class
type: keyword
description: >
Java class the log is coming from.
- name: thread
type: keyword
description: >
Thread name the log is coming from.
- name: trace
type: group
description: >
Trace in the log line.
fields:
- name: class
type: keyword
description: >
Java class the trace is coming from.
- name: message
type: text
description: >
Message part of the trace.
- key: kibana
title: "kibana"
release: ga
description: >
kibana Module
fields:
- name: service.node.roles
type: keyword
- name: kibana
type: group
description: >
Module for parsing Kibana logs.
fields:
- name: session_id
description: The ID of the user session associated with this event. Each login attempt results in a unique session id.
example: "123e4567-e89b-12d3-a456-426614174000"
type: keyword
- name: space_id
description: "The id of the space associated with this event."
example: "default"
type: keyword
- name: saved_object.type
description: "The type of the saved object associated with this event."
example: "dashboard"
type: keyword
- name: saved_object.id
description: "The id of the saved object associated with this event."
example: "6295bdd0-0a0e-11e7-825f-6748cda7d858"
type: keyword
- name: add_to_spaces
description: "The set of space ids that a saved object was shared to."
example: "['default', 'marketing']"
type: keyword
- name: delete_from_spaces
description: "The set of space ids that a saved object was removed from."
example: "['default', 'marketing']"
type: keyword
- name: authentication_provider
description: "The authentication provider associated with a login event."
example: "basic1"
type: keyword
- name: authentication_type
description: "The authentication provider type associated with a login event."
example: "basic"
type: keyword
- name: authentication_realm
description: "The Elasticsearch authentication realm name which fulfilled a login event."
example: "native"
type: keyword
- name: lookup_realm
description: "The Elasticsearch lookup realm which fulfilled a login event."
example: "native"
type: keyword
- name: log
type: group
description: >
Kibana log lines.
fields:
- name: tags
type: keyword
description: >
Kibana logging tags.
- name: state
type: keyword
description: >
Current state of Kibana.
- name: meta
type: object
object_type: keyword
- name: meta.req.headers
type: flattened
- name: meta.res.headers
type: flattened
- key: logstash
title: "logstash"
release: ga
description: >
logstash Module
fields:
- name: logstash
type: group
description: >
fields:
- name: log
title: "Logstash"
type: group
description: >
Fields from the Logstash logs.
fields:
- name: module
type: keyword
description: >
The module or class where the event originates.
- name: thread
type: keyword
description: >
Information about the running thread where the log originates.
multi_fields:
- name: text
type: text
- name: log_event
type: object
description: >
key and value debugging information.
- name: log_event.action
type: keyword
- name: pipeline_id
type: keyword
example: main
description: >
The ID of the pipeline.
- name: message
type: alias
path: message
migration: true
- name: level
type: alias
path: log.level
migration: true
- name: slowlog
type: group
description: >
slowlog
fields:
- name: module
type: keyword
description: >
The module or class where the event originates.
- name: thread
type: keyword
description: >
Information about the running thread where the log originates.
multi_fields:
- name: text
type: text
- name: event
type: keyword
description: >
Raw dump of the original event
multi_fields:
- name: text
type: text
- name: plugin_name
type: keyword
description: >
Name of the plugin
- name: plugin_type
type: keyword
description: >
Type of the plugin: Inputs, Filters, Outputs or Codecs.
- name: took_in_millis
type: long
description: >
Execution time for the plugin in milliseconds.
- name: plugin_params
type: keyword
description: >
String value of the plugin configuration
multi_fields:
- name: text
type: text
- name: plugin_params_object
type: object
description: >
key -> value of the configuration used by the plugin.
- name: level
type: alias
path: log.level
migration: true
- name: took_in_nanos
type: alias
path: event.duration
migration: true
- key: mongodb
title: "mongodb"
description: >
Module for parsing MongoDB log files.
fields:
- name: mongodb
type: group
description: >
Fields from MongoDB logs.
fields:
- name: log
type: group
description: >
Contains fields from MongoDB logs.
fields:
- name: component
description: >
Functional categorization of the message.
example: COMMAND
type: keyword
- name: context
description: >
Context of the message.
example: initandlisten
type: keyword
- name: severity
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- name: id
description: >
Integer representing the unique identifier of the log statement
example: 4615611
type: long
- key: mysql
title: "MySQL"
description: >
Module for parsing the MySQL log files.
short_config: true
fields:
- name: mysql
type: group
description: >
Fields from the MySQL log files.
fields:
- name: thread_id
type: long
description: >
The connection or thread ID for the query.
- name: error
type: group
description: >
Contains fields from the MySQL error logs.
fields:
- name: thread_id
type: alias
path: mysql.thread_id
migration: true
- name: level
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- name: slowlog
type: group
description: >
Contains fields from the MySQL slow logs.
fields:
- name: lock_time.sec
type: float
description: >
The amount of time the query waited for the lock to be available. The
value is in seconds, as a floating point number.
- name: rows_sent
type: long
description: >
The number of rows returned by the query.
- name: rows_examined
type: long
description: >
The number of rows scanned by the query.
- name: rows_affected
type: long
description: >
The number of rows modified by the query.
- name: bytes_sent
type: long
format: bytes
description: >
The number of bytes sent to the client.
- name: bytes_received
type: long
format: bytes
description: >
The number of bytes received from the client.
- name: query
description: >
The slow query.
- name: id
type: alias
path: mysql.thread_id
migration: true
- name: schema
type: keyword
description: >
The schema where the slow query was executed.
- name: current_user
type: keyword
description: >
Current authenticated user, used to determine access privileges. Can differ from the value for user.
- name: last_errno
type: keyword
description: >
Last SQL error seen.
- name: killed
type: keyword
description: >
Code of the reason if the query was killed.
- name: query_cache_hit
type: boolean
description: >
Whether the query cache was hit.
- name: tmp_table
type: boolean
description: >
Whether a temporary table was used to resolve the query.
- name: tmp_table_on_disk
type: boolean
description: >
Whether the query needed temporary tables on disk.
- name: tmp_tables
type: long
description: >
Number of temporary tables created for this query
- name: tmp_disk_tables
type: long
description: >
Number of temporary tables created on disk for this query.
- name: tmp_table_sizes
type: long
format: bytes
description:
Size of temporary tables created for this query.
- name: filesort
type: boolean
description: >
Whether filesort optimization was used.
- name: filesort_on_disk
type: boolean
description: >
Whether filesort optimization was used and it needed temporary tables on disk.
- name: priority_queue
type: boolean
description: >
Whether a priority queue was used for filesort.
- name: full_scan
type: boolean
description: >
Whether a full table scan was needed for the slow query.
- name: full_join
type: boolean
description: >
Whether a full join was needed for the slow query (no indexes were used for joins).
- name: merge_passes
type: long
description: >
Number of merge passes executed for the query.
- name: sort_merge_passes
type: long
description: >
Number of merge passes that the sort algorithm has had to do.
- name: sort_range_count
type: long
description: >
Number of sorts that were done using ranges.
- name: sort_rows
type: long
description: >
Number of sorted rows.
- name: sort_scan_count
type: long
description: >
Number of sorts that were done by scanning the table.
- name: log_slow_rate_type
type: keyword
description: >
Type of slow log rate limit; it can be `session` if the rate limit
is applied per session, or `query` if it applies per query.
- name: log_slow_rate_limit
type: keyword
description: >
Slow log rate limit; a value of 100 means that one in a hundred queries
or sessions is being logged.
- name: read_first
type: long
description: >
The number of times the first entry in an index was read.
- name: read_last
type: long
description: >
The number of times the last key in an index was read.
- name: read_key
type: long
description: >
The number of requests to read a row based on a key.
- name: read_next
type: long
description: >
The number of requests to read the next row in key order.
- name: read_prev
type: long
description: >
The number of requests to read the previous row in key order.
- name: read_rnd
type: long
description: >
The number of requests to read a row based on a fixed position.
- name: read_rnd_next
type: long
description: >
The number of requests to read the next row in the data file.
# https://www.percona.com/doc/percona-server/5.7/diagnostics/slow_extended.html
- name: innodb
type: group
description: >
Contains fields relative to InnoDB engine
fields:
- name: trx_id
type: keyword
description: >
Transaction ID
- name: io_r_ops
type: long
description: >
Number of page read operations.
- name: io_r_bytes
type: long
format: bytes
description: >
Bytes read during page read operations.
- name: io_r_wait.sec
type: long
description: >
How long it took to read all needed data from storage.
- name: rec_lock_wait.sec
type: long
description: >
How long the query waited for locks.
- name: queue_wait.sec
type: long
description: >
How long the query waited to enter the InnoDB queue and to be executed once
in the queue.
- name: pages_distinct
type: long
description: >
Approximated count of pages accessed to execute the query.
- name: user
type: alias
path: user.name
migration: true
- name: host
type: alias
path: source.domain
migration: true
- name: ip
type: alias
path: source.ip
migration: true
- key: nats
title: "NATS"
description: >
Module for parsing NATS log files.
release: beta
fields:
- name: nats
type: group
description: >
Fields from NATS logs.
fields:
- name: log
type: group
description: >
Nats log files
release: beta
fields:
- name: client
type: group
description: >
Fields from NATS logs client.
fields:
- name: id
type: integer
description: >
The id of the client
- name: msg
type: group
description: >
Fields from NATS logs message.
fields:
- name: bytes
type: long
format: bytes
description: >
Size of the payload in bytes
- name: type
type: keyword
description: >
The protocol message type
- name: subject
type: keyword
description: >
Subject name this message was received on
- name: sid
type: integer
description: >
The unique alphanumeric subscription ID of the subject
- name: reply_to
type: keyword
description: >
The inbox subject on which the publisher is listening for responses
- name: max_messages
type: integer
description: >
An optional number of messages to wait for before automatically unsubscribing
- name: error.message
type: text
description: >
Details about the error that occurred.
- name: queue_group
type: text
description: >
The queue group which the subscriber will join.
- key: nginx
title: "Nginx"
description: >
Module for parsing the Nginx log files.
short_config: true
fields:
- name: nginx
type: group
description: >
Fields from the Nginx log files.
fields:
- name: access
type: group
description: >
Contains fields for the Nginx access logs.
fields:
- name: remote_ip_list
type: array
description: >
An array of remote IP addresses. It is a list because it is common to include, besides the client
IP address, IP addresses from headers like `X-Forwarded-For`.
Real source IP is restored to `source.ip`.
- name: body_sent.bytes
type: alias
path: http.response.body.bytes
migration: true
- name: user_name
type: alias
path: user.name
migration: true
- name: method
type: alias
path: http.request.method
migration: true
- name: url
type: alias
path: url.original
migration: true
- name: http_version
type: alias
path: http.version
migration: true
- name: response_code
type: alias
path: http.response.status_code
migration: true
- name: referrer
type: alias
path: http.request.referrer
migration: true
- name: agent
type: alias
path: user_agent.original
migration: true
- name: user_agent
type: group
fields:
- name: device
type: alias
path: user_agent.device.name
migration: true
- name: name
type: alias
path: user_agent.name
migration: true
- name: os
type: alias
path: user_agent.os.full_name
migration: true
- name: os_name
type: alias
path: user_agent.os.name
migration: true
- name: original
type: alias
path: user_agent.original
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- name: error
type: group
description: >
Contains fields for the Nginx error logs.
fields:
- name: connection_id
type: long
description: >
Connection identifier.
- name: level
type: alias
path: log.level
migration: true
- name: pid
type: alias
path: process.pid
migration: true
- name: tid
type: alias
path: process.thread.id
migration: true
- name: message
type: alias
path: message
migration: true
- name: ingress_controller
type: group
description: >
Contains fields for the Ingress Nginx controller access logs.
fields:
- name: remote_ip_list
type: array
description: >
An array of remote IP addresses. It is a list because it is common to include, besides the client
IP address, IP addresses from headers like `X-Forwarded-For`.
Real source IP is restored to `source.ip`.
# ingress-controller specific fields
- name: upstream_address_list
type: keyword
description: >
An array of the upstream addresses. It is a list because it is common that several upstream servers
were contacted during request processing.
- name: upstream.response.length_list
type: keyword
description: >
An array of upstream response lengths. It is a list because it is common that several upstream servers
were contacted during request processing.
- name: upstream.response.time_list
type: keyword
description: >
An array of upstream response durations. It is a list because it is common that several upstream servers
were contacted during request processing.
- name: upstream.response.status_code_list
type: keyword
description: >
An array of upstream response status codes. It is a list because it is common that several upstream servers
were contacted during request processing.
- name: http.request.length
type: long
format: bytes
description: >
The request length (including request line, header, and request body)
- name: http.request.time
type: double
format: duration
description: >
Time elapsed since the first bytes were read from the client
- name: upstream.name
type: keyword
description: >
The name of the upstream.
- name: upstream.alternative_name
type: keyword
description: >
The name of the alternative upstream.
- name: upstream.response.length
type: long
format: bytes
description: >
The length of the response obtained from the upstream server. If several servers were contacted during request processing,
the summary of the multiple response lengths is stored.
- name: upstream.response.time
type: double
format: duration
description: >
The time spent on receiving the response from the upstream as seconds with millisecond resolution.
If several servers were contacted during request processing, the summary of the multiple response times is stored.
- name: upstream.response.status_code
type: long
description: >
The status code of the response obtained from the upstream server. If several servers were contacted during
request processing, only the status code of the response from the last one is stored in this field.
- name: upstream.ip
type: ip
description: >
The IP address of the upstream server. If several servers were contacted during request processing,
only the last one is stored in this field.
- name: upstream.port
type: long
description: >
The port of the upstream server. If several servers were contacted during request processing,
only the last one is stored in this field.
- name: http.request.id
type: keyword
description: >
The randomly generated ID of the request
- name: body_sent.bytes
type: alias
path: http.response.body.bytes
migration: true
- name: user_name
type: alias
path: user.name
migration: true
- name: method
type: alias
path: http.request.method
migration: true
- name: url
type: alias
path: url.original
migration: true
- name: http_version
type: alias
path: http.version
migration: true
- name: response_code
type: alias
path: http.response.status_code
migration: true
- name: referrer
type: alias
path: http.request.referrer
migration: true
- name: agent
type: alias
path: user_agent.original
migration: true
- name: user_agent
type: group
fields:
- name: device
type: alias
path: user_agent.device.name
migration: true
- name: name
type: alias
path: user_agent.name
migration: true
- name: os
type: alias
path: user_agent.os.full_name
migration: true
- name: os_name
type: alias
path: user_agent.os.name
migration: true
- name: original
type: alias
path: user_agent.original
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- key: osquery
title: "Osquery"
description: >
Fields exported by the `osquery` module
fields:
- name: osquery
type: group
description: >
fields:
- name: result
type: group
description: >
Common fields exported by the result metricset.
fields:
- name: name
type: keyword
description: >
The name of the query that generated this event.
- name: action
type: keyword
description: >
For incremental data, marks whether the entry was added
or removed. It can be one of "added", "removed", or "snapshot".
- name: host_identifier
type: keyword
description: >
The identifier for the host on which the osquery agent is running.
Normally the hostname.
- name: unix_time
type: long
description: >
Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.
- name: calendar_time
type: keyword
description: >
String representation of the collection time, as formatted by osquery.
- key: pensando
title: Pensando
description: >
pensando Module
fields:
- name: pensando
type: group
description: >
Fields from Pensando logs.
fields:
- name: dfw
type: group
release: beta
description: >
Fields for Pensando DFW
fields:
- name: action
type: keyword
description: >
Action on the flow.
- name: app_id
type: integer
description: >
Application ID
- name: destination_address
type: keyword
description: >
Address of destination.
- name: destination_port
type: integer
description: >
Port of destination.
- name: direction
type: keyword
description: >
Direction of the flow
- name: protocol
type: keyword
description: >
Protocol of the flow
- name: rule_id
type: keyword
description: >
Rule ID that was matched.
- name: session_id
type: integer
description: >
Session ID of the flow
- name: session_state
type: keyword
description: >
Session state of the flow.
- name: source_address
type: keyword
description: >
Source address of the flow.
- name: source_port
type: integer
description: >
Source port of the flow.
- name: timestamp
type: date
description: >
Timestamp of the log.
- key: postgresql
title: "PostgreSQL"
description: >
Module for parsing the PostgreSQL log files.
short_config: true
fields:
- name: postgresql
type: group
description: >
Fields from PostgreSQL logs.
fields:
- name: log
type: group
description: >
Fields from the PostgreSQL log files.
fields:
- name: timestamp
deprecated: 7.3.0
description: >
The timestamp from the log line.
- name: core_id
type: alias
path: postgresql.log.session_line_number
description: >
Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number).
deprecated: 8.0.0
- name: client_addr
example: "127.0.0.1"
description: >
Host where the connection originated from.
- name: client_port
example: "59700"
description: >
Port where the connection originated from.
- name: session_id
description: >
PostgreSQL session.
example: "5ff1dd98.22"
- name: session_line_number
type: long
description: >
Line number inside a session. (%l in `log_line_prefix`).
- name: database
example: "postgres"
description: >
Name of the database.
- name: query
example: "SELECT * FROM users;"
description: >
Query statement. In the case of CSV parse, look at command_tag to get more context.
- name: query_step
example: "parse"
description: >
Statement step when using extended query protocol (one of statement, parse, bind or execute).
- name: query_name
example: "pdo_stmt_00000001"
description: >
Name given to a query when using extended query protocol. If it is "<unnamed>", or not present,
this field is ignored.
- name: command_tag
example: "SELECT"
description: >
Type of session's current command.
The complete list can be found at: src/include/tcop/cmdtaglist.h
- name: session_start_time
type: date
description: >
Time when this session started.
- name: virtual_transaction_id
description: >
Backend local transaction id.
- name: transaction_id
type: long
description: >
The id of current transaction.
- name: sql_state_code
# This code is not a number.
type: keyword
description: >
State code returned by Postgres (if any).
See also https://www.postgresql.org/docs/current/errcodes-appendix.html
- name: detail
description: >
More information about the message, parameters in case of a parametrized query.
e.g. 'Role \"user\" does not exist.', 'parameters: $1 = 42', etc.
- name: hint
description: >
A possible solution to solve an error.
- name: internal_query
description: >
Internal query that led to the error (if any).
- name: internal_query_pos
type: long
description: >
Character count of the internal query (if any).
- name: context
description: >
Error context.
- name: query_pos
type: long
description: >
Character count of the error position (if any).
- name: location
description: >
Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose).
- name: application_name
description: >
Name of the application of this event. It is defined by the client.
- name: backend_type
example: "client backend"
description: >
Type of backend of this event.
Possible types are autovacuum launcher, autovacuum worker, logical replication launcher,
logical replication worker, parallel worker, background writer, client backend, checkpointer,
startup, walreceiver, walsender and walwriter.
In addition, background workers registered by extensions may have additional types.
- name: error.code
type: alias
path: postgresql.log.sql_state_code
description: >
Error code returned by Postgres (if any).
Deprecated: errors can have letters. Use sql_state_code instead.
deprecated: 8.0.0
- name: timezone
type: alias
path: event.timezone
migration: true
- name: user
type: alias
path: user.name
migration: true
- name: level
type: alias
example: "LOG"
description: >
Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC.
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- key: redis
title: "Redis"
description: >
Redis Module
fields:
- name: redis
type: group
description: >
fields:
- name: log
type: group
description: >
Redis log files
fields:
- name: role
type: keyword
description: >
The role of the Redis instance. Can be one of `master`, `slave`, `child` (for the RDB/AOF writing child),
or `sentinel`.
- name: pid
type: alias
path: process.pid
migration: true
- name: level
type: alias
path: log.level
migration: true
- name: message
type: alias
path: message
migration: true
- name: slowlog
type: group
description: >
Slow logs are retrieved from Redis via a network connection.
fields:
- name: cmd
type: keyword
description: >
The command executed.
- name: duration.us
type: long
description: >
How long it took to execute the command in microseconds.
- name: id
type: long
description: >
The ID of the query.
- name: key
type: keyword
description: >
The key on which the command was executed.
- name: args
type: keyword
description: >
The arguments with which the command was called.
- key: santa
title: "Google Santa"
description: >
Santa Module
fields:
- name: santa
type: group
description: >
fields:
- name: action
type: keyword
example: EXEC
description: Action
- name: decision
type: keyword
example: ALLOW
description: Decision that santad took.
- name: reason
type: keyword
example: CERT
description: Reason for the decision.
- name: mode
type: keyword
example: M
description: Operating mode of Santa.
- name: disk
type: group
description: Fields for DISKAPPEAR actions.
fields:
- name: volume
description: The volume name.
- name: bus
description: The disk bus protocol.
- name: serial
description: The disk serial number.
- name: bsdname
example: disk1s3
description: The disk BSD name.
- name: model
example: APPLE SSD SM0512L
description: The disk model.
- name: fs
example: apfs
description: The disk volume kind (filesystem type).
- name: mount
description: The disk volume path.
- name: certificate.common_name
type: keyword
description: Common name from code signing certificate.
- name: certificate.sha256
type: keyword
description: SHA256 hash of code signing certificate.
- key: system
title: "System"
description: >
Module for parsing system log files.
short_config: true
fields:
- name: system
type: group
description: >
Fields from the system log files.
fields:
- name: auth
type: group
description: >
Fields from the Linux authorization logs.
fields:
- name: timestamp
type: alias
path: '@timestamp'
migration: true
- name: hostname
type: alias
path: host.hostname
migration: true
- name: program
type: alias
path: process.name
migration: true
- name: pid
type: alias
path: process.pid
migration: true
- name: message
type: alias
path: message
migration: true
- name: user
type: alias
path: user.name
migration: true
- name: ssh
type: group
fields:
- name: method
description: >
The SSH authentication method. Can be one of "password" or "publickey".
- name: signature
description: >
The signature of the client public key.
- name: dropped_ip
type: ip
description: >
The client IP from SSH connections that are open and immediately dropped.
- name: event
example: Accepted
description: >
The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- name: ip
type: alias
path: source.ip
migration: true
- name: port
type: alias
path: source.port
migration: true
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
migration: true
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
migration: true
- name: location
type: alias
path: source.geo.location
migration: true
- name: region_name
type: alias
path: source.geo.region_name
migration: true
- name: city_name
type: alias
path: source.geo.city_name
migration: true
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
migration: true
- name: sudo
type: group
description: >
Fields specific to events created by the `sudo` command.
fields:
- name: error
example: user NOT in sudoers
description: >
The error message in case the sudo command failed.
- name: tty
description: >
The TTY where the sudo command is executed.
- name: pwd
description: >
The current directory where the sudo command is executed.
- name: user
example: root
description: >
The target user to which the sudo command is switching.
- name: command
description: >
The command executed via sudo.
- name: useradd
type: group
description: >
Fields specific to events created by the `useradd` command.
fields:
- name: home
description:
The home folder for the new user.
- name: shell
description:
The default shell for the new user.
- name: name
type: alias
path: user.name
migration: true
- name: uid
type: alias
path: user.id
migration: true
- name: gid
type: alias
path: group.id
migration: true
- name: groupadd
type: group
description: >
Fields specific to events created by the `groupadd` command.
fields:
- name: name
type: alias
path: group.name
migration: true
- name: gid
type: alias
path: group.id
migration: true
- name: syslog
type: group
description: >
Contains fields from the syslog system logs.
fields:
- name: timestamp
type: alias
path: '@timestamp'
migration: true
- name: hostname
type: alias
path: host.hostname
migration: true
- name: program
type: alias
path: process.name
migration: true
- name: pid
type: alias
path: process.pid
migration: true
- name: message
type: alias
path: message
migration: true
- key: traefik
title: "Traefik"
description: >
Module for parsing the Traefik log files.
fields:
- name: traefik
type: group
description: >
Fields from the Traefik log files.
fields:
- name: access
type: group
description: >
Contains fields for the Traefik access logs.
fields:
- name: user_identifier
type: keyword
description: >
The RFC 1413 identity of the client.
- name: request_count
type: long
description: >
The number of requests
- name: frontend_name
type: keyword
description: >
The name of the frontend used
- name: backend_url
type: keyword
description:
The URL of the backend to which the request is forwarded.
- name: body_sent.bytes
type: alias
path: http.response.body.bytes
migration: true
- name: remote_ip
type: alias
path: source.address
migration: true
- name: user_name
type: alias
path: user.name
migration: true
- name: method
type: alias
path: http.request.method
migration: true
- name: url
type: alias
path: url.original
migration: true
- name: http_version
type: alias
path: http.version
migration: true
- name: response_code
type: alias
path: http.response.status_code
migration: true
- name: referrer
type: alias
path: http.request.referrer
migration: true
- name: agent
type: alias
path: user_agent.original
migration: true
- name: user_agent
type: group
fields:
- name: name
type: alias
path: user_agent.name
- name: os
type: alias
path: user_agent.os.full_name
- name: os_name
type: alias
path: user_agent.os.name
- name: original
type: alias
path: user_agent.original
- name: geoip
type: group
fields:
- name: continent_name
type: alias
path: source.geo.continent_name
- name: country_iso_code
type: alias
path: source.geo.country_iso_code
- name: location
type: alias
path: source.geo.location
- name: region_name
type: alias
path: source.geo.region_name
- name: city_name
type: alias
path: source.geo.city_name
- name: region_iso_code
type: alias
path: source.geo.region_iso_code
- key: activemq
title: "ActiveMQ"
release: ga
description: >
Module for parsing ActiveMQ log files.
fields:
- name: activemq
type: group
description: >
fields:
- name: caller
type: keyword
description: >
Name of the caller issuing the logging request (class or resource).
- name: thread
type: keyword
description: >
Thread that generated the logging event.
- name: user
type: keyword
description: >
User that generated the logging event.
- name: audit
type: group
description: >
Fields from ActiveMQ audit logs.
fields:
- name: log
type: group
description: >
Fields from ActiveMQ application logs.
fields:
- name: stack_trace
type: keyword
- key: aws
title: AWS
release: ga
description: >
Module for handling logs from AWS.
fields:
- name: aws
type: group
description: >
Fields from AWS logs.
fields:
- name: cloudtrail
type: group
release: ga
description: >
Fields for AWS CloudTrail logs.
fields:
- name: event_version
type: keyword
description: >
The CloudTrail version of the log event format.
- name: user_identity
type: group
description: >-
The userIdentity element contains details about the type of
IAM identity that made the request, and which credentials were
used. If temporary credentials were used, the element shows how the
credentials were obtained.
fields:
- name: type
type: keyword
description: >
The type of the identity
- name: arn
type: keyword
description: >-
The Amazon Resource Name (ARN) of the principal that made the call.
- name: access_key_id
type: keyword
description: >-
The access key ID that was used to sign the request.
- name: session_context
type: group
description: >-
If the request was made with temporary security
credentials, an element that provides information about the session
that was created for those credentials.
fields:
- name: mfa_authenticated
type: keyword
description: >-
The value is true if the root user or IAM user whose
credentials were used for the request also was authenticated with an
MFA device; otherwise, false.
- name: creation_date
type: date
description: >-
The date and time when the temporary security credentials were issued.
- name: session_issuer
type: group
description: >-
If the request was made with temporary security
credentials, an element that provides information about
how the credentials were obtained.
fields:
- name: type
type: keyword
description: >-
The source of the temporary security credentials, such
as Root, IAMUser, or Role.
- name: principal_id
type: keyword
description: >-
The internal ID of the entity that was used to get
credentials.
- name: arn
type: keyword
description: >-
The ARN of the source (account, IAM user, or role)
that was used to get temporary security credentials.
- name: account_id
type: keyword
description: >-
The account that owns the entity that was used to get
credentials.
- name: invoked_by
type: keyword
description: >-
The name of the AWS service that made the request, such as
Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.
- name: error_code
type: keyword
description: >-
The AWS service error if the request returns an error.
- name: error_message
type: keyword
description: >-
If the request returns an error, the description of the error.
- name: request_parameters
type: keyword
description: >-
The parameters, if any, that were sent with the request.
multi_fields:
- name: text
type: text
- name: response_elements
type: keyword
description: >-
The response element for actions that make changes (create,
update, or delete actions).
multi_fields:
- name: text
type: text
- name: additional_eventdata
type: keyword
description: >-
Additional data about the event that was not part of the
request or response.
multi_fields:
- name: text
type: text
- name: request_id
type: keyword
description: >-
The value that identifies the request. The service being
called generates this value.
- name: event_type
type: keyword
description: >-
Identifies the type of event that generated the event record.
- name: api_version
type: keyword
description: >-
Identifies the API version associated with the AwsApiCall
eventType value.
- name: management_event
type: keyword
description: >-
A Boolean value that identifies whether the event is a
management event.
- name: read_only
type: keyword
description: >-
Identifies whether this operation is a read-only operation.
- name: resources
type: group
description: >-
A list of resources accessed in the event.
fields:
- name: arn
type: keyword
description: >-
Resource ARNs
- name: account_id
type: keyword
description: >-
Account ID of the resource owner
- name: type
type: keyword
description: >-
Resource type identifier in the format: AWS::aws-service-name::data-type-name
- name: recipient_account_id
type: keyword
description: >-
Represents the account ID that received this event.
- name: service_event_details
type: keyword
description: >-
Identifies the service event, including what triggered the
event and the result.
multi_fields:
- name: text
type: text
- name: shared_event_id
type: keyword
description: >-
GUID generated by CloudTrail to uniquely identify CloudTrail
events from the same AWS action that is sent to different AWS
accounts.
- name: vpc_endpoint_id
type: keyword
description: >-
Identifies the VPC endpoint in which requests were made from a
VPC to another AWS service, such as Amazon S3.
- name: event_category
type: keyword
description: |-
Shows the event category that is used in LookupEvents calls.
- For management events, the value is management.
- For data events, the value is data.
- For Insights events, the value is insight.
- name: console_login
type: group
description: >-
Fields specific to ConsoleLogin events
fields:
- name: additional_eventdata
type: group
description: >
Additional Event Data for ConsoleLogin events
fields:
- name: mobile_version
type: boolean
description: >-
Identifies whether the ConsoleLogin was from the mobile version.
- name: login_to
type: keyword
description: >-
URL for ConsoleLogin
- name: mfa_used
type: boolean
description: >-
Identifies whether multi-factor authentication was
used during ConsoleLogin.
- name: flattened
type: group
description: >-
ES flattened datatype for objects where the subfields aren't known in advance.
fields:
- name: additional_eventdata
type: flattened
description: >
Additional data about the event that was not part of the
request or response.
- name: request_parameters
type: flattened
description: >-
The parameters, if any, that were sent with the request.
- name: response_elements
type: flattened
description: >-
The response element for actions that make changes (create,
update, or delete actions).
- name: service_event_details
type: flattened
description: >-
Identifies the service event, including what triggered the
event and the result.
- name: digest
type: group
description: >-
Fields from CloudTrail digest logs.
fields:
- name: log_files
type: nested
description: >-
A list of log files contained in the digest.
- name: start_time
type: date
description: >-
The starting UTC time range that the digest file covers,
taking as a reference the time in which log files have
been delivered by CloudTrail.
- name: end_time
type: date
description: >-
The ending UTC time range that the digest file covers,
taking as a reference the time in which log files have
been delivered by CloudTrail.
- name: s3_bucket
type: keyword
description: >-
The name of the Amazon S3 bucket to which the current
digest file has been delivered.
- name: s3_object
type: keyword
description: >-
The Amazon S3 object key (that is, the Amazon S3 bucket
location) of the current digest file.
- name: newest_event_time
type: date
description: >-
The UTC time of the most recent event among all of the
events in the log files in the digest.
- name: oldest_event_time
type: date
description: >-
The UTC time of the oldest event among all of the events
in the log files in the digest.
- name: previous_s3_bucket
type: keyword
description: >-
The Amazon S3 bucket to which the previous digest file was
delivered.
- name: previous_hash_algorithm
type: keyword
description: >-
The name of the hash algorithm that was used to hash the
previous digest file.
- name: public_key_fingerprint
type: keyword
description: >-
The hexadecimal encoded fingerprint of the public key that
matches the private key used to sign this digest file.
- name: signature_algorithm
type: keyword
description: >-
The algorithm used to sign the digest file.
- name: insight_details
type: flattened
description: >-
Shows information about the underlying triggers of an Insights
event, such as event source, user agent, statistics, API name,
and whether the event is the start or end of the Insights
event.
- name: cloudwatch
type: group
release: ga
description: >
Fields for AWS CloudWatch logs.
fields:
- name: message
type: text
description: >
CloudWatch log message.
- name: ec2
type: group
release: ga
description: >
Fields for AWS EC2 logs in CloudWatch.
fields:
- name: ip_address
type: keyword
description: >
The internet address of the requester.
- name: elb
type: group
release: ga
description: >
Fields for AWS ELB logs.
fields:
- name: name
type: keyword
description: >
The name of the load balancer.
- name: type
type: keyword
description: >
The type of the load balancer for v2 Load Balancers.
- name: target_group.arn
type: keyword
description: >
The ARN of the target group handling the request.
- name: listener
type: keyword
description: >
The ELB listener that received the connection.
- name: protocol
type: keyword
description: >
The protocol of the load balancer (http or tcp).
- name: request_processing_time.sec
type: float
description: >
The total time in seconds from when the connection or request is received until it is sent to a registered backend.
- name: backend_processing_time.sec
type: float
description: >
The total time in seconds from when the connection is sent to the backend until the backend starts responding.
- name: response_processing_time.sec
type: float
description: >
The total time in seconds from when the response is received from the backend until it is sent to the client.
- name: connection_time.ms
type: long
description: >
The total time of the connection in milliseconds, from when it is opened until it is closed.
- name: tls_handshake_time.ms
type: long
description: >
The total time for the TLS handshake to complete in milliseconds once the connection has been established.
- name: backend.ip
type: keyword
description: >
The IP address of the backend processing this connection.
- name: backend.port
type: keyword
description: >
The port in the backend processing this connection.
- name: backend.http.response.status_code
type: keyword
description: >
The status code from the backend (the status code sent to the client from ELB is stored in `http.response.status_code`).
- name: ssl_cipher
type: keyword
description: >
The SSL cipher used in TLS/SSL connections.
- name: ssl_protocol
type: keyword
description: >
The SSL protocol used in TLS/SSL connections.
- name: chosen_cert.arn
type: keyword
description: >
The ARN of the chosen certificate presented to the client in TLS/SSL connections.
- name: chosen_cert.serial
type: keyword
description: >
The serial number of the chosen certificate presented to the client in TLS/SSL connections.
- name: incoming_tls_alert
type: keyword
description: >
The integer value of TLS alerts received by the load balancer from the client, if present.
- name: tls_named_group
type: keyword
description: >
The TLS named group.
- name: trace_id
type: keyword
description: >
The contents of the `X-Amzn-Trace-Id` header.
- name: matched_rule_priority
type: keyword
description: >
The priority value of the rule that matched the request, if a rule matched.
- name: action_executed
type: keyword
description: >
The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values.
- name: redirect_url
type: keyword
description: >
The URL used if a redirection action was executed.
- name: error.reason
type: keyword
description: >
The error reason if the executed action failed.
- name: target_port
type: keyword
description: >
List of IP addresses and ports for the targets that processed this request.
- name: target_status_code
type: keyword
description: >
List of status codes from the responses of the targets.
- name: classification
type: keyword
description: >
The classification for desync mitigation.
- name: classification_reason
type: keyword
description: >
The classification reason code.
- name: s3access
type: group
release: ga
description: >
Fields for AWS S3 server access logs.
fields:
- name: bucket_owner
type: keyword
description: >
The canonical user ID of the owner of the source bucket.
- name: bucket
type: keyword
description: >
The name of the bucket that the request was processed against.
- name: remote_ip
type: ip
description: >
The apparent internet address of the requester.
- name: requester
type: keyword
description: >
The canonical user ID of the requester, or a - for unauthenticated requests.
- name: request_id
type: keyword
description: >
A string generated by Amazon S3 to uniquely identify each request.
- name: operation
type: keyword
description: >
The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
- name: key
type: keyword
description: >
The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.
- name: request_uri
type: keyword
description: >
The Request-URI part of the HTTP request message.
- name: http_status
type: long
description: >
The numeric HTTP status code of the response.
- name: error_code
type: keyword
description: >
The Amazon S3 Error Code, or "-" if no error occurred.
- name: bytes_sent
type: long
description: >
The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
- name: object_size
type: long
description: >
The total size of the object in question.
- name: total_time
type: long
description: >
The number of milliseconds the request was in flight from the server's perspective.
- name: turn_around_time
type: long
description: >
The number of milliseconds that Amazon S3 spent processing your request.
- name: referrer
type: keyword
description: >
The value of the HTTP Referrer header, if present.
- name: user_agent
type: keyword
description: >
The value of the HTTP User-Agent header.
- name: version_id
type: keyword
description: >
The version ID in the request, or "-" if the operation does not take a versionId parameter.
- name: host_id
type: keyword
description: >
The x-amz-id-2 or Amazon S3 extended request ID.
- name: signature_version
type: keyword
description: >
The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.
- name: cipher_suite
type: keyword
description: >
The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.
- name: authentication_type
type: keyword
description: >
The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.
- name: host_header
type: keyword
description: >
The endpoint used to connect to Amazon S3.
- name: tls_version
type: keyword
description: >
The Transport Layer Security (TLS) version negotiated by the client.
- name: vpcflow
type: group
release: ga
description: >
Fields for AWS VPC flow logs.
fields:
- name: version
type: keyword
description: >
The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
- name: account_id
type: keyword
description: >
The AWS account ID for the flow log.
- name: interface_id
type: keyword
description: >
The ID of the network interface for which the traffic is recorded.
- name: action
type: keyword
description: >
The action that is associated with the traffic, ACCEPT or REJECT.
- name: log_status
type: keyword
description: >
The logging status of the flow log, OK, NODATA or SKIPDATA.
- name: instance_id
type: keyword
description: >
The ID of the instance that's associated with the network interface for which the traffic is recorded, if the instance is owned by you.
- name: pkt_srcaddr
type: ip
description: >
The packet-level (original) source IP address of the traffic.
- name: pkt_dstaddr
type: ip
description: >
The packet-level (original) destination IP address for the traffic.
- name: vpc_id
type: keyword
description: >
The ID of the VPC that contains the network interface for which the traffic is recorded.
- name: subnet_id
type: keyword
description: >
The ID of the subnet that contains the network interface for which the traffic is recorded.
- name: tcp_flags
type: keyword
description: >
The bitmask value for the following TCP flags: 2=SYN, 18=SYN-ACK, 1=FIN, 4=RST.
- name: tcp_flags_array
type: keyword
description: >
List of TCP flags: 'fin, syn, rst, psh, ack, urg'
- name: type
type: keyword
description: >
The type of traffic: IPv4, IPv6, or EFA.
- key: awsfargate
title: AWS Fargate
release: beta
description: >
Module for collecting container logs from Amazon ECS Fargate.
fields:
- name: awsfargate
type: group
description: >
Fields from Amazon ECS Fargate logs.
fields:
- name: log
type: group
release: beta
description: >
Fields for Amazon Fargate container logs.
fields:
- key: azure
title: "Azure"
release: ga
description: >
Azure Module
fields:
- name: azure
type: group
description: >
fields:
- name: subscription_id
type: keyword
description: >
Azure subscription ID
- name: correlation_id
type: keyword
description: >
Correlation ID
- name: tenant_id
type: keyword
description: >
Tenant ID
- name: resource
type: group
description: >
Resource
fields:
- name: id
type: keyword
description: >
Resource ID
- name: group
type: keyword
description: >
Resource group
- name: provider
type: keyword
description: >
Resource type/namespace
- name: namespace
type: keyword
description: >
Resource type/namespace
- name: name
type: keyword
description: >
Name
- name: authorization_rule
type: keyword
description: >
Authorization rule
- name: activitylogs
type: group
release: ga
description: >
Fields for Azure activity logs.
fields:
- name: identity_name
type: keyword
description: Identity name
- name: identity
type: group
description: >
Identity
fields:
- name: claims_initiated_by_user
type: group
description: >
Claims initiated by user
fields:
- name: name
type: keyword
description: >
Name
- name: givenname
type: keyword
description: >
Givenname
- name: surname
type: keyword
description: >
Surname
- name: fullname
type: keyword
description: >
Fullname
- name: schema
type: keyword
description: >
Schema
- name: claims.*
type: object
object_type: keyword
object_type_mapping_type: "*"
description: >
Claims
- name: authorization
type: group
description: >
Authorization
fields:
- name: scope
type: keyword
description: >
Scope
- name: action
type: keyword
description: >
Action
- name: evidence
type: group
description: >
Evidence
fields:
- name: role_assignment_scope
type: keyword
description: >
Role assignment scope
- name: role_definition_id
type: keyword
description: >
Role definition ID
- name: role
type: keyword
description: >
Role
- name: role_assignment_id
type: keyword
description: >
Role assignment ID
- name: principal_id
type: keyword
description: >
Principal ID
- name: principal_type
type: keyword
description: >
Principal type
- name: tenant_id
type: keyword
description: >
Tenant ID
- name: level
type: long
description: >
Level
- name: operation_version
type: keyword
description: >
Operation version
- name: operation_name
type: keyword
description: >
Operation name
- name: result_type
type: keyword
description: >
Result type
- name: result_signature
type: keyword
description: >
Result signature
- name: category
type: keyword
description: >
Category
- name: event_category
type: keyword
description: >
Event Category
- name: properties
type: flattened
description: >
Properties
- name: auditlogs
type: group
release: ga
description: >
Fields for Azure audit logs.
fields:
- name: category
type: keyword
description: >
The category of the operation. Currently, Audit is the only supported value.
- name: operation_name
type: keyword
description: >
The operation name
- name: operation_version
type: keyword
description: >
The operation version
- name: identity
type: keyword
description: >
Identity
- name: tenant_id
type: keyword
description: >
Tenant ID
- name: result_signature
type: keyword
description: >
Result signature
- name: properties
type: group
description: >
The audit log properties
fields:
- name: result
type: keyword
description: >
Log result
- name: activity_display_name
type: keyword
description: >
Activity display name
- name: result_reason
type: keyword
description: >
Reason for the log result
- name: correlation_id
type: keyword
description: >
Correlation ID
- name: logged_by_service
type: keyword
description: >
Logged by service
- name: operation_type
type: keyword
description: >
Operation type
- name: id
type: keyword
description: >
ID
- name: activity_datetime
type: date
description: >
Activity timestamp
- name: category
type: keyword
description: >
Category
- name: target_resources.*
type: group
object_type_mapping_type: "*"
description: >
Target resources
fields:
- name: display_name
type: keyword
description: >
Display name
- name: id
type: keyword
description: >
ID
- name: type
type: keyword
description: >
Type
- name: ip_address
type: keyword
description: >
IP address
- name: user_principal_name
type: keyword
description: >
User principal name
- name: modified_properties.*
type: group
object_type: keyword
object_type_mapping_type: "*"
description: >
Modified properties
fields:
- name: new_value
type: keyword
description: >
New value
- name: display_name
type: keyword
description: >
Display value
- name: old_value
type: keyword
description: >
Old value
- name: initiated_by
type: group
description: >
Information regarding the initiator
fields:
- name: app
type: group
description: >
App
fields:
- name: servicePrincipalName
type: keyword
description: >
Service principal name
- name: displayName
type: keyword
description: >
Display name
- name: appId
type: keyword
description: >
App ID
- name: servicePrincipalId
type: keyword
description: >
Service principal ID
- name: user
type: group
description: >
User
fields:
- name: userPrincipalName
type: keyword
description: >
User principal name
- name: displayName
type: keyword
description: >
Display name
- name: id
type: keyword
description: >
ID
- name: ipAddress
type: keyword
description: >
IP address
- name: platformlogs
type: group
release: ga
description: >
Fields for Azure platform logs.
fields:
- name: operation_name
type: keyword
description: >
Operation name
- name: result_type
type: keyword
description: >
Result type
- name: result_signature
type: keyword
description: >
Result signature
- name: category
type: keyword
description: >
Category
- name: event_category
type: keyword
description: >
Event Category
- name: status
type: keyword
description: >
Status
- name: ccpNamespace
type: keyword
description: >
ccpNamespace
- name: Cloud
type: keyword
description: >
Cloud
- name: Environment
type: keyword
description: >
Environment
- name: EventTimeString
type: keyword
description: >
EventTimeString
- name: Caller
type: keyword
description: >
Caller
- name: ScaleUnit
type: keyword
description: >
ScaleUnit
- name: ActivityId
type: keyword
description: >
ActivityId
- name: identity_name
type: keyword
description: |
Identity name
- name: properties
type: flattened
description: >
Event inner properties
- name: signinlogs
type: group
release: ga
description: >
Fields for Azure sign-in logs.
fields:
- name: operation_name
type: keyword
description: |
The operation name
- name: operation_version
type: keyword
description: |
The operation version
- name: tenant_id
type: keyword
description: |
Tenant ID
- name: result_signature
type: keyword
description: |
Result signature
- name: result_description
type: keyword
description: |
Result description
- name: result_type
type: keyword
description: |
Result type
- name: identity
type: keyword
description: |
Identity
- name: category
type: keyword
description: |
Category
- name: properties
type: group
# See https://docs.microsoft.com/en-au/graph/api/resources/signin
fields:
- name: id
type: keyword
description: |
Unique ID representing the sign-in activity.
- name: created_at
type: date
description: |
Date and time (UTC) the sign-in was initiated.
- name: user_display_name
type: keyword
description: |
User display name
- name: correlation_id
type: keyword
description: |
Correlation ID
- name: user_principal_name
type: keyword
description: |
User principal name
- name: user_id
type: keyword
description: |
User ID
- name: app_id
type: keyword
description: |
App ID
- name: app_display_name
type: keyword
description: |
App display name
- name: autonomous_system_number
type: long
description: Autonomous system number.
- name: client_app_used
type: keyword
description: |
Client app used
- name: conditional_access_status
type: keyword
description: |
Conditional access status
- name: original_request_id
type: keyword
description: |
Original request ID
- name: is_interactive
type: boolean
description: |
Is interactive
- name: token_issuer_name
type: keyword
description: |
Token issuer name
- name: token_issuer_type
type: keyword
description: |
Token issuer type
- name: processing_time_ms
type: float
description: |
Processing time in milliseconds
- name: risk_detail
type: keyword
description: |
Risk detail
- name: risk_level_aggregated
type: keyword
description: |
Risk level aggregated
- name: risk_level_during_signin
type: keyword
description: |
Risk level during sign-in
- name: risk_state
type: keyword
description: |
Risk state
- name: resource_display_name
type: keyword
description: |
Resource display name
- name: status
type: group
fields:
- name: error_code
type: long
description: |
Error code
- name: device_detail
type: group
fields:
- name: device_id
type: keyword
description: |
Device ID
- name: operating_system
type: keyword
description: |
Operating system
- name: browser
type: keyword
description: |
Browser
- name: display_name
type: keyword
description: |
Display name
- name: trust_type
type: keyword
description: |
Trust type
- name: is_compliant
type: boolean
description: |
If the device is compliant
- name: is_managed
type: boolean
description: |
If the device is managed
- name: applied_conditional_access_policies
type: array
description: |
A list of conditional access policies that are triggered by the corresponding sign-in activity.
- name: authentication_details
type: array
description: |
The result of the authentication attempt and additional details on the authentication method.
- name: authentication_processing_details
type: flattened
description: |
Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
- name: authentication_protocol
type: keyword
description: |
Authentication protocol type.
- name: incoming_token_type
type: keyword
description: |
Incoming token type.
- name: unique_token_identifier
type: keyword
description: Unique token identifier for the request.
- name: authentication_requirement
type: keyword
description: |
This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
- name: authentication_requirement_policies
type: flattened
description: |
Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
- name: flagged_for_review
type: boolean
- name: home_tenant_id
type: keyword
- name: network_location_details
type: array
description: The network location details including the type of network used and its names.
- name: resource_id
type: keyword
description: The identifier of the resource that the user signed in to.
- name: resource_tenant_id
type: keyword
- name: risk_event_types
type: keyword
description: |
The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
- name: risk_event_types_v2
type: keyword
description: |
The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
- name: service_principal_name
type: keyword
description: |
The application name used for sign-in. This field is populated when you are signing in using an application.
- name: user_type
type: keyword
- name: service_principal_id
type: keyword
description: |
The application identifier used for sign-in. This field is populated when you are signing in using an application.
- name: cross_tenant_access_type
type: keyword
- name: is_tenant_restricted
type: boolean
- name: sso_extension_version
type: keyword
- key: barracuda
title: Barracuda Web Application Firewall
description: >
barracuda fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse metadata from a session (logs/packets) directly; it
is a reserved key in NetWitness.
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse metadata from a session (logs/packets) directly; it is
a reserved key in NetWitness.
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse metadata from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: device_class
overwrite: true
type: keyword
description: This is the classification of the log event source under a predefined
fixed set of event source classifications. This key should never be used to
parse metadata from a session (logs/packets) directly; it is a reserved
key in NetWitness.
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: device_host
overwrite: true
type: keyword
description: This is the hostname of the log event source sending the logs to
NetWitness. This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the log event source sending the logs
to NetWitness. This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the log event source sending the logs
to NetWitness. This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse metadata from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse metadata from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the meta type can
be either UInt16 or Float32, depending on the configuration.
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the meta type can
be either UInt16 or Float32, depending on the configuration.
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse metadata from a session (logs/packets) directly; it
is a reserved key in NetWitness.
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPv4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPv6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse metadata from a session (logs/packets) directly;
it is a reserved key in NetWitness.
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse metadata from a session (logs/packets) directly; it is
a reserved key in NetWitness.
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique identifier of a Log Collector. This key should
never be used to parse metadata from a session (logs/packets) directly; it
is a reserved key in NetWitness.
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
for the request side is simply which byte value (0 through 255) was seen most often.
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
for the response side is simply which byte value (0 through 255) was seen most often.
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
count is the number of times the most common byte (above) was seen in the
request stream.
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
count is the number of times the most common byte (above) was seen in the
response stream.
- name: medium
overwrite: true
type: long
description: "This key is used to identify whether the session is a log/packet\
\ session or a Layer 2 encapsulation type. This key should never be used to\
\ parse metadata from a session (logs/packets) directly; it is a reserved key\
\ in NetWitness. 32 = log, 33 = correlation session, < 32 is a packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any meta key validation error
found while parsing a log session. This key should never be used to parse
metadata from a session (logs/packets) directly; it is a reserved key in
NetWitness.
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
group of similar processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
group of similar processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the remote session created by the NetWitness
Decoder. This key should never be used to parse metadata from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse metadata from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAP that was imported
into NetWitness. This key should never be used to parse metadata from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser. Unique byte count
is the number of distinct byte values seen in the request stream; 256 means
all byte values from 0 through 255 were seen at least once.
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser. Unique byte count
is the number of distinct byte values seen in the response stream; 256 means
all byte values from 0 through 255 were seen at least once.
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log.
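The entropy_*, mcb_*, mcbc_*, ubc_* and payload_* keys above are only meaningful once you see them computed side by side. The following is an added example, not Filebeat or NetWitness code: it derives all five per-side metrics from two constructed byte strings (an HTTP request and a response that cycles through every byte value twice) and emits them under the rsa.internal.* names. The function names, the tie-break rule for the most common byte, and the "looks opaque" heuristic are this example's own; entropy is given in bits per byte, the Float32 form mentioned above.

```python
"""Per-side session statistics matching the Entropy Parser keys.

Added example (not part of Filebeat or NetWitness). REQUEST and RESPONSE
are constructed samples; side_stats/session_stats/looks_opaque are names
chosen here, not NetWitness APIs.
"""
import math
from collections import Counter


def side_stats(payload: bytes) -> dict:
    """Compute entropy, mcb, mcbc, ubc and payload size for one stream.

    entropy: Shannon entropy in bits per byte (0.0 .. 8.0)
    mcb:     the byte value (0 through 255) seen most often
    mcbc:    how many times that byte value was seen
    ubc:     number of distinct byte values; 256 means every value appeared
    payload: stream size in bytes at the time of parsing
    """
    n = len(payload)
    if n == 0:
        return {"entropy": 0.0, "mcb": None, "mcbc": 0, "ubc": 0, "payload": 0}
    counts = Counter(payload)
    # Ties on count are broken toward the lowest byte value so the
    # result is deterministic regardless of stream order.
    mcb, mcbc = max(counts.items(), key=lambda kv: (kv[1], -kv[0]))
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "entropy": round(entropy, 3),
        "mcb": mcb,
        "mcbc": mcbc,
        "ubc": len(counts),
        "payload": n,
    }


def session_stats(request: bytes, response: bytes) -> dict:
    """Emit both sides under the rsa.internal.<metric>_<req|res> names."""
    out = {}
    for side, data in (("req", request), ("res", response)):
        for key, value in side_stats(data).items():
            out[f"rsa.internal.{key}_{side}"] = value
    return out


def looks_opaque(stats: dict, side: str = "res") -> bool:
    """Heuristic (this example's own): near-maximal entropy with almost
    every byte value present suggests encrypted or compressed content."""
    return (stats[f"rsa.internal.entropy_{side}"] >= 7.5
            and stats[f"rsa.internal.ubc_{side}"] >= 250)


# Constructed samples: a plain HTTP request, and a response that contains
# every byte value exactly twice (maximal entropy, ubc == 256).
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = bytes(range(256)) * 2

if __name__ == "__main__":
    for key, value in sorted(session_stats(REQUEST, RESPONSE).items()):
        print(f"{key} = {value}")
```

Note that the text-side request scores well below 8 bits per byte while the synthetic response scores exactly 8.0; in practice the request side of a TLS session looks like the response here, which is why these keys are useful for spotting encrypted traffic on unexpected ports.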
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form.
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
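The group/fields tree above (rsa.internal.*, rsa.time.*) is what Filebeat turns into an Elasticsearch mapping, and the descriptions carry two things a pipeline should act on: deprecated keys, and the coded meaning of rsa.internal.medium. The following is an added example, not Filebeat or ECS tooling: it flattens a constructed subset of these definitions into dotted field names, validates a constructed event against the declared types (ip, date, long, double, keyword), flags deprecated keys, and decodes medium per the description above. FIELDS is written as Python literals rather than parsed from YAML so the example runs without extra packages; its function names are this example's own, and the type checks are stricter than Elasticsearch's default coercion (a numeric string is rejected for long here).

```python
"""Flatten fields.yml-style definitions and validate an event against them.

Added example (not part of Filebeat or ECS). FIELDS is a constructed subset
of the rsa.* definitions on this page; SAMPLE_EVENT is constructed too.
"""
import ipaddress
from datetime import datetime

FIELDS = [  # constructed subset mirroring the page's group/fields layout
    {"name": "rsa", "type": "group", "fields": [
        {"name": "internal", "type": "group", "fields": [
            {"name": "device_ip", "type": "ip",
             "description": "IPv4 address of the log event source"},
            {"name": "level", "type": "long",
             "description": "Deprecated key defined only in table map."},
            {"name": "medium", "type": "long",
             "description": "32 = log, 33 = correlation session, < 32 is a packet session"},
        ]},
        {"name": "time", "type": "group", "fields": [
            {"name": "event_time", "type": "date"},
            {"name": "duration_time", "type": "double"},
        ]},
    ]},
]


def flatten_fields(fields, prefix=""):
    """Turn nested 'group' entries into a {dotted.name: definition} map."""
    out = {}
    for f in fields:
        name = prefix + f["name"]
        if f.get("type") == "group":
            out.update(flatten_fields(f.get("fields", []), name + "."))
        else:
            out[name] = f
    return out


def flatten_event(doc, prefix=""):
    """Flatten a nested JSON-style event document to dotted keys."""
    out = {}
    for k, v in doc.items():
        if isinstance(v, dict):
            out.update(flatten_event(v, prefix + k + "."))
        else:
            out[prefix + k] = v
    return out


def _is_date(v):
    if not isinstance(v, str):
        return False
    try:  # accept the trailing 'Z' that ECS examples use
        datetime.fromisoformat(v.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


# Strict per-type checks; bool is excluded because it is an int subclass.
CHECKS = {
    "keyword": lambda v: isinstance(v, str),
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "double": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "ip": _is_ip,
    "date": _is_date,
}


def decode_medium(value):
    """Decode rsa.internal.medium: 32 = log, 33 = correlation, < 32 = packet."""
    if value == 32:
        return "log"
    if value == 33:
        return "correlation session"
    if isinstance(value, int) and not isinstance(value, bool) and 0 <= value < 32:
        return "packet session"
    return "unknown"


def validate_event(doc, schema):
    """Return (field, kind) problems, kind in {unknown, deprecated, type}."""
    problems = []
    for name, value in flatten_event(doc).items():
        spec = schema.get(name)
        if spec is None:
            problems.append((name, "unknown"))
            continue
        if "deprecated" in spec.get("description", "").lower():
            problems.append((name, "deprecated"))
        check = CHECKS.get(spec["type"])
        if check is not None and not check(value):
            problems.append((name, "type"))
    return problems


SAMPLE_EVENT = {  # constructed: one deprecated key, one unknown key, one bad type
    "rsa": {
        "internal": {"device_ip": "10.0.0.5", "medium": 32, "level": 3, "nope": "x"},
        "time": {"event_time": "2016-05-23T08:05:34.853Z", "duration_time": "fast"},
    }
}

if __name__ == "__main__":
    schema = flatten_fields(FIELDS)
    print("medium:", decode_medium(SAMPLE_EVENT["rsa"]["internal"]["medium"]))
    for problem in validate_event(SAMPLE_EVENT, schema):
        print("problem:", problem)
```

Running this against the sample reports the deprecated rsa.internal.level, the undeclared rsa.internal.nope (which Elasticsearch would otherwise dynamically map as text) and the non-numeric rsa.time.duration_time, while the valid ip and date values pass.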
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given in the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a session ID from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture the name of the device associated with the
node, e.g. a physical disk, printer, etc.'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept; it is used to capture the
fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept; it is used to capture the
combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rule name) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures an IDS/IPS integer signature ID. This must be linked
to sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware target. VMware-only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection to the database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the IP protocol number; all
protocol numbers are converted to strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished Name that is used in a context that
indicates a Source DN
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished Name that is used in a context that
indicates a Destination DN
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only; it is used predominantly in Healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file
which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either the WLAN number or the WLAN name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only; it is used predominantly in Healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target. **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, that is, any
hostname that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (for example, Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (for example, Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (for example, User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (for example, Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is Windows-specific, used to capture the name of the account
a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: bluecoat
title: Blue Coat Director
description: >
bluecoat fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target. **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. It should never be used
to parse metadata from a session (logs/packets) directly; this is a reserved key
in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all protocol
numbers are converted to strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise (BOC)
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise (EOC)
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an Indicator of Compromise (IOC)
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: RADIUS realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in Healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in Healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in Healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: This key is for uninterpreted LDAP values, i.e. LDAP values that do not
have a clear query or response context
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of a file, as found in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: cef-module
title: CEF
description: >
Module for receiving CEF logs over Syslog. The module adds vendor
specific fields in addition to the fields the decode_cef processor
provides.
fields:
- name: forcepoint
type: group
description: >
Fields for Forcepoint Custom String mappings
fields:
- name: virus_id
type: keyword
description: >
Virus ID
- name: checkpoint
type: group
description: >
Fields for Check Point custom string mappings.
fields:
- name: app_risk
type: keyword
overwrite: true
description: Application risk.
- name: app_severity
type: keyword
overwrite: true
description: Application threat severity.
- name: app_sig_id
type: keyword
overwrite: true
description: The signature ID which the application was detected by.
- name: auth_method
type: keyword
overwrite: true
description: Password authentication protocol used.
- name: category
type: keyword
overwrite: true
description: Category.
- name: confidence_level
type: integer
overwrite: true
description: Confidence level determined.
- name: connectivity_state
type: keyword
overwrite: true
description: Connectivity state.
- name: cookie
type: keyword
overwrite: true
description: IKE cookie.
- name: dst_phone_number
type: keyword
overwrite: true
description: Destination IP-Phone.
- name: email_control
type: keyword
overwrite: true
description: Engine name.
- name: email_id
type: keyword
overwrite: true
description: Internal email ID.
- name: email_recipients_num
type: long
overwrite: true
description: Number of recipients.
- name: email_session_id
type: keyword
overwrite: true
description: Internal email session ID.
- name: email_spool_id
overwrite: true
type: keyword
description: Internal email spool ID.
- name: email_subject
type: keyword
overwrite: true
description: Email subject.
- name: event_count
type: long
overwrite: true
description: Number of events associated with the log.
- name: frequency
type: keyword
overwrite: true
description: Scan frequency.
- name: icmp_type
type: long
overwrite: true
description: ICMP type.
- name: icmp_code
type: long
overwrite: true
description: ICMP code.
- name: identity_type
type: keyword
overwrite: true
description: Identity type.
- name: incident_extension
type: keyword
overwrite: true
description: Format of original data.
- name: integrity_av_invoke_type
type: keyword
overwrite: true
description: Scan invoke type.
- name: malware_family
type: keyword
overwrite: true
description: Malware family.
- name: peer_gateway
type: ip
overwrite: true
description: Main IP of the peer Security Gateway.
- name: performance_impact
type: integer
overwrite: true
description: Protection performance impact.
- name: protection_id
type: keyword
overwrite: true
description: Protection malware ID.
- name: protection_name
type: keyword
overwrite: true
description: Specific signature name of the attack.
- name: protection_type
type: keyword
overwrite: true
description: Type of protection used to detect the attack.
- name: scan_result
type: keyword
overwrite: true
description: Scan result.
- name: sensor_mode
type: keyword
overwrite: true
description: Sensor mode.
- name: severity
type: keyword
overwrite: true
description: Threat severity.
- name: spyware_name
type: keyword
overwrite: true
description: Spyware name.
- name: spyware_status
type: keyword
overwrite: true
description: Spyware status.
- name: subs_exp
type: date
overwrite: true
description: The expiration date of the subscription.
- name: tcp_flags
type: keyword
overwrite: true
description: TCP packet flags.
- name: termination_reason
type: keyword
overwrite: true
description: Termination reason.
- name: update_status
type: keyword
overwrite: true
description: Update status.
- name: user_status
type: keyword
overwrite: true
description: User response.
- name: uuid
type: keyword
overwrite: true
description: External ID.
- name: virus_name
type: keyword
overwrite: true
description: Virus name.
- name: voip_log_type
type: keyword
overwrite: true
description: VoIP log types.
- name: cef.extensions
type: group
description: >
Extra vendor-specific extensions.
fields:
- name: cp_app_risk
type: keyword
- name: cp_severity
type: keyword
- name: ifname
type: keyword
- name: inzone
type: keyword
- name: layer_uuid
type: keyword
- name: layer_name
type: keyword
- name: logid
type: keyword
- name: loguid
type: keyword
- name: match_id
type: keyword
- name: nat_addtnl_rulenum
type: keyword
- name: nat_rulenum
type: keyword
- name: origin
type: keyword
- name: originsicname
type: keyword
- name: outzone
type: keyword
- name: parent_rule
type: keyword
- name: product
type: keyword
- name: rule_action
type: keyword
- name: rule_uid
type: keyword
- name: sequencenum
type: keyword
- name: service_id
type: keyword
- name: version
type: keyword
- key: checkpoint
title: Checkpoint
description: >
Some checkpoint module
fields:
- name: checkpoint
type: group
release: ga
description: >
Module for parsing Checkpoint syslog.
fields:
- name: confidence_level
type: integer
overwrite: true
description: >
Confidence level determined by ThreatCloud.
- name: calc_desc
type: keyword
overwrite: true
description: >
Log description.
- name: dst_country
type: keyword
overwrite: true
description: >
Destination country.
- name: dst_user_name
type: keyword
overwrite: true
description: >
Connected user name on the destination IP.
- name: email_id
type: keyword
overwrite: true
description: >
Email number in smtp connection.
- name: email_subject
type: keyword
overwrite: true
description: >
Original email subject.
- name: email_session_id
type: keyword
overwrite: true
description: >
Connection uuid.
- name: event_count
type: long
overwrite: true
description: >
Number of events associated with the log.
- name: sys_message
type: keyword
overwrite: true
description: >
System messages
- name: logid
type: keyword
overwrite: true
description: >
System messages
- name: failure_impact
type: keyword
overwrite: true
description: >
The impact of update service failure.
- name: id
type: integer
overwrite: true
description: >
Override application ID.
- name: identity_src
type: keyword
description: >
The source for authentication identity information.
- name: information
type: keyword
overwrite: true
description: >
Policy installation status for a specific blade.
- name: layer_name
type: keyword
overwrite: true
description: >
Layer name.
- name: layer_uuid
type: keyword
overwrite: true
description: >
Layer UUID.
- name: log_id
type: integer
overwrite: true
description: >
Unique identity for logs.
- name: malware_family
type: keyword
overwrite: true
description: >
Additional information on protection.
- name: origin_sic_name
type: keyword
overwrite: true
description: >
Machine SIC.
- name: policy_mgmt
type: keyword
overwrite: true
description: >
Name of the Management Server that manages this Security Gateway.
- name: policy_name
type: keyword
overwrite: true
description: >
Name of the last policy that this Security Gateway fetched.
- name: protection_id
type: keyword
overwrite: true
description: >
Protection malware id.
- name: protection_name
type: keyword
overwrite: true
description: >
Specific signature name of the attack.
- name: protection_type
type: keyword
overwrite: true
description: >
Type of protection used to detect the attack.
- name: protocol
type: keyword
overwrite: true
description: >
Protocol detected on the connection.
- name: proxy_src_ip
type: ip
overwrite: true
description: >
Sender source IP (even when using proxy).
- name: rule
type: integer
overwrite: true
description: >
Matched rule number.
- name: rule_action
type: keyword
overwrite: true
description: >
Action of the matched rule in the access policy.
- name: scan_direction
type: keyword
overwrite: true
description: >
Scan direction.
- name: session_id
type: keyword
overwrite: true
description: >
Log uuid.
- name: source_os
type: keyword
overwrite: true
description: >
OS which generated the attack.
- name: src_country
type: keyword
overwrite: true
description: >
Country name, derived from connection source IP address.
- name: src_user_name
type: keyword
overwrite: true
description: >
User name connected to source IP
- name: ticket_id
type: keyword
overwrite: true
description: >
Unique ID per file.
- name: tls_server_host_name
type: keyword
overwrite: true
description: >
SNI/CN from encrypted TLS connection used by URLF for categorization.
- name: verdict
type: keyword
overwrite: true
description: >
TE engine verdict. Possible values: Malicious/Benign/Error.
- name: user
type: keyword
overwrite: true
description: >
Source user name.
- name: vendor_list
type: keyword
overwrite: true
description: >
The vendor name that provided the verdict for a malicious URL.
- name: web_server_type
type: keyword
overwrite: true
description: >
Web server detected in the HTTP response.
- name: client_name
type: keyword
overwrite: true
description: >
Client Application or Software Blade that detected the event.
- name: client_version
type: keyword
overwrite: true
description: >
Build version of SandBlast Agent client installed on the computer.
- name: extension_version
type: keyword
overwrite: true
description: >
Build version of the SandBlast Agent browser extension.
- name: host_time
type: keyword
overwrite: true
description: >
Local time on the endpoint computer.
- name: installed_products
type: keyword
overwrite: true
description: >
List of installed Endpoint Software Blades.
- name: cc
type: keyword
overwrite: true
description: >
The Carbon Copy address of the email.
- name: parent_process_username
type: keyword
overwrite: true
description: >
Owner username of the parent process of the process that triggered the attack.
- name: process_username
type: keyword
overwrite: true
description: >
Owner username of the process that triggered the attack.
- name: audit_status
type: keyword
overwrite: true
description: >
Audit Status. Can be Success or Failure.
- name: objecttable
type: keyword
overwrite: true
description: >
Table of affected objects.
- name: objecttype
type: keyword
overwrite: true
description: >
The type of the affected object.
- name: operation_number
type: keyword
overwrite: true
description: >
The operation number.
- name: email_recipients_num
type: integer
overwrite: true
description: >
Amount of recipients whom the mail was sent to.
- name: suppressed_logs
type: integer
overwrite: true
description: >
Aggregated connections for five minutes on the same source, destination and port.
- name: blade_name
type: keyword
overwrite: true
description: >
Blade name.
- name: status
type: keyword
overwrite: true
description: >
Ok/Warning/Error.
- name: short_desc
type: keyword
overwrite: true
description: >
Short description of the process that was executed.
- name: long_desc
type: keyword
overwrite: true
description: >
More information on the process (usually describing error reason in failure).
- name: scan_hosts_hour
type: integer
overwrite: true
description: >
Number of unique hosts during the last hour.
- name: scan_hosts_day
type: integer
overwrite: true
description: >
Number of unique hosts during the last day.
- name: scan_hosts_week
type: integer
overwrite: true
description: >
Number of unique hosts during the last week.
- name: unique_detected_hour
type: integer
overwrite: true
description: >
Detected virus for a specific host during the last hour.
- name: unique_detected_day
type: integer
overwrite: true
description: >
Detected virus for a specific host during the last day.
- name: unique_detected_week
type: integer
overwrite: true
description: >
Detected virus for a specific host during the last week.
- name: scan_mail
type: integer
overwrite: true
description: >
Number of emails that were scanned by "AB malicious activity" engine.
- name: additional_ip
type: keyword
overwrite: true
description: >
DNS host name.
- name: description
type: keyword
overwrite: true
description: >
Additional explanation how the security gateway enforced the connection.
- name: email_spam_category
type: keyword
overwrite: true
description: >
Email categories. Possible values: spam/not spam/phishing.
- name: email_control_analysis
type: keyword
overwrite: true
description: >
Message classification, received from spam vendor engine.
- name: scan_results
type: keyword
overwrite: true
description: >
"Infected"/description of a failure.
- name: original_queue_id
type: keyword
overwrite: true
description: >
Original postfix email queue id.
- name: risk
type: keyword
overwrite: true
description: >
Risk level we got from the engine.
- name: roles
type: keyword
description: >
The role of identity.
- name: observable_name
type: keyword
overwrite: true
description: >
IOC observable signature name.
- name: observable_id
type: keyword
overwrite: true
description: >
IOC observable signature id.
- name: observable_comment
type: keyword
overwrite: true
description: >
IOC observable signature description.
- name: indicator_name
type: keyword
overwrite: true
description: >
IOC indicator name.
- name: indicator_description
type: keyword
overwrite: true
description: >
IOC indicator description.
- name: indicator_reference
type: keyword
overwrite: true
description: >
IOC indicator reference.
- name: indicator_uuid
type: keyword
overwrite: true
description: >
IOC indicator uuid.
- name: app_desc
type: keyword
overwrite: true
description: >
Application description.
- name: app_id
type: integer
overwrite: true
description: >
Application ID.
- name: app_sig_id
type: keyword
overwrite: true
description: >
IOC indicator description.
- name: certificate_resource
type: keyword
overwrite: true
description: >
HTTPS resource. Possible values: SNI or domain name (DN).
- name: certificate_validation
type: keyword
overwrite: true
description: >
Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.
- name: browse_time
type: keyword
overwrite: true
description: >
Application session browse time.
- name: limit_requested
type: integer
overwrite: true
description: >
Indicates whether data limit was requested for the session.
- name: limit_applied
type: integer
overwrite: true
description: >
Indicates whether the session was actually data limited.
- name: dropped_total
type: integer
overwrite: true
description: >
Amount of dropped packets (both incoming and outgoing).
- name: client_type_os
type: keyword
overwrite: true
description: >
Client OS detected in the HTTP request.
- name: name
type: keyword
overwrite: true
description: >
Application name.
- name: properties
type: keyword
overwrite: true
description: >
Application categories.
- name: sig_id
type: keyword
overwrite: true
description: >
The application's signature ID, by which it was detected.
- name: desc
type: keyword
overwrite: true
description: >
Override application description.
- name: referrer_self_uid
type: keyword
overwrite: true
description: >
UUID of the current log.
- name: referrer_parent_uid
type: keyword
overwrite: true
description: >
Log UUID of the referring application.
- name: needs_browse_time
type: integer
overwrite: true
description: >
Browse time required for the connection.
- name: cluster_info
type: keyword
overwrite: true
description: >
Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.
- name: sync
type: keyword
overwrite: true
description: >
Sync status and the reason (stable, at risk).
- name: file_direction
type: keyword
overwrite: true
description: >
File direction. Possible options: upload/download.
- name: invalid_file_size
type: integer
overwrite: true
description: >
File_size field is valid only if this field is set to 0.
- name: top_archive_file_name
type: keyword
overwrite: true
description: >
In case of archive file: the file that was sent/received.
- name: data_type_name
type: keyword
overwrite: true
description: >
Data type in rulebase that was matched.
- name: specific_data_type_name
type: keyword
overwrite: true
description: >
Compound/Group scenario, data type that was matched.
- name: word_list
type: keyword
overwrite: true
description: >
Words matched by data type.
- name: info
type: keyword
overwrite: true
description: >
Special log message.
- name: outgoing_url
type: keyword
overwrite: true
description: >
URL related to this log (for HTTP).
- name: dlp_rule_name
type: keyword
overwrite: true
description: >
Matched rule name.
- name: dlp_recipients
type: keyword
overwrite: true
description: >
Mail recipients.
- name: dlp_subject
type: keyword
overwrite: true
description: >
Mail subject.
- name: dlp_word_list
type: keyword
overwrite: true
description: >
Phrases matched by data type.
- name: dlp_template_score
type: keyword
overwrite: true
description: >
Template data type match score.
- name: message_size
type: integer
overwrite: true
description: >
Mail/post size.
- name: dlp_incident_uid
type: keyword
overwrite: true
description: >
Unique ID of the matched rule.
- name: dlp_related_incident_uid
type: keyword
overwrite: true
description: >
Other ID related to this one.
- name: dlp_data_type_name
type: keyword
overwrite: true
description: >
Matched data type.
- name: dlp_data_type_uid
type: keyword
overwrite: true
description: >
Unique ID of the matched data type.
- name: dlp_violation_description
type: keyword
overwrite: true
description: >
Violation descriptions described in the rulebase.
- name: dlp_relevant_data_types
type: keyword
overwrite: true
description: >
In case of Compound/Group: the inner data types that were matched.
- name: dlp_action_reason
type: keyword
overwrite: true
description: >
Action chosen reason.
- name: dlp_categories
type: keyword
overwrite: true
description: >
Data type category.
- name: dlp_transint
type: keyword
overwrite: true
description: >
HTTP/SMTP/FTP.
- name: duplicate
type: keyword
overwrite: true
description: >
Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
- name: incident_extension
type: keyword
overwrite: true
description: >
Matched data type.
- name: matched_file
type: keyword
overwrite: true
description: >
Unique ID of the matched data type.
- name: matched_file_text_segments
type: integer
overwrite: true
description: >
Fingerprint: number of text segments matched by this traffic.
- name: matched_file_percentage
type: integer
overwrite: true
description: >
Fingerprint: match percentage of the traffic.
- name: dlp_additional_action
type: keyword
overwrite: true
description: >
Watermark/None.
- name: dlp_watermark_profile
type: keyword
overwrite: true
description: >
Watermark which was applied.
- name: dlp_repository_id
type: keyword
overwrite: true
description: >
ID of scanned repository.
- name: dlp_repository_root_path
type: keyword
overwrite: true
description: >
Repository path.
- name: scan_id
type: keyword
overwrite: true
description: >
Sequential number of scan.
- name: special_properties
type: integer
overwrite: true
description: >
If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
- name: dlp_repository_total_size
type: integer
overwrite: true
description: >
Repository size.
- name: dlp_repository_files_number
type: integer
overwrite: true
description: >
Number of files in repository.
- name: dlp_repository_scanned_files_number
type: integer
overwrite: true
description: >
Number of scanned files in repository.
- name: duration
type: keyword
overwrite: true
description: >
Scan duration.
- name: dlp_fingerprint_long_status
type: keyword
overwrite: true
description: >
Scan status - long format.
- name: dlp_fingerprint_short_status
type: keyword
overwrite: true
description: >
Scan status - short format.
- name: dlp_repository_directories_number
type: integer
overwrite: true
description: >
Number of directories in repository.
- name: dlp_repository_unreachable_directories_number
type: integer
overwrite: true
description: >
Number of directories the Security Gateway was unable to read.
- name: dlp_fingerprint_files_number
type: integer
overwrite: true
description: >
Number of successfully scanned files in repository.
- name: dlp_repository_skipped_files_number
type: integer
overwrite: true
description: >
Number of files skipped because of configuration.
- name: dlp_repository_scanned_directories_number
type: integer
overwrite: true
description: >
Amount of directories scanned.
- name: number_of_errors
type: integer
overwrite: true
description: >
Number of files that were not scanned due to an error.
- name: next_scheduled_scan_date
type: keyword
overwrite: true
description: >
Next scan scheduled time according to time object.
- name: dlp_repository_scanned_total_size
type: integer
overwrite: true
description: >
Size scanned.
- name: dlp_repository_reached_directories_number
type: integer
overwrite: true
description: >
Number of scanned directories in repository.
- name: dlp_repository_not_scanned_directories_percentage
type: integer
overwrite: true
description: >
Percentage of directories the Security Gateway was unable to read.
- name: speed
type: integer
overwrite: true
description: >
Current scan speed.
- name: dlp_repository_scan_progress
type: integer
overwrite: true
description: >
Scan percentage.
- name: sub_policy_name
type: keyword
overwrite: true
description: >
Layer name.
- name: sub_policy_uid
type: keyword
overwrite: true
description: >
Layer uid.
- name: fw_message
type: keyword
overwrite: true
description: >
Used for various firewall errors.
- name: message
type: keyword
overwrite: true
description: >
ISP link has failed.
- name: isp_link
type: keyword
overwrite: true
description: >
Name of ISP link.
- name: fw_subproduct
type: keyword
overwrite: true
description: >
Can be vpn/non vpn.
- name: sctp_error
type: keyword
overwrite: true
description: >
Error information, what caused sctp to fail on out_of_state.
- name: chunk_type
type: keyword
overwrite: true
description: >
Chunk of the sctp stream.
- name: sctp_association_state
type: keyword
overwrite: true
description: >
The bad state you were trying to update to.
- name: tcp_packet_out_of_state
type: keyword
overwrite: true
description: >
State violation.
- name: tcp_flags
type: keyword
overwrite: true
description: >
TCP packet flags (SYN, ACK, etc.).
- name: connectivity_level
type: keyword
overwrite: true
description: >
Log for a new connection in wire mode.
- name: ip_option
type: integer
overwrite: true
description: >
IP option that was dropped.
- name: tcp_state
type: keyword
overwrite: true
description: >
Log reporting a tcp state change.
- name: expire_time
type: keyword
overwrite: true
description: >
Connection closing time.
- name: icmp_type
type: integer
overwrite: true
description: >
In case a connection is ICMP, type info will be added to the log.
- name: icmp_code
type: integer
overwrite: true
description: >
In case a connection is ICMP, code info will be added to the log.
- name: rpc_prog
type: integer
overwrite: true
description: >
Log for new RPC state - prog values.
- name: dce-rpc_interface_uuid
type: keyword
overwrite: true
description: >
Log for new RPC state - UUID values
- name: elapsed
type: keyword
overwrite: true
description: >
Time passed since start time.
- name: icmp
type: keyword
overwrite: true
description: >
Number of packets, received by the client.
- name: capture_uuid
type: keyword
overwrite: true
description: >
UUID generated for the capture. Used when enabling the capture when logging.
- name: diameter_app_ID
type: integer
overwrite: true
description: >
The ID of diameter application.
- name: diameter_cmd_code
type: integer
overwrite: true
description: >
Diameter not allowed application command id.
- name: diameter_msg_type
type: keyword
overwrite: true
description: >
Diameter message type.
- name: cp_message
type: integer
overwrite: true
description: >
Used to log a general message.
- name: log_delay
type: integer
overwrite: true
description: >
Time left before deleting template.
- name: attack_status
type: keyword
overwrite: true
description: >
In case of a malicious event on an endpoint computer, the status of the attack.
- name: impacted_files
type: keyword
overwrite: true
description: >
In case of an infection on an endpoint computer, the list of files that the malware impacted.
- name: remediated_files
type: keyword
overwrite: true
description: >
In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
- name: triggered_by
type: keyword
overwrite: true
description: >
The name of the mechanism that triggered the Software Blade to enforce a protection.
- name: https_inspection_rule_id
type: keyword
overwrite: true
description: >
ID of the matched rule.
- name: https_inspection_rule_name
type: keyword
overwrite: true
description: >
Name of the matched rule.
- name: app_properties
type: keyword
overwrite: true
description: >
List of all found categories.
- name: https_validation
type: keyword
overwrite: true
description: >
Precise error, describing HTTPS inspection failure.
- name: https_inspection_action
type: keyword
overwrite: true
description: >
HTTPS inspection action (Inspect/Bypass/Error).
- name: icap_service_id
type: integer
overwrite: true
description: >
Service ID, can work with multiple servers, treated as services.
- name: icap_server_name
type: keyword
overwrite: true
description: >
Server name.
- name: internal_error
type: keyword
overwrite: true
description: >
Internal error, for troubleshooting
- name: icap_more_info
type: integer
overwrite: true
description: >
Free text for verdict.
- name: reply_status
type: integer
overwrite: true
description: >
ICAP reply status code, e.g. 200 or 204.
- name: icap_server_service
type: keyword
overwrite: true
description: >
Service name, as given in the ICAP URI
- name: mirror_and_decrypt_type
type: keyword
overwrite: true
description: >
Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
- name: interface_name
type: keyword
overwrite: true
description: >
Designated interface for mirror And decrypt.
- name: session_uid
type: keyword
overwrite: true
description: >
HTTP session-id.
- name: broker_publisher
type: ip
overwrite: true
description: >
IP address of the broker publisher who shared the session information.
- name: src_user_dn
type: keyword
overwrite: true
description: >
User distinguished name connected to source IP.
- name: proxy_user_name
type: keyword
overwrite: true
description: >
User name connected to proxy IP.
- name: proxy_machine_name
type: integer
overwrite: true
description: >
Machine name connected to proxy IP.
- name: proxy_user_dn
type: keyword
overwrite: true
description: >
User distinguished name connected to proxy IP.
- name: query
type: keyword
overwrite: true
description: >
DNS query.
- name: dns_query
type: keyword
overwrite: true
description: >
DNS query.
- name: inspection_item
type: keyword
overwrite: true
description: >
Blade element performed inspection.
- name: performance_impact
type: integer
overwrite: true
description: >
Protection performance impact.
- name: inspection_category
type: keyword
overwrite: true
description: >
Inspection category: protocol anomaly, signature etc.
- name: inspection_profile
type: keyword
overwrite: true
description: >
Profile which the activated protection belongs to.
- name: summary
type: keyword
overwrite: true
description: >
Summary message of a non-compliant DNS traffic drops or detects.
- name: question_rdata
type: keyword
overwrite: true
description: >
List of question records domains.
- name: answer_rdata
type: keyword
overwrite: true
description: >
List of answer resource records to the questioned domains.
- name: authority_rdata
type: keyword
overwrite: true
description: >
List of authoritative servers.
- name: additional_rdata
type: keyword
overwrite: true
description: >
List of additional resource records.
- name: files_names
type: keyword
overwrite: true
description: >
List of files requested by FTP.
- name: ftp_user
type: keyword
overwrite: true
description: >
FTP username.
- name: mime_from
type: keyword
overwrite: true
description: >
Sender's address.
- name: mime_to
type: keyword
overwrite: true
description: >
List of receiver address.
- name: bcc
type: keyword
overwrite: true
description: >
List of BCC addresses.
- name: content_type
type: keyword
overwrite: true
description: >
Mail content type. Possible values: application/msword, text/html, image/gif etc.
- name: user_agent
type: keyword
overwrite: true
description: >
String identifying requesting software user agent.
- name: referrer
type: keyword
overwrite: true
description: >
Referrer HTTP request header, previous web page address.
- name: http_location
type: keyword
overwrite: true
description: >
Response header, indicates the URL to redirect a page to.
- name: content_disposition
type: keyword
overwrite: true
description: >
Indicates how the content is expected to be displayed inline in the browser.
- name: via
type: keyword
overwrite: true
description: >
Via header is added by proxies for tracking purposes to avoid sending requests in a loop.
- name: http_server
type: keyword
overwrite: true
description: >
Server HTTP header value, contains information about the software used by the origin server, which handles the request.
- name: content_length
type: keyword
overwrite: true
description: >
Indicates the size of the entity-body of the HTTP header.
- name: authorization
type: keyword
overwrite: true
description: >
Authorization HTTP header value.
- name: http_host
type: keyword
overwrite: true
description: >
Domain name of the server that the HTTP request is sent to.
- name: inspection_settings_log
type: keyword
overwrite: true
description: >
Indicates that the log was released by inspection settings.
- name: cvpn_resource
type: keyword
overwrite: true
description: >
Mobile Access application.
- name: cvpn_category
type: keyword
overwrite: true
description: >
Mobile Access application type.
- name: url
type: keyword
overwrite: true
description: >
Translated URL.
- name: reject_id
type: keyword
overwrite: true
description: >
A reject ID that corresponds to the one presented in the Mobile Access error page.
- name: fs-proto
type: keyword
overwrite: true
description: >
The file share protocol used in the Mobile Access file share application.
- name: app_package
type: keyword
overwrite: true
description: >
Unique identifier of the application on the protected mobile device.
- name: appi_name
type: keyword
overwrite: true
description: >
Name of application downloaded on the protected mobile device.
- name: app_repackaged
type: keyword
overwrite: true
description: >
Indicates whether the application was repackaged by someone other than the official developer.
- name: app_sid_id
type: keyword
overwrite: true
description: >
Unique SHA identifier of a mobile application.
- name: app_version
type: keyword
overwrite: true
description: >
Version of the application downloaded on the protected mobile device.
- name: developer_certificate_name
type: keyword
overwrite: true
description: >
Name of the developer's certificate that was used to sign the mobile application.
- name: email_control
type: keyword
overwrite: true
description: >
Engine name.
- name: email_message_id
type: keyword
overwrite: true
description: >
Email session ID (unique ID of the mail).
- name: email_queue_id
type: keyword
overwrite: true
description: >
Postfix email queue id.
- name: email_queue_name
type: keyword
overwrite: true
description: >
Postfix email queue name.
- name: file_name
type: keyword
overwrite: true
description: >
Malicious file name.
- name: failure_reason
type: keyword
overwrite: true
description: >
MTA failure description.
- name: email_headers
type: keyword
overwrite: true
description: >
String containing all the email headers.
- name: arrival_time
type: keyword
overwrite: true
description: >
Email arrival timestamp.
- name: email_status
type: keyword
overwrite: true
description: >
Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
- name: status_update
type: keyword
overwrite: true
description: >
Last time log was updated.
- name: delivery_time
type: keyword
overwrite: true
description: >
Timestamp of when the email was delivered (MTA finished handling the email).
- name: links_num
type: integer
overwrite: true
description: >
Number of links in the mail.
- name: attachments_num
type: integer
overwrite: true
description: >
Number of attachments in the mail.
- name: email_content
type: keyword
overwrite: true
description: >
Mail contents. Possible values: attachments, links & attachments, links, text only.
- name: allocated_ports
type: integer
overwrite: true
description: >
Amount of allocated ports.
- name: capacity
type: integer
overwrite: true
description: >
Capacity of the ports.
- name: ports_usage
type: integer
overwrite: true
description: >
Percentage of allocated ports.
- name: nat_exhausted_pool
type: keyword
overwrite: true
description: >
4-tuple of an exhausted pool.
- name: nat_rulenum
type: integer
overwrite: true
description: >
NAT rulebase first matched rule.
- name: nat_addtnl_rulenum
type: integer
overwrite: true
description: >
When 2 automatic rules match, the second matched rule is shown; otherwise the field is 0.
- name: message_info
type: keyword
overwrite: true
description: >
Used for information messages, for example: NAT connection has ended.
- name: nat46
type: keyword
overwrite: true
description: >
NAT 46 status, in most cases "enabled".
- name: end_time
type: keyword
overwrite: true
description: >
TCP connection end time.
- name: tcp_end_reason
type: keyword
overwrite: true
description: >
Reason for TCP connection closure.
- name: cgnet
type: keyword
overwrite: true
description: >
Describes NAT allocation for specific subscriber.
- name: subscriber
type: ip
overwrite: true
description: >
Source IP before CGNAT.
- name: hide_ip
type: ip
overwrite: true
description: >
Source IP which will be used after CGNAT.
- name: int_start
type: integer
overwrite: true
description: >
Subscriber start int which will be used for NAT.
- name: int_end
type: integer
overwrite: true
description: >
Subscriber end int which will be used for NAT.
- name: packet_amount
type: integer
overwrite: true
description: >
Amount of packets dropped.
- name: monitor_reason
type: keyword
overwrite: true
description: >
Aggregated logs of monitored packets.
- name: drops_amount
type: integer
overwrite: true
description: >
Amount of multicast packets dropped.
- name: securexl_message
type: keyword
overwrite: true
description: >
Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
- name: conns_amount
type: integer
overwrite: true
description: >
Connections amount of aggregated log info.
- name: scope
type: keyword
overwrite: true
description: >
IP related to the attack.
- name: analyzed_on
type: keyword
overwrite: true
description: >
Check Point ThreatCloud / emulator name.
- name: detected_on
type: keyword
overwrite: true
description: >
System and applications version the file was emulated on.
- name: dropped_file_name
type: keyword
overwrite: true
description: >
List of names dropped from the original file.
- name: dropped_file_type
type: keyword
overwrite: true
description: >
List of file types dropped from the original file.
- name: dropped_file_hash
type: keyword
overwrite: true
description: >
List of file hashes dropped from the original file.
- name: dropped_file_verdict
type: keyword
overwrite: true
description: >
List of verdicts for files dropped from the original file.
- name: emulated_on
type: keyword
overwrite: true
description: >
Images the files were emulated on.
- name: extracted_file_type
type: keyword
overwrite: true
description: >
Types of extracted files in case of an archive.
- name: extracted_file_names
type: keyword
overwrite: true
description: >
Names of extracted files in case of an archive.
- name: extracted_file_hash
type: keyword
overwrite: true
description: >
Archive hash in case of extracted files.
- name: extracted_file_verdict
type: keyword
overwrite: true
description: >
Verdict of extracted files in case of an archive.
- name: extracted_file_uid
type: keyword
overwrite: true
description: >
UID of extracted files in case of an archive.
- name: mitre_initial_access
type: keyword
overwrite: true
description: >
The adversary is trying to break into your network.
- name: mitre_execution
type: keyword
overwrite: true
description: >
The adversary is trying to run malicious code.
- name: mitre_persistence
type: keyword
overwrite: true
description: >
The adversary is trying to maintain their foothold.
- name: mitre_privilege_escalation
type: keyword
overwrite: true
description: >
The adversary is trying to gain higher-level permissions.
- name: mitre_defense_evasion
type: keyword
overwrite: true
description: >
The adversary is trying to avoid being detected.
- name: mitre_credential_access
type: keyword
overwrite: true
description: >
The adversary is trying to steal account names and passwords.
- name: mitre_discovery
type: keyword
overwrite: true
description: >
The adversary is trying to expose information about your environment.
- name: mitre_lateral_movement
type: keyword
overwrite: true
description: >
The adversary is trying to move through your environment.
- name: mitre_collection
type: keyword
overwrite: true
description: >
The adversary is trying to collect data of interest to achieve their goal.
- name: mitre_command_and_control
type: keyword
overwrite: true
description: >
The adversary is trying to communicate with compromised systems in order to control them.
- name: mitre_exfiltration
type: keyword
overwrite: true
description: >
The adversary is trying to steal data.
- name: mitre_impact
type: keyword
overwrite: true
description: >
The adversary is trying to manipulate, interrupt, or destroy your systems and data.
- name: parent_file_hash
type: keyword
overwrite: true
description: >
Archive's hash in case of extracted files.
- name: parent_file_name
type: keyword
overwrite: true
description: >
Archive's name in case of extracted files.
- name: parent_file_uid
type: keyword
overwrite: true
description: >
Archive's UID in case of extracted files.
- name: similiar_iocs
type: keyword
overwrite: true
description: >
Other IoCs similar to the ones found, related to the malicious file.
- name: similar_hashes
type: keyword
overwrite: true
description: >
Hashes found similar to the malicious file.
- name: similar_strings
type: keyword
overwrite: true
description: >
Strings found similar to the malicious file.
- name: similar_communication
type: keyword
overwrite: true
description: >
Network action found similar to the malicious file.
- name: te_verdict_determined_by
type: keyword
overwrite: true
description: >
Emulators that determined the file verdict.
- name: packet_capture_unique_id
type: keyword
overwrite: true
description: >
Identifier of the packet capture files.
- name: total_attachments
type: integer
overwrite: true
description: >
The number of attachments in an email.
- name: additional_info
type: keyword
overwrite: true
description: >
ID of the original file/mail that was sent by the admin.
- name: content_risk
type: integer
overwrite: true
description: >
File risk.
- name: operation
type: keyword
overwrite: true
description: >
Operation made by Threat Extraction.
- name: scrubbed_content
type: keyword
overwrite: true
description: >
Active content that was found.
- name: scrub_time
type: keyword
overwrite: true
description: >
Extraction process duration.
- name: scrub_download_time
type: keyword
overwrite: true
description: >
File download time from resource.
- name: scrub_total_time
type: keyword
overwrite: true
description: >
Threat extraction total file handling time.
- name: scrub_activity
type: keyword
overwrite: true
description: >
The result of the extraction.
- name: watermark
type: keyword
overwrite: true
description: >
Reports whether watermark is added to the cleaned file.
- name: snid
type: keyword
description: >
The Check Point session ID.
- name: source_object
type: keyword
overwrite: true
description: >
Matched object name on source column.
- name: destination_object
type: keyword
overwrite: true
description: >
Matched object name on destination column.
- name: drop_reason
type: keyword
overwrite: true
description: >
Drop reason description.
- name: hit
type: integer
overwrite: true
description: >
Number of hits on a rule.
- name: rulebase_id
type: integer
overwrite: true
description: >
Layer number.
- name: first_hit_time
type: integer
overwrite: true
description: >
First hit time in current interval.
- name: last_hit_time
type: integer
overwrite: true
description: >
Last hit time in current interval.
- name: rematch_info
type: keyword
overwrite: true
description: >
Information sent when old connections cannot be matched during policy installation.
- name: last_rematch_time
type: keyword
overwrite: true
description: >
Connection rematched time.
- name: action_reason
type: integer
overwrite: true
description: >
Connection drop reason.
- name: action_reason_msg
type: keyword
overwrite: true
description: >
Connection drop reason message.
- name: c_bytes
type: integer
overwrite: true
description: >
Boolean value indicating whether bytes sent from the client side are used.
- name: context_num
type: integer
overwrite: true
description: >
Serial number of the log for a specific connection.
- name: match_id
type: integer
overwrite: true
description: >
Private key of the rule.
- name: alert
type: keyword
overwrite: true
description: >
Alert level of matched rule (for connection logs).
- name: parent_rule
type: integer
overwrite: true
description: >
Parent rule number, in case of inline layer.
- name: match_fk
type: integer
overwrite: true
description: >
Rule number.
- name: dropped_outgoing
type: integer
overwrite: true
description: >
Number of outgoing bytes dropped when using UP-limit feature.
- name: dropped_incoming
type: integer
overwrite: true
description: >
Number of incoming bytes dropped when using UP-limit feature.
- name: media_type
type: keyword
overwrite: true
description: >
Media used (audio, video, etc.)
- name: sip_reason
type: keyword
overwrite: true
description: >
Explains why 'source_ip' isn't allowed to redirect (handover).
- name: voip_method
type: keyword
overwrite: true
description: >
Registration request.
- name: registered_ip-phones
type: keyword
overwrite: true
description: >
Registered IP-Phones.
- name: voip_reg_user_type
type: keyword
overwrite: true
description: >
Registered IP-Phone type.
- name: voip_call_id
type: keyword
overwrite: true
description: >
Call-ID.
- name: voip_reg_int
type: integer
overwrite: true
description: >
Registration port.
- name: voip_reg_ipp
type: integer
overwrite: true
description: >
Registration IP protocol.
- name: voip_reg_period
type: integer
overwrite: true
description: >
Registration period.
- name: voip_log_type
type: keyword
overwrite: true
description: >
VoIP log types. Possible values: reject, call, registration.
- name: src_phone_number
type: keyword
overwrite: true
description: >
Source IP-Phone.
- name: voip_from_user_type
type: keyword
overwrite: true
description: >
Source IP-Phone type.
- name: dst_phone_number
type: keyword
overwrite: true
description: >
Destination IP-Phone.
- name: voip_to_user_type
type: keyword
overwrite: true
description: >
Destination IP-Phone type.
- name: voip_call_dir
type: keyword
overwrite: true
description: >
Call direction: in/out.
- name: voip_call_state
type: keyword
overwrite: true
description: >
Call state. Possible values: in/out.
- name: voip_call_term_time
type: keyword
overwrite: true
description: >
Call termination time stamp.
- name: voip_duration
type: keyword
overwrite: true
description: >
Call duration (seconds).
- name: voip_media_port
type: keyword
overwrite: true
description: >
Media port.
- name: voip_media_ipp
type: keyword
overwrite: true
description: >
Media IP protocol.
- name: voip_est_codec
type: keyword
overwrite: true
description: >
Estimated codec.
- name: voip_exp
type: integer
overwrite: true
description: >
Expiration.
- name: voip_attach_sz
type: integer
overwrite: true
description: >
Attachment size.
- name: voip_attach_action_info
type: keyword
overwrite: true
description: >
Attachment action Info.
- name: voip_media_codec
type: keyword
overwrite: true
description: >
Estimated codec.
- name: voip_reject_reason
type: keyword
overwrite: true
description: >
Reject reason.
- name: voip_reason_info
type: keyword
overwrite: true
description: >
Information.
- name: voip_config
type: keyword
overwrite: true
description: >
Configuration.
- name: voip_reg_server
type: ip
overwrite: true
description: >
Registrar server IP address.
- name: scv_user
type: keyword
overwrite: true
description: >
Username whose packets are dropped on SCV.
- name: scv_message_info
type: keyword
overwrite: true
description: >
Drop reason.
- name: ppp
type: keyword
overwrite: true
description: >
Authentication status.
- name: scheme
type: keyword
overwrite: true
description: >
Describes the scheme used for the log.
- name: auth_method
type: keyword
overwrite: true
description: >
Password authentication protocol used (PAP or EAP).
- name: auth_status
type: keyword
description: >
The authentication status for an event.
- name: machine
type: keyword
overwrite: true
description: >
L2TP machine that triggered the log and that the log refers to.
- name: vpn_feature_name
type: keyword
overwrite: true
description: >
L2TP /IKE / Link Selection.
- name: reject_category
type: keyword
overwrite: true
description: >
Authentication failure reason.
- name: peer_ip_probing_status_update
type: keyword
overwrite: true
description: >
IP address response status.
- name: peer_ip
type: keyword
overwrite: true
description: >
IP address which the client connects to.
- name: peer_gateway
type: ip
overwrite: true
description: >
Main IP of the peer Security Gateway.
- name: link_probing_status_update
type: keyword
overwrite: true
description: >
IP address response status.
- name: source_interface
type: keyword
overwrite: true
description: >
External Interface name for source interface or Null if not found.
- name: next_hop_ip
type: keyword
overwrite: true
description: >
Next hop IP address.
- name: srckeyid
type: keyword
overwrite: true
description: >
Initiator SPI ID.
- name: dstkeyid
type: keyword
overwrite: true
description: >
Responder SPI ID.
- name: encryption_failure
type: keyword
overwrite: true
description: >
Message indicating why the encryption failed.
- name: ike_ids
type: keyword
overwrite: true
description: >
All QM ids.
- name: community
type: keyword
overwrite: true
description: >
Community name for the IPSec key and the use of the IKEv.
- name: ike
type: keyword
overwrite: true
description: >
IKEMode (PHASE1, PHASE2, etc..).
- name: cookieI
type: keyword
overwrite: true
description: >
Initiator cookie.
- name: cookieR
type: keyword
overwrite: true
description: >
Responder cookie.
- name: msgid
type: keyword
overwrite: true
description: >
Message ID.
- name: methods
type: keyword
overwrite: true
description: >
IPsec methods.
- name: connection_uid
type: keyword
overwrite: true
description: >
UID computed as the MD5 of the IP address and the user name.
- name: site_name
type: keyword
overwrite: true
description: >
Site name.
- name: esod_rule_name
type: keyword
overwrite: true
description: >
Unknown rule name.
- name: esod_rule_action
type: keyword
overwrite: true
description: >
Unknown rule action.
- name: esod_rule_type
type: keyword
overwrite: true
description: >
Unknown rule type.
- name: esod_noncompliance_reason
type: keyword
overwrite: true
description: >
Non-compliance reason.
- name: esod_associated_policies
type: keyword
overwrite: true
description: >
Associated policies.
- name: spyware_name
type: keyword
overwrite: true
description: >
Spyware name.
- name: spyware_type
type: keyword
overwrite: true
description: >
Spyware type.
- name: anti_virus_type
type: keyword
overwrite: true
description: >
Anti virus type.
- name: end_user_firewall_type
type: keyword
overwrite: true
description: >
End user firewall type.
- name: esod_scan_status
type: keyword
overwrite: true
description: >
Scan failed.
- name: esod_access_status
type: keyword
overwrite: true
description: >
Access denied.
- name: client_type
type: keyword
overwrite: true
description: >
Endpoint Connect.
- name: precise_error
type: keyword
overwrite: true
description: >
HTTP parser error.
- name: method
type: keyword
overwrite: true
description: >
HTTP method.
- name: trusted_domain
type: keyword
overwrite: true
description: >
In case of phishing event, the domain, which the attacker was impersonating.
- name: comment
type: keyword
- name: conn_direction
type: keyword
description: Connection direction
- name: db_ver
type: keyword
description: Database version
- name: update_status
type: keyword
overwrite: true
description: Status of database update
- key: cisco
title: Cisco
description: >
Module for handling Cisco network device logs.
fields:
- name: cisco.amp
type: group
release: beta
description: >
Module for parsing Cisco AMP logs.
fields:
- name: timestamp_nanoseconds
type: date
description: >
The timestamp in Epoch nanoseconds.
- name: event_type_id
type: keyword
description: >
A sub ID of the event, depending on event type.
- name: detection
type: keyword
description: >
The name of the malware detected.
- name: detection_id
type: keyword
description: >
The ID of the detection.
- name: connector_guid
type: keyword
description: >
The GUID of the connector sending information to AMP.
- name: group_guids
type: keyword
description: >
An array of group GUIDS related to the connector sending information to AMP.
- name: vulnerabilities
type: flattened
description: >
An array of related vulnerabilities to the malicious event.
- name: scan.description
type: keyword
description: >
Description of an event related to a scan being initiated, for example the specific directory name.
- name: scan.clean
type: boolean
description: >
Boolean value if a scanned file was clean or not.
- name: scan.scanned_files
type: long
description: >
Count of files scanned in a directory.
- name: scan.scanned_processes
type: long
description: >
Count of processes scanned related to a single scan event.
- name: scan.scanned_paths
type: long
description: >
Count of different directories scanned related to a single scan event.
- name: scan.malicious_detections
type: long
description: >
Count of malicious files or documents detected related to a single scan event.
- name: computer.connector_guid
type: keyword
description: >
The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.
- name: computer.external_ip
type: ip
description: >
The external IP of the related host.
- name: computer.active
type: boolean
description: >
If the current endpoint is active or not.
- name: computer.network_addresses
type: flattened
description: >
All network interface information on the related host.
- name: file.disposition
type: keyword
description: >
Categorization of file, for example "Malicious" or "Clean".
- name: network_info.disposition
type: keyword
description: >
Categorization of a network event related to a file, for example "Malicious" or "Clean".
- name: network_info.nfm.direction
type: keyword
description: >
The current direction based on source and destination IP.
- name: related.mac
type: keyword
description: >
An array of all related MAC addresses.
- name: related.cve
type: keyword
description: >
An array of all related CVE identifiers.
- name: cloud_ioc.description
type: keyword
description: >
Description of the related IOC for specific IOC events from AMP.
- name: cloud_ioc.short_description
type: keyword
description: >
Short description of the related IOC for specific IOC events from AMP.
- name: network_info.parent.disposition
type: keyword
description: >
Categorization of an IOC, for example "Malicious" or "Clean".
- name: network_info.parent.identity.md5
type: keyword
description: >
MD5 hash of the related IOC.
- name: network_info.parent.identity.sha1
type: keyword
description: >
SHA1 hash of the related IOC.
- name: network_info.parent.identify.sha256
type: keyword
description: >
SHA256 hash of the related IOC.
- name: file.archived_file.disposition
type: keyword
description: >
Categorization of a file archive related to a file, for example "Malicious" or "Clean".
- name: file.archived_file.identity.md5
type: keyword
description: >
MD5 hash of the archived file related to the malicious event.
- name: file.archived_file.identity.sha1
type: keyword
description: >
SHA1 hash of the archived file related to the malicious event.
- name: file.archived_file.identity.sha256
type: keyword
description: >
SHA256 hash of the archived file related to the malicious event.
- name: file.attack_details.application
type: keyword
description: >
The application name related to Exploit Prevention events.
- name: file.attack_details.attacked_module
type: keyword
description: >
Path to the executable or dll that was attacked and detected by Exploit Prevention.
- name: file.attack_details.base_address
type: keyword
description: >
The base memory address related to the exploit detected.
- name: file.attack_details.suspicious_files
type: keyword
description: >
An array of related files when an attack is detected by Exploit Prevention.
- name: file.parent.disposition
type: keyword
description: >
Categorization of the parent, for example "Malicious" or "Clean".
- name: error.description
type: keyword
description: >
Description of an endpoint error event.
- name: error.error_code
type: keyword
description: >
The error code describing the related error event.
- name: threat_hunting.severity
type: keyword
description: >
Severity result of the threat hunt registered to the malicious event. Ranges from Low to Critical.
- name: threat_hunting.incident_report_guid
type: keyword
description: >
The GUID of the related threat hunting report.
- name: threat_hunting.incident_hunt_guid
type: keyword
description: >
The GUID of the related investigation tracking issue.
- name: threat_hunting.incident_title
type: keyword
description: >
Title of the incident related to the threat hunting activity.
- name: threat_hunting.incident_summary
type: keyword
description: >
Summary of the outcome on the threat hunting activity.
- name: threat_hunting.incident_remediation
type: keyword
description: >
Recommendations to resolve the vulnerability or exploited host.
- name: threat_hunting.incident_id
type: keyword
description: >
The id of the related incident for the threat hunting activity.
- name: threat_hunting.incident_end_time
type: date
description: >
When the threat hunt finalized or closed.
- name: threat_hunting.incident_start_time
type: date
description: >
When the threat hunt was initiated.
- name: file.attack_details.indicators
type: flattened
description: >
Different indicator types that match the exploit detected, for example different MITRE tactics.
- name: threat_hunting.tactics
type: flattened
description: >
List of all MITRE tactics related to the incident found.
- name: threat_hunting.techniques
type: flattened
description: >
List of all MITRE techniques related to the incident found.
- name: tactics
type: flattened
description: >
List of all MITRE tactics related to the incident found.
- name: mitre_tactics
type: keyword
description: >
Array of all related MITRE tactic IDs.
- name: techniques
type: flattened
description: >
List of all MITRE techniques related to the incident found.
- name: mitre_techniques
type: keyword
description: >
Array of all related MITRE technique IDs.
- name: command_line.arguments
type: keyword
description: >
The CLI arguments related to the Cloud Threat IOC reported by Cisco.
- name: bp_data
type: flattened
description: >
Endpoint isolation information
- name: cisco.asa
type: group
description: >
Fields for Cisco ASA Firewall.
fields:
- name: message_id
type: keyword
description: >
The Cisco ASA message identifier.
- name: suffix
type: keyword
example: session
description: >
Optional suffix after %ASA identifier.
- name: source_interface
type: keyword
description: >
Source interface for the flow or event.
- name: destination_interface
type: keyword
description: >
Destination interface for the flow or event.
- name: rule_name
type: keyword
description: >
Name of the Access Control List rule that matched this event.
- name: source_username
type: keyword
description: >
Name of the user that is the source for this event.
- name: source_user_security_group_tag
type: long
description: >
The Security Group Tag for the source user. Security Group Tags are 16-bit identifiers used to represent a logical group's privilege.
- name: destination_username
type: keyword
description: >
Name of the user that is the destination for this event.
- name: destination_user_security_group_tag
type: long
description: >
The Security Group Tag for the destination user. Security Group Tags are 16-bit identifiers used to represent a logical group's privilege.
- name: mapped_source_ip
type: ip
description: >
The translated source IP address.
- name: mapped_source_host
type: keyword
description: >
The translated source host.
- name: mapped_source_port
type: long
description: >
The translated source port.
- name: mapped_destination_ip
type: ip
description: >
The translated destination IP address.
- name: mapped_destination_host
type: keyword
description: >
The translated destination host.
- name: mapped_destination_port
type: long
description: >
The translated destination port.
- name: threat_level
type: keyword
description: >
Threat level for malware / botnet traffic. One of very-low, low,
moderate, high or very-high.
- name: threat_category
type: keyword
description: >
Category for the malware / botnet traffic. For example: virus, botnet,
trojan, etc.
- name: connection_id
type: keyword
description: >
Unique identifier for a flow.
- name: icmp_type
type: short
description: >
ICMP type.
- name: icmp_code
type: short
description: >
ICMP code.
- name: connection_type
type: keyword
description: >
The VPN connection type
- name: dap_records
type: keyword
description: >
The assigned DAP records
- name: command_line_arguments
type: keyword
description: >
The command line arguments logged by the local audit log
- name: assigned_ip
type: ip
description: >
The IP address assigned to a VPN client successfully connecting
- name: privilege.old
type: keyword
description: >
When a user's privilege is changed, this is the old value.
- name: privilege.new
type: keyword
description: >
When a user's privilege is changed, this is the new value.
- name: burst.object
type: keyword
description: >
The related object for burst warnings
- name: burst.id
type: keyword
description: >
The related rate ID for burst warnings
- name: burst.current_rate
type: keyword
description: >
The current burst rate seen
- name: burst.configured_rate
type: keyword
description: >
The current configured burst rate
- name: burst.avg_rate
type: keyword
description: >
The current average burst rate seen
- name: burst.configured_avg_rate
type: keyword
description: >
The current configured average burst rate allowed
- name: burst.cumulative_count
type: keyword
description: >
The total count of burst rate hits since the object was created or cleared
- name: termination_user
type: keyword
description: >
AAA name of user requesting termination
- name: webvpn.group_name
type: keyword
description: >
The WebVPN group name the user belongs to
- name: termination_initiator
type: keyword
description: >
Interface name of the side that initiated the teardown
- name: tunnel_type
type: keyword
description: >
SA type (remote access or L2L)
- name: session_type
type: keyword
description: >
Session type (for example, IPsec or UDP)
- name: cisco.ftd
type: group
description: >
Fields for Cisco Firepower Threat Defense Firewall.
fields:
- name: message_id
type: keyword
description: >
The Cisco FTD message identifier.
- name: suffix
type: keyword
example: session
description: >
Optional suffix after %FTD identifier.
- name: source_interface
type: keyword
description: >
Source interface for the flow or event.
- name: destination_interface
type: keyword
description: >
Destination interface for the flow or event.
- name: rule_name
type: keyword
description: >
Name of the Access Control List rule that matched this event.
- name: source_username
type: keyword
description: >
Name of the user that is the source for this event.
- name: destination_username
type: keyword
description: >
Name of the user that is the destination for this event.
- name: mapped_source_ip
type: ip
description: >
The translated source IP address. Use ECS source.nat.ip.
- name: mapped_source_host
type: keyword
description: >
The translated source host.
- name: mapped_source_port
type: long
description: >
The translated source port. Use ECS source.nat.port.
- name: mapped_destination_ip
type: ip
description: >
The translated destination IP address. Use ECS destination.nat.ip.
- name: mapped_destination_host
type: keyword
description: >
The translated destination host.
- name: mapped_destination_port
type: long
description: >
The translated destination port. Use ECS destination.nat.port.
- name: threat_level
type: keyword
description: >
Threat level for malware / botnet traffic. One of very-low, low,
moderate, high or very-high.
- name: threat_category
type: keyword
description: >
Category for the malware / botnet traffic. For example: virus, botnet,
trojan, etc.
- name: connection_id
type: keyword
description: >
Unique identifier for a flow.
- name: icmp_type
type: short
description: >
ICMP type.
- name: icmp_code
type: short
description: >
ICMP code.
- name: security
type: object
description: >
Raw fields for Security Events.
- name: connection_type
type: keyword
description: >
The VPN connection type
- name: dap_records
type: keyword
description: >
The assigned DAP records
- name: termination_user
type: keyword
description: >
AAA name of user requesting termination
- name: webvpn.group_name
type: keyword
description: >
The WebVPN group name the user belongs to
- name: termination_initiator
type: keyword
description: >
Interface name of the side that initiated the teardown
- name: cisco.ios
type: group
description: >
Fields for Cisco IOS logs.
fields:
- name: access_list
type: keyword
description: >
Name of the IP access list.
- name: facility
type: keyword
example: SEC
description: >
The facility to which the message refers (for example, SNMP, SYS, and so
forth). A facility can be a hardware device, a protocol, or a module of
the system software. It denotes the source or the cause of the system
message.
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. This key should
never be used to parse metadata from a session (logs/packets) directly; this
is a reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any
hostname that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet Type; used for Layer 3
protocols only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only; this is used predominantly in Healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only; this is used predominantly in Healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only; this is used predominantly in
Healthcare to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only; it is used predominantly in Healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
request is simply which byte for each side (0 through 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
response is simply which byte for each side (0 through 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture the name of the Device associated with the
node, like a physical disk, printer, etc.'
- name: param
overwrite: true
type: keyword
description: This key holds the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture a list name or list number, primarily for
collecting access-lists
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rule name) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target. VMware-only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse metadata from a session (Logs/Packets) directly; this
is a reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet Type. Used for Layer 3 protocols
only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (Ex: Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (Ex: Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (Ex: User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (Ex: Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only; this is used predominantly in Healthcare
to capture patients' information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only; this is used predominantly in Healthcare
to capture patients' information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only; this is used predominantly in Healthcare
to capture patients' information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the Company name of a file as found in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: cisco.umbrella
type: group
description: >
Fields for Cisco Umbrella.
fields:
- name: identities
type: keyword
description: >
An array of the different identities related to the event.
- name: categories
type: keyword
description: >
The security or content categories that the destination matches.
- name: policy_identity_type
type: keyword
description: >
The first identity type matched with this request. Available in version 3 and above.
- name: identity_types
type: keyword
description: >
The type of identity that made the request. For example, Roaming Computer or Network.
- name: blocked_categories
type: keyword
description: >
The categories that resulted in the destination being blocked. Available in version 4 and above.
- name: content_type
type: keyword
description: >
The type of web content, typically text/html.
- name: sha_sha256
type: keyword
description: >
Hex digest of the response content.
- name: av_detections
type: keyword
description: >
The detection name according to the antivirus engine used in file inspection.
- name: puas
type: keyword
description: >
A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
- name: amp_disposition
type: keyword
description: >
The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
- name: amp_malware_name
type: keyword
description: >
If Malicious, the name of the malware according to AMP.
- name: amp_score
type: keyword
description: >
The score of the malware from AMP. This field is not currently used and will be blank.
- name: datacenter
type: keyword
description: >
The name of the Umbrella Data Center that processed the user-generated traffic.
- name: origin_id
type: keyword
description: >
The unique identity of the network tunnel.
- key: coredns
title: Coredns
description: >
Module for handling logs produced by coredns
fields:
- name: coredns
type: group
description: >
coredns fields after normalization
fields:
- name: query.size
type: integer
format: bytes
description: >
size of the DNS query
- name: response.size
type: integer
format: bytes
description: >
size of the DNS response
- key: crowdstrike
title: "Crowdstrike"
release: beta
description: >
Module for collecting Crowdstrike events.
fields:
- name: crowdstrike
type: group
description: >
Fields for Crowdstrike Falcon event and alert data.
fields:
- name: metadata
title: Metadata fields
description: >
Meta data fields for each event that include type and timestamp.
type: group
fields:
- name: eventType
type: keyword
description: >
DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent
- name: eventCreationTime
type: date
description: >
The time this event occurred on the endpoint in UTC UNIX_MS format.
- name: offset
type: integer
description: >
Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
- name: customerIDString
type: keyword
description: >
Customer identifier
- name: version
type: keyword
description: >
Schema version
- name: event
title: Event fields
description: >
Event data fields for each event and alert.
type: group
fields:
- name: ProcessStartTime
type: date
description: >
The process start time in UTC UNIX_MS format.
- name: ProcessEndTime
type: date
description: >
The process termination time in UTC UNIX_MS format.
- name: ProcessId
type: integer
description: >
Process ID related to the detection.
- name: ParentProcessId
type: integer
description: >
Parent process ID related to the detection.
- name: ComputerName
type: keyword
description: >
Name of the computer where the detection occurred.
- name: UserName
type: keyword
description: >
User name associated with the detection.
- name: DetectName
type: keyword
description: >
Name of the detection.
- name: DetectDescription
type: keyword
description: >
Description of the detection.
- name: Severity
type: integer
description: >
Severity score of the detection.
- name: SeverityName
type: keyword
description: >
Severity score text.
- name: FileName
type: keyword
description: >
File name of the associated process for the detection.
- name: FilePath
type: keyword
description: >
Path of the executable associated with the detection.
- name: CommandLine
type: keyword
description: >
Executable path with command line arguments.
- name: SHA1String
type: keyword
description: >
SHA1 sum of the executable associated with the detection.
- name: SHA256String
type: keyword
description: >
SHA256 sum of the executable associated with the detection.
- name: MD5String
type: keyword
description: >
MD5 sum of the executable associated with the detection.
- name: MachineDomain
type: keyword
description: >
Domain for the machine associated with the detection.
- name: FalconHostLink
type: keyword
description: >
URL to view the detection in Falcon.
- name: SensorId
type: keyword
description: >
Unique ID associated with the Falcon sensor.
- name: DetectId
type: keyword
description: >
Unique ID associated with the detection.
- name: LocalIP
type: keyword
description: >
IP address of the host associated with the detection.
- name: MACAddress
type: keyword
description: >
MAC address of the host associated with the detection.
- name: Tactic
type: keyword
description: >
MITRE tactic category of the detection.
- name: Technique
type: keyword
description: >
MITRE technique category of the detection.
- name: Objective
type: keyword
description: >
Method of detection.
- name: PatternDispositionDescription
type: keyword
description: >
Action taken by Falcon.
- name: PatternDispositionValue
type: integer
description: >
Unique ID associated with action taken.
- name: PatternDispositionFlags
type: object
description: >
Flags indicating actions taken.
- name: State
type: keyword
description: >
Whether the incident summary is open and ongoing or closed.
- name: IncidentStartTime
type: date
description: >
Start time for the incident in UTC UNIX format.
- name: IncidentEndTime
type: date
description: >
End time for the incident in UTC UNIX format.
- name: FineScore
type: float
description: >
Score for incident.
- name: UserId
type: keyword
description: >
Email address or user ID associated with the event.
- name: UserIp
type: keyword
description: >
IP address associated with the user.
- name: OperationName
type: keyword
description: >
Event subtype.
- name: ServiceName
type: keyword
description: >
Service associated with this event.
- name: Success
type: boolean
description: >
Indicator of whether or not this event was successful.
- name: UTCTimestamp
type: date
description: >
Timestamp associated with this event in UTC UNIX format.
- name: AuditKeyValues
type: nested
description: >
Fields that were changed in this event.
- name: ExecutablesWritten
type: nested
description: >
Detected executables written to disk by a process.
- name: SessionId
type: keyword
description: >
Session ID of the remote response session.
- name: HostnameField
type: keyword
description: >
Host name of the machine for the remote session.
- name: StartTimestamp
type: date
description: >
Start time for the remote session in UTC UNIX format.
- name: EndTimestamp
type: date
description: >
End time for the remote session in UTC UNIX format.
- name: LateralMovement
type: long
description: >
Lateral movement field for incident.
- name: ParentImageFileName
type: keyword
description: >
Path to the parent process.
- name: ParentCommandLine
type: keyword
description: >
Parent process command line arguments.
- name: GrandparentImageFileName
type: keyword
description: >
Path to the grandparent process.
- name: GrandparentCommandLine
type: keyword
description: >
Grandparent process command line arguments.
- name: IOCType
type: keyword
description: >
CrowdStrike type for indicator of compromise.
- name: IOCValue
type: keyword
description: >
CrowdStrike value for indicator of compromise.
# FirewallMatchEvent
- name: CustomerId
type: keyword
description: >
Customer identifier.
- name: DeviceId
type: keyword
description: >
Device on which the event occurred.
- name: Ipv
type: keyword
description: >
Protocol for network request.
- name: ConnectionDirection
type: keyword
description: >
Direction for network connection.
- name: EventType
type: keyword
description: >
CrowdStrike provided event type.
- name: HostName
type: keyword
description: >
Host name of the local machine.
- name: ICMPCode
type: keyword
description: >
RFC2780 ICMP Code field.
- name: ICMPType
type: keyword
description: >
RFC2780 ICMP Type field.
- name: ImageFileName
type: keyword
description: >
File name of the associated process for the detection.
- name: PID
type: long
description: >
Associated process id for the detection.
- name: LocalAddress
type: ip
description: >
IP address of local machine.
- name: LocalPort
type: long
description: >
Port of local machine.
- name: RemoteAddress
type: ip
description: >
IP address of remote machine.
- name: RemotePort
type: long
description: >
Port of remote machine.
- name: RuleAction
type: keyword
description: >
Firewall rule action.
- name: RuleDescription
type: keyword
description: >
Firewall rule description.
- name: RuleFamilyID
type: keyword
description: >
Firewall rule family id.
- name: RuleGroupName
type: keyword
description: >
Firewall rule group name.
- name: RuleName
type: keyword
description: >
Firewall rule name.
- name: RuleId
type: keyword
description: >
Firewall rule id.
- name: MatchCount
type: long
description: >
Number of firewall rule matches.
- name: MatchCountSinceLastReport
type: long
description: >
Number of firewall rule matches since the last report.
- name: Timestamp
type: date
description: >
Firewall rule triggered timestamp.
# Not entirely sure about the descriptions of the following fields
- name: Flags.Audit
type: boolean
description: >
CrowdStrike audit flag.
- name: Flags.Log
type: boolean
description: >
CrowdStrike log flag.
- name: Flags.Monitor
type: boolean
description: >
CrowdStrike monitor flag.
- name: Protocol
type: keyword
description: >
CrowdStrike provided protocol.
- name: NetworkProfile
type: keyword
description: >
CrowdStrike network profile.
- name: PolicyName
type: keyword
description: >
CrowdStrike policy name.
- name: PolicyID
type: keyword
description: >
CrowdStrike policy id.
- name: Status
type: keyword
description: >
CrowdStrike status.
- name: TreeID
type: keyword
description: >
CrowdStrike tree id.
# RemoteResponseSessionEndEvent
- name: Commands
type: keyword
description: >
Commands run in a remote session.
- key: cyberarkpas
title: CyberArk PAS
description: >
cyberarkpas fields.
fields:
- name: cyberarkpas
type: group
fields:
- name: audit
type: group
description: >
CyberArk Privileged Access Security Audit fields.
fields:
- name: action
type: keyword
description: A description of the audit record.
- name: ca_properties
type: group
description: Account metadata.
fields:
- name: address
type: keyword
- name: cpm_disabled
type: keyword
- name: cpm_error_details
type: keyword
- name: cpm_status
type: keyword
- name: creation_method
type: keyword
- name: customer
type: keyword
- name: database
type: keyword
- name: device_type
type: keyword
- name: dual_account_status
type: keyword
- name: group_name
type: keyword
- name: in_process
type: keyword
- name: index
type: keyword
- name: last_fail_date
type: keyword
- name: last_success_change
type: keyword
- name: last_success_reconciliation
type: keyword
- name: last_success_verification
type: keyword
- name: last_task
type: keyword
- name: logon_domain
type: keyword
- name: policy_id
type: keyword
- name: port
type: keyword
- name: privcloud
type: keyword
- name: reset_immediately
type: keyword
- name: retries_count
type: keyword
- name: sequence_id
type: keyword
- name: tags
type: keyword
- name: user_dn
type: keyword
- name: user_name
type: keyword
- name: virtual_username
type: keyword
- name: other
type: flattened
- name: category
type: keyword
description: The category name (for category-related operations).
- name: desc
type: keyword
description: A static value that displays a description of the audit codes.
- name: extra_details
type: group
description: Specific extra details of the audit records.
fields:
- name: ad_process_id
type: keyword
- name: ad_process_name
type: keyword
- name: application_type
type: keyword
- name: command
type: keyword
- name: connection_component_id
type: keyword
- name: dst_host
type: keyword
- name: logon_account
type: keyword
- name: managed_account
type: keyword
- name: process_id
type: keyword
- name: process_name
type: keyword
- name: protocol
type: keyword
- name: psmid
type: keyword
- name: session_duration
type: keyword
- name: session_id
type: keyword
- name: src_host
type: keyword
- name: username
type: keyword
- name: other
type: flattened
- name: file
type: keyword
description: The name of the target file.
- name: gateway_station
type: ip
description: The IP of the web application machine (PVWA).
- name: hostname
type: keyword
description: The hostname, in upper case.
example: MY-COMPUTER
- name: iso_timestamp
type: date
description: The timestamp, in ISO Timestamp format (RFC 3339).
example: 2013-6-25T10:47:19Z
- name: issuer
type: keyword
description: The Vault user who wrote the audit. This is usually the user who performed the operation.
- name: location
type: keyword
description: The target Location (for Location operations).
ignore_above: 4096
doc_values: false
index: false
- name: message
type: keyword
description: A description of the audit records (same information as in the Desc field).
- name: message_id
type: keyword
description: The code ID of the audit records.
- name: product
type: keyword
description: A static value that represents the product.
- name: pvwa_details
type: flattened
description: Specific details of the PVWA audit records.
- name: raw
type: keyword
description: >
Raw XML for the original audit record.
Only present when XSLT file has debugging enabled.
ignore_above: 4096
doc_values: false
index: false
- name: reason
type: text
description: The reason entered by the user.
norms: false
- name: rfc5424
type: boolean
description: Whether the syslog format complies with RFC5424.
example: yes
- name: safe
type: keyword
description: The name of the target Safe.
- name: severity
type: keyword
description: The severity of the audit records.
- name: source_user
type: keyword
description: The name of the Vault user who performed the operation.
- name: station
type: ip
description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
- name: target_user
type: keyword
description: The name of the Vault user on which the operation was performed.
- name: timestamp
type: keyword
description: The timestamp, in MMM DD HH:MM:SS format.
example: Jun 25 10:47:19
- name: vendor
type: keyword
description: A static value that represents the vendor.
- name: version
type: keyword
description: A static value that represents the version of the Vault.
- key: cylance
title: CylanceProtect
description: >
cylance fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity assigned to the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: This key is used to capture the new value of the attribute that
is changing in a session
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: This key is used to capture the old value of the attribute that
is changing in a session
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event, describing an ongoing event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: This is used to capture the name of the device associated with the
node, e.g. a physical disk, printer, etc.
- name: param
overwrite: true
type: keyword
description: This key captures the parameters passed as part of a command,
application invocation, etc.
- name: change_attrib
overwrite: true
type: keyword
description: This key is used to capture the name of the attribute that
is changing in a session
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for a linked ID, used in addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the
combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the policy ID only; this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd linked ID. It can be linked to either the "reference.id"
or "reference.id1" value but should not be used unless the other two keys
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures the name of the sensor, typically used in IDS/IPS-based
devices
- name: sig_id
overwrite: true
type: long
description: This key captures the integer IDS/IPS signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture a unique identifier for a device or system
(NOT a MAC address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture a list name or list number, primarily for
collecting access-list identifiers
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy, i.e. the details
of the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rule name) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures the string form of the sig_id value.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures a second integer IDS/IPS signature ID. It must be linked
to sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures the filter category number (legacy usage)
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the parent node name. It must be related to the node
key.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key captures the IP type of service (ToS) value
- name: vm_target
overwrite: true
type: keyword
description: VMware target (VMware-only variable).
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a fallback (failure) key for the process ID when its value
is not an integer
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. This key should
never be used to parse metadata from a session (logs/packets) directly; it
is a reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key captures the regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures the source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures the index ID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, i.e. any
hostname that is not ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (neither is the correct UInt16).'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet type (EtherType); used for
Layer 3 protocols only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the IP protocol number; all
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture the authentication method used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: This key is for uninterpreted LDAP values, i.e. LDAP values that
do not have a clear query or response context
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This is a Windows-specific key, used to capture the name of
the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file
which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of the file as found in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
MaxMind GeoIP database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the MaxMind
GeoIP database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
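The groups above are nested `type: group` entries that Beats flattens into dotted field names (for example `rsa.network.alias_host`), and a number of keys are marked deprecated only in their free-text description, sometimes with a replacement named and sometimes not. The following is an added example, not Beats or ECS tooling, that walks a fields.yml tree to build the dotted-name/type index, list the deprecated keys with their named replacement, and flag leaf fields that carry no description. `FIELDS_YML` is a constructed excerpt mirroring the `rsa.network` and `rsa.file` groups, written as a Python literal so the block runs without PyYAML; `yaml.safe_load` on the real file yields the same list-of-dicts shape, so the functions apply to it unchanged.

```python
"""Walk a Beats fields.yml tree: flatten nested 'group' entries into the dotted
names Elasticsearch actually sees, index their types, and pull out the keys
whose description marks them deprecated (with the replacement when one is
named). Added example, not Beats or ECS tooling. FIELDS_YML is a constructed
excerpt mirroring the rsa.network / rsa.file groups, written as a Python
literal so it runs without PyYAML; yaml.safe_load on the real file produces the
same list-of-dicts shape, so the functions apply unchanged.
"""
import re

FIELDS_YML = [  # constructed excerpt of a fields.yml 'fields:' list
    {"name": "rsa", "type": "group", "fields": [
        {"name": "network", "type": "group", "fields": [
            {"name": "network_port", "type": "long",
             "description": "Deprecated, use port. NOTE: There is a type discrepancy."},
            {"name": "port", "type": "long",
             "description": "This key should only be used to capture a Network Port."},
            {"name": "eth_host", "type": "keyword", "description": "Deprecated, use alias.mac"},
            {"name": "paddr", "type": "ip", "description": "Deprecated"},
        ]},
        {"name": "file", "type": "group", "fields": [
            {"name": "privilege", "type": "keyword", "description": "Deprecated, use permissions"},
            {"name": "filesystem", "type": "keyword"},
        ]},
    ]},
]

# "Deprecated", optionally followed by ", use <dotted.name>"; the replacement
# stops before a trailing period, so "use port. NOTE" yields "port".
DEPRECATED_RE = re.compile(r"^Deprecated(?:,\s*use\s+(\w+(?:\.\w+)*))?", re.IGNORECASE)


def flatten(fields, prefix=""):
    """Yield (dotted_name, type, description) for every non-group field."""
    for f in fields:
        name = prefix + f["name"]
        if f.get("type") == "group":
            yield from flatten(f.get("fields", []), name + ".")
        else:
            yield name, f.get("type"), f.get("description", "")


def type_index(fields):
    """dotted name -> Elasticsearch type."""
    return {name: ftype for name, ftype, _ in flatten(fields)}


def deprecated_fields(fields):
    """dotted name -> replacement named in the description, or None."""
    out = {}
    for name, _, desc in flatten(fields):
        m = DEPRECATED_RE.match(desc.strip())
        if m:
            out[name] = m.group(1)
    return out


def missing_descriptions(fields):
    """Leaf fields that carry no description at all."""
    return [name for name, _, desc in flatten(fields) if not desc]


if __name__ == "__main__":
    for name, ftype in type_index(FIELDS_YML).items():
        print(f"{name:28} {ftype}")
    print("deprecated:", deprecated_fields(FIELDS_YML))
    print("undocumented:", missing_descriptions(FIELDS_YML))
```

Run against the real file, the deprecated map is the list to check your Kibana saved searches and detection rules against before a module upgrade drops or renames a key; the undocumented list is where type mismatches (such as a counter stored as `keyword`) tend to hide.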
- key: envoyproxy
title: Envoyproxy
description: >
Module for handling logs produced by envoy
fields:
- name: envoyproxy
type: group
description: >
Fields from envoy proxy logs after normalization
fields:
- name: log_type
type: keyword
description: >
Envoy log type, normally ACCESS
- name: response_flags
type: keyword
description: >
Response flags
- name: upstream_service_time
type: long
format: duration
input_format: nanoseconds
description: >
Upstream service time in nanoseconds
- name: request_id
type: keyword
description: >
ID of the request
- name: authority
type: keyword
description: >
Envoy proxy authority field
- name: proxy_type
type: keyword
description: >
Envoy proxy type, tcp or http
- key: f5
title: Big-IP Access Policy Manager
description: >
f5 fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (Ex: Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (Ex: Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (Ex: User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (Ex: Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GEOIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GEOIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures the source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with the database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (Ex: Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (Ex: Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (Ex: User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (Ex: Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: fortinet
title: Fortinet
description: >
fortinet Module
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
count for the request side is the number of times the most common byte (mcb.req)
was seen in the request stream of the session.
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The most common byte
count for the response side is the number of times the most common byte (mcb.res)
was seen in the response stream of the session.
- name: medium
overwrite: true
type: long
description: This key identifies whether the session is a log or packet session,
or gives the Layer 2 encapsulation type. This key should never be used to parse
meta data from a session (logs/packets) directly; it is a reserved key in NetWitness.
32 = log, 33 = correlation session, values below 32 are packet sessions.
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related.
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any meta key validation error
found while parsing a log session. This key should never be used to parse
meta data from a session (logs/packets) directly; it is a reserved key in
NetWitness.
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify a
group of similar processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify a
group of similar processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the remote session created by the NetWitness
Decoder. This key should never be used to parse meta data from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse meta data from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse meta data from a session (logs/packets)
directly; it is a reserved key in NetWitness.
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAP that was imported
into NetWitness. This key should never be used to parse meta data from a session
(logs/packets) directly; it is a reserved key in NetWitness.
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The unique byte count
is the number of distinct byte values seen in the request stream; 256 means
every byte value from 0 through 255 was seen at least once.
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser. The unique byte count
is the number of distinct byte values seen in the response stream; 256 means
every byte value from 0 through 255 was seen at least once.
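The Entropy Parser keys above (payload, mcb, mcbc and ubc for the request and response sides) are easier to reason about when you compute them yourself. The following is an added example, not Filebeat, ECS or NetWitness code. It derives those values from both sides of a constructed session; the key names mirror the field names in this file without whatever module prefix the indexed field carries, the tie-break for the most common byte (lowest byte value wins) is an assumption, and the Shannon entropy and the `looks_opaque` triage rule are assumed companions that the page does not define.

```python
# Added example (not Filebeat, ECS or NetWitness code): Entropy Parser meta values
# for one session. Tie-break, entropy and the triage threshold are assumptions.
import math
from collections import Counter


def side_stats(stream: bytes) -> dict:
    """Per-side statistics for one direction (request or response) of a session."""
    if not stream:
        # Empty side: there is no most common byte; sizes and counts are zero.
        return {"payload": 0, "mcb": None, "mcbc": 0, "ubc": 0, "entropy": 0.0}
    counts = Counter(stream)
    # Most common byte; ties go to the lowest byte value so the result is
    # deterministic (assumption: the page gives no NetWitness tie-break rule).
    mcb = min(counts, key=lambda b: (-counts[b], b))
    n = len(stream)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "payload": n,         # payload size of this side at parse time
        "mcb": mcb,           # most common byte value, 0..255
        "mcbc": counts[mcb],  # how often that byte occurred
        "ubc": len(counts),   # unique byte count; 256 means every value was seen
        "entropy": entropy,   # Shannon entropy in bits per byte, 0.0 .. 8.0
    }


def entropy_parser_meta(request: bytes, response: bytes) -> dict:
    """Flatten both sides into the req/res keys the field list above defines."""
    meta = {}
    for side, stream in (("req", request), ("res", response)):
        s = side_stats(stream)
        meta[f"payload_{side}"] = s["payload"]
        meta[f"mcb_{side}"] = s["mcb"]
        meta[f"mcbc_{side}"] = s["mcbc"]
        meta[f"ubc_{side}"] = s["ubc"]
        meta[f"entropy_{side}"] = round(s["entropy"], 3)
    return meta


def looks_opaque(meta: dict, side: str, min_entropy: float = 7.5, min_ubc: int = 200) -> bool:
    """Assumed triage heuristic: a side that uses nearly every byte value with
    near-maximal entropy is encrypted or compressed rather than plaintext."""
    return meta[f"entropy_{side}"] >= min_entropy and meta[f"ubc_{side}"] >= min_ubc


# Constructed sample traffic (not a capture): a repetitive plaintext-like request
# and an opaque response that contains every byte value exactly once.
SAMPLE_REQUEST = b"AAAAAAAAAABBBC"
SAMPLE_RESPONSE = bytes(range(256))

if __name__ == "__main__":
    m = entropy_parser_meta(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for key in sorted(m):
        print(f"{key}={m[key]}")
    print("response looks opaque:", looks_opaque(m, "res"))
```

Reading the output side by side shows why the parser emits all four families: a low ubc with a dominant mcb/mcbc pair identifies padding or repeated filler, while a ubc near 256 with entropy near 8 is what an encrypted or compressed stream looks like regardless of its size.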
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log.
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form.
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the time at which the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
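The time group above separates a fully normalized time.event_time from the fallback time.event_time_str that holds an incomplete or unparseable time, and the reserved parse_error key defined earlier is where a validation failure is recorded. The following is an added example, not Filebeat, ECS or NetWitness code, of that split: it normalizes a raw time string to UTC with its offset in time.timezone, falls back to time.event_time_str plus parse_error when no format matches, and derives time.duration_time from starttime/endtime. The format list, the device_tz fallback for naive timestamps and the parse_error message text are assumptions; the parser tables NetWitness uses are not on this page.

```python
# Added example (not Filebeat, ECS or NetWitness code): normalise raw timestamps
# into the time.* keys above, with the event_time_str / parse_error fallback.
from datetime import datetime, timezone

# Assumed set of accepted input formats, tried in order.
TIME_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",   # ISO 8601 with numeric offset or Z
    "%Y-%m-%d %H:%M:%S",     # naive; interpreted in device_tz
    "%d/%b/%Y:%H:%M:%S %z",  # NCSA/Apache common log format
)


def normalize_event_time(raw: str, device_tz: timezone = timezone.utc) -> dict:
    """Return the time.* (and, on failure, parse_error) meta for one raw timestamp."""
    text = raw.strip()
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            # A naive timestamp carries no zone; assume the device's configured zone.
            dt = dt.replace(tzinfo=device_tz)
        return {
            "time.event_time": dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "time.timezone": dt.strftime("%z"),
        }
    # Incomplete or unrecognised (e.g. syslog without a year): keep the string
    # verbatim and record the validation error instead of guessing a date.
    return {
        "time.event_time_str": text,
        "parse_error": f"time.event_time: unrecognised timestamp {text!r}",
    }


def duration_seconds(start_raw: str, end_raw: str, device_tz: timezone = timezone.utc):
    """time.duration_time (seconds, double) from starttime/endtime; None if either
    bound failed to normalise, so a partial parse never yields a bogus duration."""
    start = normalize_event_time(start_raw, device_tz)
    end = normalize_event_time(end_raw, device_tz)
    if "time.event_time" not in start or "time.event_time" not in end:
        return None
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    delta = datetime.strptime(end["time.event_time"], fmt) - datetime.strptime(start["time.event_time"], fmt)
    return delta.total_seconds()


# Constructed sample inputs (not from a real device).
SAMPLES = (
    "2021-03-04T10:00:00+0200",      # complete, with offset
    "2021-03-04 10:00:00",           # complete but naive
    "Mar  4 10:00:00",               # syslog style, no year: incomplete
)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", normalize_event_time(raw))
    print("duration:", duration_seconds("04/Mar/2021:10:00:00 +0000", "04/Mar/2021:10:05:30 +0000"))
```

Keeping the unparsed string in time.event_time_str rather than coercing it means the event stays searchable and the gap stays visible in parse_error; silently stamping the collector's clock into time.event_time would hide exactly the timeline errors an investigation needs to see.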
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity assigned to the session.
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: This key captures the source of the event when it is not a hostname.
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: This key is used to capture the new value of the attribute that is
changing in a session.
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: This key is used to capture the old value of the attribute that is
changing in a session.
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event, describing an ongoing event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: This is used to capture the name of the device associated with the
node, such as a physical disk or printer.
- name: param
overwrite: true
type: keyword
description: This key captures the parameters passed as part of a command or
application invocation.
- name: change_attrib
overwrite: true
type: keyword
description: This key is used to capture the name of the attribute that is
changing in a session.
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name of the computer in a Windows event log.
- name: reference_id1
overwrite: true
type: keyword
description: This key holds a linked ID used in addition to reference.id.
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows event log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the policy ID only. The value should be
numeric; use policy.name otherwise.
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key holds the second linked ID. It may be linked to either the
reference.id or the reference.id1 value, but should not be used unless those two
keys are populated.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer signature ID.
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture a unique identifier for a device or system
(not a MAC address).
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses.
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture the list name or list number, primarily
for access lists.
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rule name) and which effectively constitutes a template.
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures the string form of the sig.id value.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures a second IDS/IPS integer signature ID. It must be
linked to sig.id.
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session.
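Because tcp_flags is stored as a single long covering every packet of the session, it is a union of flags, and that limits what can be read from it. The following is an added example, not Filebeat, ECS or NetWitness code, that decodes the value into flag names and draws only the conclusions a session-level union supports. It assumes the long uses the standard TCP header bit positions (RFC 793, plus the ECN bits of RFC 3168); the page does not state the encoding, and the finding labels are the example's own.

```python
# Added example (not Filebeat, ECS or NetWitness code): decode a session-level
# tcp_flags long. Assumption: standard TCP header bit positions (RFC 793 / RFC 3168).
TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)


def decode_tcp_flags(value: int) -> list:
    """Names of the flags set in the value, lowest bit first."""
    if value < 0 or value > 0xFF:
        raise ValueError(f"tcp_flags out of range: {value}")
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def session_flag_findings(value: int) -> list:
    """Session-level observations only. The field is the OR of every packet's
    flags, so per-packet anomalies such as SYN+FIN in one segment are invisible
    here: a normal completed session legitimately shows SYN, ACK, PSH and FIN."""
    flags = set(decode_tcp_flags(value))
    findings = []
    if "SYN" in flags and "ACK" not in flags:
        findings.append("syn_no_ack")  # handshake never completed: probe, filtered, or dead host
    if flags and "SYN" not in flags:
        findings.append("no_syn")      # capture began mid-stream, or unsolicited segments
    if "RST" in flags:
        findings.append("rst")         # the connection was aborted at some point
    if flags & {"ECE", "CWR"}:
        findings.append("ecn")         # explicit congestion notification bits observed
    return findings


# Constructed sample values (not taken from a capture).
SAMPLES = {
    0x02: "lone SYN (half-open probe)",
    0x1B: "FIN, SYN, PSH, ACK (ordinary completed exchange)",
    0x14: "RST, ACK with no SYN (mid-stream abort)",
}

if __name__ == "__main__":
    for value, label in SAMPLES.items():
        print(f"{value:#04x} {decode_tcp_flags(value)} -> {session_flag_findings(value)}  # {label}")
```

The practical caveat is the one in the docstring: a cumulative flag word is good for spotting half-open probes and mid-stream captures, but any rule that wants to catch illegal per-packet combinations needs packet-level data, not this key.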
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware target. VMware-only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: fortinet
type: group
description: >
Fields from fortinet FortiOS
fields:
- name: file.hash.crc32
type: keyword
description: >
CRC32 Hash of file
- name: firewall
type: group
release: beta
description: >
Module for parsing Fortinet syslog.
fields:
- name: acct_stat
type: keyword
description: >
Accounting state (RADIUS)
- name: acktime
type: keyword
description: >
Alarm Acknowledge Time
- name: act
type: keyword
description: >
Action
- name: action
type: keyword
description: >
Status of the session
- name: activity
type: keyword
description: >
HA activity message
- name: addr
type: ip
description: >
IP Address
- name: addr_type
type: keyword
description: >
Address Type
- name: addrgrp
type: keyword
description: >
Address Group
- name: adgroup
type: keyword
description: >
AD Group Name
- name: admin
type: keyword
description: >
Admin User
- name: age
type: integer
description: >
Time in seconds - time passed since last seen
- name: agent
type: keyword
description: >
User agent - eg. agent="Mozilla/5.0"
- name: alarmid
type: integer
description: >
Alarm ID
- name: alert
type: keyword
description: >
Alert
- name: analyticscksum
type: keyword
description: >
The checksum of the file submitted for analytics
- name: analyticssubmit
type: keyword
description: >
The flag for analytics submission
- name: ap
type: keyword
description: >
Access Point
- name: app-type
type: keyword
description: >
Address Type
- name: appact
type: keyword
description: >
The security action from app control
- name: appid
type: integer
description: >
Application ID
- name: applist
type: keyword
description: >
Application Control profile
- name: apprisk
type: keyword
description: >
Application Risk Level
- name: apscan
type: keyword
description: >
The name of the AP, which scanned and detected the rogue AP
- name: apsn
type: keyword
description: >
Access Point
- name: apstatus
type: keyword
description: >
Access Point status
- name: aptype
type: keyword
description: >
Access Point type
- name: assigned
type: ip
description: >
Assigned IP Address
- name: assignip
type: ip
description: >
Assigned IP Address
- name: attachment
type: keyword
description: >
The flag for email attachment
- name: attack
type: keyword
description: >
Attack Name
- name: attackcontext
type: keyword
description: >
The trigger patterns and the packetdata with base64 encoding
- name: attackcontextid
type: keyword
description: >
Attack context id / total
- name: attackid
type: integer
description: >
Attack ID
- name: auditid
type: long
description: >
Audit ID
- name: auditscore
type: keyword
description: >
The Audit Score
- name: audittime
type: long
description: >
The time of the audit
- name: authgrp
type: keyword
description: >
Authorization Group
- name: authid
type: keyword
description: >
Authentication ID
- name: authproto
type: keyword
description: >
The protocol that initiated the authentication
- name: authserver
type: keyword
description: >
Authentication server
- name: bandwidth
type: keyword
description: >
Bandwidth
- name: banned_rule
type: keyword
description: >
NAC quarantine Banned Rule Name
- name: banned_src
type: keyword
description: >
NAC quarantine Banned Source IP
- name: banword
type: keyword
description: >
Banned word
- name: botnetdomain
type: keyword
description: >
Botnet Domain Name
- name: botnetip
type: ip
description: >
Botnet IP Address
- name: bssid
type: keyword
description: >
Service Set ID
- name: call_id
type: keyword
description: >
Caller ID
- name: carrier_ep
type: keyword
description: >
The FortiOS Carrier end-point identification
- name: cat
type: integer
description: >
DNS category ID
- name: category
type: keyword
description: >
Authentication category
- name: cc
type: keyword
description: >
CC Email Address
- name: cdrcontent
type: keyword
description: >
Cdrcontent
- name: centralnatid
type: integer
description: >
Central NAT ID
- name: cert
type: keyword
description: >
Certificate
- name: cert-type
type: keyword
description: >
Certificate type
- name: certhash
type: keyword
description: >
Certificate hash
- name: cfgattr
type: keyword
description: >
Configuration attribute
- name: cfgobj
type: keyword
description: >
Configuration object
- name: cfgpath
type: keyword
description: >
Configuration path
- name: cfgtid
type: keyword
description: >
Configuration transaction ID
- name: cfgtxpower
type: integer
description: >
Configuration TX power
- name: channel
type: integer
description: >
Wireless Channel
- name: channeltype
type: keyword
description: >
SSH channel type
- name: chassisid
type: integer
description: >
Chassis ID
- name: checksum
type: keyword
description: >
The checksum of the scanned file
- name: chgheaders
type: keyword
description: >
HTTP Headers
- name: cldobjid
type: keyword
description: >
Connector object ID
- name: client_addr
type: keyword
description: >
Wifi client address
- name: cloudaction
type: keyword
description: >
Cloud Action
- name: clouduser
type: keyword
description: >
Cloud User
- name: column
type: integer
description: >
VOIP Column
- name: command
type: keyword
description: >
CLI Command
- name: community
type: keyword
description: >
SNMP Community
- name: configcountry
type: keyword
description: >
Configuration country
- name: connection_type
type: keyword
description: >
FortiClient Connection Type
- name: conserve
type: keyword
description: >
Flag for conserve mode
- name: constraint
type: keyword
description: >
WAF http protocol restrictions
- name: contentdisarmed
type: keyword
description: >
Email scanned content
- name: contenttype
type: keyword
description: >
Content Type from HTTP header
- name: cookies
type: keyword
description: >
VPN Cookie
- name: count
type: integer
description: >
Counts of action type
- name: countapp
type: integer
description: >
Number of App Ctrl logs associated with the session
- name: countav
type: integer
description: >
Number of AV logs associated with the session
- name: countcifs
type: integer
description: >
Number of CIFS logs associated with the session
- name: countdlp
type: integer
description: >
Number of DLP logs associated with the session
- name: countdns
type: integer
description: >
Number of DNS logs associated with the session
- name: countemail
type: integer
description: >
Number of email logs associated with the session
- name: countff
type: integer
description: >
Number of ff logs associated with the session
- name: countips
type: integer
description: >
Number of IPS logs associated with the session
- name: countssh
type: integer
description: >
Number of SSH logs associated with the session
- name: countssl
type: integer
description: >
Number of SSL logs associated with the session
- name: countwaf
type: integer
description: >
Number of WAF logs associated with the session
- name: countweb
type: integer
description: >
Number of Web filter logs associated with the session
- name: cpu
type: integer
description: >
CPU Usage
- name: craction
type: integer
description: >
Client Reputation Action
- name: criticalcount
type: integer
description: >
Number of critical ratings
- name: crl
type: keyword
description: >
Client Reputation Level
- name: crlevel
type: keyword
description: >
Client Reputation Level
- name: crscore
type: integer
description: >
Some description
- name: cveid
type: keyword
description: >
CVE ID
- name: daemon
type: keyword
description: >
Daemon name
- name: datarange
type: keyword
description: >
Data range for reports
- name: date
type: keyword
description: >
Date
- name: ddnsserver
type: ip
description: >
DDNS server
- name: desc
type: keyword
description: >
Description
- name: detectionmethod
type: keyword
description: >
Detection method
- name: devcategory
type: keyword
description: >
Device category
- name: devintfname
type: keyword
description: >
HA device Interface Name
- name: devtype
type: keyword
description: >
Device type
- name: dhcp_msg
type: keyword
description: >
DHCP Message
- name: dintf
type: keyword
description: >
Destination interface
- name: disk
type: keyword
description: >
Associated disk
- name: disklograte
type: long
description: >
Disk logging rate
- name: dlpextra
type: keyword
description: >
DLP extra information
- name: docsource
type: keyword
description: >
DLP fingerprint document source
- name: domainctrlauthstate
type: integer
description: >
CIFS domain auth state
- name: domainctrlauthtype
type: integer
description: >
CIFS domain auth type
- name: domainctrldomain
type: keyword
description: >
CIFS domain auth domain
- name: domainctrlip
type: ip
description: >
CIFS Domain IP
- name: domainctrlname
type: keyword
description: >
CIFS Domain name
- name: domainctrlprotocoltype
type: integer
description: >
CIFS Domain connection protocol
- name: domainctrlusername
type: keyword
description: >
CIFS Domain username
- name: domainfilteridx
type: integer
description: >
Domain filter ID
- name: domainfilterlist
type: keyword
description: >
Domain filter name
- name: ds
type: keyword
description: >
Direction with distribution system
- name: dst_int
type: keyword
description: >
Destination interface
- name: dstintfrole
type: keyword
description: >
Destination interface role
- name: dstcountry
type: keyword
description: >
Destination country
- name: dstdevcategory
type: keyword
description: >
Destination device category
- name: dstdevtype
type: keyword
description: >
Destination device type
- name: dstfamily
type: keyword
description: >
Destination OS family
- name: dsthwvendor
type: keyword
description: >
Destination HW vendor
- name: dsthwversion
type: keyword
description: >
Destination HW version
- name: dstinetsvc
type: keyword
description: >
Destination interface service
- name: dstosname
type: keyword
description: >
Destination OS name
- name: dstosversion
type: keyword
description: >
Destination OS version
- name: dstserver
type: integer
description: >
Destination server
- name: dstssid
type: keyword
description: >
Destination SSID
- name: dstswversion
type: keyword
description: >
Destination software version
- name: dstunauthusersource
type: keyword
description: >
Destination unauthenticated source
- name: dstuuid
type: keyword
description: >
UUID of the Destination IP address
- name: duid
type: keyword
description: >
DHCP UID
- name: eapolcnt
type: integer
description: >
EAPOL packet count
- name: eapoltype
type: keyword
description: >
EAPOL packet type
- name: encrypt
type: integer
description: >
Whether the packet is encrypted or not
- name: encryption
type: keyword
description: >
Encryption method
- name: epoch
type: integer
description: >
Epoch used for locating file
- name: espauth
type: keyword
description: >
ESP Authentication
- name: esptransform
type: keyword
description: >
ESP Transform
- name: eventtype
type: keyword
description: >
UTM Event Type
- name: exch
type: keyword
description: >
Mail Exchanges from DNS response answer section
- name: exchange
type: keyword
description: >
Mail Exchanges from DNS response answer section
- name: expectedsignature
type: keyword
description: >
Expected SSL signature
- name: expiry
type: keyword
description: >
FortiGuard override expiry timestamp
- name: fams_pause
type: integer
description: >
Fortinet Analysis and Management Service Pause
- name: fazlograte
type: long
description: >
FortiAnalyzer Logging Rate
- name: fctemssn
type: keyword
description: >
FortiClient Endpoint SSN
- name: fctuid
type: keyword
description: >
FortiClient UID
- name: field
type: keyword
description: >
NTP status field
- name: filefilter
type: keyword
description: >
The filter used to identify the affected file
- name: filehashsrc
type: keyword
description: >
Filehash source
- name: filtercat
type: keyword
description: >
DLP filter category
- name: filteridx
type: integer
description: >
DLP filter ID
- name: filtername
type: keyword
description: >
DLP rule name
- name: filtertype
type: keyword
description: >
DLP filter type
- name: fortiguardresp
type: keyword
description: >
Antispam ESP value
- name: forwardedfor
type: keyword
description: >
Email address forwarded
- name: fqdn
type: keyword
description: >
FQDN
- name: frametype
type: keyword
description: >
Wireless frametype
- name: freediskstorage
type: integer
description: >
Free disk integer
- name: from
type: keyword
description: >
From email address
- name: from_vcluster
type: integer
description: >
Source virtual cluster number
- name: fsaverdict
type: keyword
description: >
FSA verdict
- name: fwserver_name
type: keyword
description: >
Web proxy server name
- name: gateway
type: ip
description: >
Gateway ip address for PPPoE status report
- name: green
type: keyword
description: >
Memory status
- name: groupid
type: integer
description: >
User Group ID
- name: ha-prio
type: integer
description: >
HA Priority
- name: ha_group
type: keyword
description: >
HA Group
- name: ha_role
type: keyword
description: >
HA Role
- name: handshake
type: keyword
description: >
SSL Handshake
- name: hash
type: keyword
description: >
Hash value of downloaded file
- name: hbdn_reason
type: keyword
description: >
Heartbeat down reason
- name: highcount
type: integer
description: >
Highcount fabric summary
- name: host
type: keyword
description: >
Hostname
- name: iaid
type: keyword
description: >
DHCPv6 id
- name: icmpcode
type: keyword
description: >
Destination Port of the ICMP message
- name: icmpid
type: keyword
description: >
Source port of the ICMP message
- name: icmptype
type: keyword
description: >
The type of ICMP message
- name: identifier
type: integer
description: >
Network traffic identifier
- name: in_spi
type: keyword
description: >
IPSEC inbound SPI
- name: incidentserialno
type: integer
description: >
Incident serial number
- name: infected
type: integer
description: >
Infected MMS
- name: infectedfilelevel
type: integer
description: >
DLP infected file level
- name: informationsource
type: keyword
description: >
Information source
- name: init
type: keyword
description: >
IPSEC init stage
- name: initiator
type: keyword
description: >
Original login user name for Fortiguard override
- name: interface
type: keyword
description: >
Related interface
- name: intf
type: keyword
description: >
Related interface
- name: invalidmac
type: keyword
description: >
The MAC address with invalid OUI
- name: ip
type: ip
description: >
Related IP
- name: iptype
type: keyword
description: >
Related IP type
- name: keyword
type: keyword
description: >
Keyword used for search
- name: kind
type: keyword
description: >
VOIP kind
- name: lanin
type: long
description: >
LAN incoming traffic in bytes
- name: lanout
type: long
description: >
LAN outbound traffic in bytes
- name: lease
type: integer
description: >
DHCP lease
- name: license_limit
type: keyword
description: >
Maximum Number of FortiClients for the License
- name: limit
type: integer
description: >
Virtual Domain Resource Limit
- name: line
type: keyword
description: >
VOIP line
- name: live
type: integer
description: >
Time in seconds
- name: local
type: ip
description: >
Local IP for a PPPD Connection
- name: log
type: keyword
description: >
Log message
- name: login
type: keyword
description: >
SSH login
- name: lowcount
type: integer
description: >
Fabric lowcount
- name: mac
type: keyword
description: >
DHCP mac address
- name: malform_data
type: integer
description: >
VOIP malformed data
- name: malform_desc
type: keyword
description: >
VOIP malformed data description
- name: manuf
type: keyword
description: >
Manufacturer name
- name: masterdstmac
type: keyword
description: >
Master mac address for a host with multiple network interfaces
- name: mastersrcmac
type: keyword
description: >
The master MAC address for a host that has multiple network interfaces
- name: mediumcount
type: integer
description: >
Fabric medium count
- name: mem
type: integer
description: >
Memory usage system statistics
- name: meshmode
type: keyword
description: >
Wireless mesh mode
- name: message_type
type: keyword
description: >
VOIP message type
- name: method
type: keyword
description: >
HTTP method
- name: mgmtcnt
type: integer
description: >
The number of unauthorized client flooding management frames
- name: mode
type: keyword
description: >
IPSEC mode
- name: module
type: keyword
description: >
PCI-DSS module
- name: monitor-name
type: keyword
description: >
Health Monitor Name
- name: monitor-type
type: keyword
description: >
Health Monitor Type
- name: mpsk
type: keyword
description: >
Wireless MPSK
- name: msgproto
type: keyword
description: >
Message Protocol Number
- name: mtu
type: integer
description: >
Max Transmission Unit Value
- name: name
type: keyword
description: >
Name
- name: nat
type: keyword
description: >
NAT IP Address
- name: netid
type: keyword
description: >
Connector NetID
- name: new_status
type: keyword
description: >
New status on user change
- name: new_value
type: keyword
description: >
New Virtual Domain Name
- name: newchannel
type: integer
description: >
New Channel Number
- name: newchassisid
type: integer
description: >
New Chassis ID
- name: newslot
type: integer
description: >
New Slot Number
- name: nextstat
type: integer
description: >
Time interval in seconds for the next statistics.
- name: nf_type
type: keyword
description: >
Notification Type
- name: noise
type: integer
description: >
Wifi Noise
- name: old_status
type: keyword
description: >
Original Status
- name: old_value
type: keyword
description: >
Original Virtual Domain name
- name: oldchannel
type: integer
description: >
Original channel
- name: oldchassisid
type: integer
description: >
Original Chassis Number
- name: oldslot
type: integer
description: >
Original Slot Number
- name: oldsn
type: keyword
description: >
Old Serial number
- name: oldwprof
type: keyword
description: >
Old Web Filter Profile
- name: onwire
type: keyword
description: >
A flag to indicate if the AP is onwire or not
- name: opercountry
type: keyword
description: >
Operating Country
- name: opertxpower
type: integer
description: >
Operating TX power
- name: osname
type: keyword
description: >
Operating System name
- name: osversion
type: keyword
description: >
Operating System version
- name: out_spi
type: keyword
description: >
Out SPI
- name: outintf
type: keyword
description: >
Out interface
- name: passedcount
type: integer
description: >
Fabric passed count
- name: passwd
type: keyword
description: >
Changed user password information
- name: path
type: keyword
description: >
Path of looped configuration for security fabric
- name: peer
type: keyword
description: >
WAN optimization peer
- name: peer_notif
type: keyword
description: >
VPN peer notification
- name: phase2_name
type: keyword
description: >
VPN phase2 name
- name: phone
type: keyword
description: >
VOIP Phone
- name: pid
type: integer
description: >
Process ID
- name: policytype
type: keyword
description: >
Policy Type
- name: poolname
type: keyword
description: >
IP Pool name
- name: port
type: integer
description: >
Log upload error port
- name: portbegin
type: integer
description: >
IP Pool port number to begin
- name: portend
type: integer
description: >
IP Pool port number to end
- name: probeproto
type: keyword
description: >
Link Monitor Probe Protocol
- name: process
type: keyword
description: >
URL Filter process
- name: processtime
type: integer
description: >
Process time for reports
- name: profile
type: keyword
description: >
Profile Name
- name: profile_vd
type: keyword
description: >
Virtual Domain Name
- name: profilegroup
type: keyword
description: >
Profile Group Name
- name: profiletype
type: keyword
description: >
Profile Type
- name: qtypeval
type: integer
description: >
DNS question type value
- name: quarskip
type: keyword
description: >
Quarantine skip explanation
- name: quotaexceeded
type: keyword
description: >
If quota has been exceeded
- name: quotamax
type: long
description: >
Maximum quota allowed - in seconds if time-based - in bytes if traffic-based
- name: quotatype
type: keyword
description: >
Quota type
- name: quotaused
type: long
description: >
Quota used - in seconds if time-based - in bytes if traffic-based
- name: radioband
type: keyword
description: >
Radio band
- name: radioid
type: integer
description: >
Radio ID
- name: radioidclosest
type: integer
description: >
Radio ID on the AP closest the rogue AP
- name: radioiddetected
type: integer
description: >
Radio ID on the AP which detected the rogue AP
- name: rate
type: keyword
description: >
Wireless rogue rate value
- name: rawdata
type: keyword
description: >
Raw data value
- name: rawdataid
type: keyword
description: >
Raw data ID
- name: rcvddelta
type: keyword
description: >
Received bytes delta
- name: reason
type: keyword
description: >
Alert reason
- name: received
type: integer
description: >
Server key exchange received
- name: receivedsignature
type: keyword
description: >
Server key exchange received signature
- name: red
type: keyword
description: >
Memory information in red
- name: referralurl
type: keyword
description: >
Web filter referralurl
- name: remote
type: ip
description: >
Remote PPP IP address
- name: remotewtptime
type: keyword
description: >
Remote Wifi Radius authentication time
- name: reporttype
type: keyword
description: >
Report type
- name: reqtype
type: keyword
description: >
Request type
- name: request_name
type: keyword
description: >
VOIP request name
- name: result
type: keyword
description: >
VPN phase result
- name: role
type: keyword
description: >
VPN Phase 2 role
- name: rssi
type: integer
description: >
Received signal strength indicator
- name: rsso_key
type: keyword
description: >
RADIUS SSO attribute value
- name: ruledata
type: keyword
description: >
Rule data
- name: ruletype
type: keyword
description: >
Rule type
- name: scanned
type: integer
description: >
Number of Scanned MMSs
- name: scantime
type: long
description: >
Scanned time
- name: scope
type: keyword
description: >
FortiGuard Override Scope
- name: security
type: keyword
description: >
Wireless rogue security
- name: sensitivity
type: keyword
description: >
Sensitivity for document fingerprint
- name: sensor
type: keyword
description: >
NAC Sensor Name
- name: sentdelta
type: keyword
description: >
Sent bytes delta
- name: seq
type: keyword
description: >
Sequence number
- name: serial
type: keyword
description: >
WAN optimisation serial
- name: serialno
type: keyword
description: >
Serial number
- name: server
type: keyword
description: >
AD server FQDN or IP
- name: session_id
type: keyword
description: >
Session ID
- name: sessionid
type: integer
description: >
WAD Session ID
- name: setuprate
type: long
description: >
Session Setup Rate
- name: severity
type: keyword
description: >
Severity
- name: shaperdroprcvdbyte
type: integer
description: >
Received bytes dropped by shaper
- name: shaperdropsentbyte
type: integer
description: >
Sent bytes dropped by shaper
- name: shaperperipdropbyte
type: integer
description: >
Dropped bytes per IP by shaper
- name: shaperperipname
type: keyword
description: >
Traffic shaper name (per IP)
- name: shaperrcvdname
type: keyword
description: >
Traffic shaper name for received traffic
- name: shapersentname
type: keyword
description: >
Traffic shaper name for sent traffic
- name: shapingpolicyid
type: integer
description: >
Traffic shaper policy ID
- name: signal
type: integer
description: >
Wireless rogue API signal
- name: size
type: long
description: >
Email size in bytes
- name: slot
type: integer
description: >
Slot number
- name: sn
type: keyword
description: >
Security fabric serial number
- name: snclosest
type: keyword
description: >
SN of the AP closest to the rogue AP
- name: sndetected
type: keyword
description: >
SN of the AP which detected the rogue AP
- name: snmeshparent
type: keyword
description: >
SN of the mesh parent
- name: spi
type: keyword
description: >
IPSEC SPI
- name: src_int
type: keyword
description: >
Source interface
- name: srcintfrole
type: keyword
description: >
Source interface role
- name: srccountry
type: keyword
description: >
Source country
- name: srcfamily
type: keyword
description: >
Source family
- name: srchwvendor
type: keyword
description: >
Source hardware vendor
- name: srchwversion
type: keyword
description: >
Source hardware version
- name: srcinetsvc
type: keyword
description: >
Source interface service
- name: srcname
type: keyword
description: >
Source name
- name: srcserver
type: integer
description: >
Source server
- name: srcssid
type: keyword
description: >
Source SSID
- name: srcswversion
type: keyword
description: >
Source software version
- name: srcuuid
type: keyword
description: >
Source UUID
- name: sscname
type: keyword
description: >
SSC name
- name: ssid
type: keyword
description: >
Base Service Set ID
- name: sslaction
type: keyword
description: >
SSL Action
- name: ssllocal
type: keyword
description: >
WAD SSL local
- name: sslremote
type: keyword
description: >
WAD SSL remote
- name: stacount
type: integer
description: >
Number of stations/clients
- name: stage
type: keyword
description: >
IPSEC stage
- name: stamac
type: keyword
description: >
802.1x station mac
- name: state
type: keyword
description: >
Admin login state
- name: status
type: keyword
description: >
Status
- name: stitch
type: keyword
description: >
Automation stitch triggered
- name: subject
type: keyword
description: >
Email subject
- name: submodule
type: keyword
description: >
Configuration Sub-Module Name
- name: subservice
type: keyword
description: >
AV subservice
- name: subtype
type: keyword
description: >
Log subtype
- name: suspicious
type: integer
description: >
Number of Suspicious MMSs
- name: switchproto
type: keyword
description: >
Protocol change information
- name: sync_status
type: keyword
description: >
The sync status with the master
- name: sync_type
type: keyword
description: >
The sync type with the master
- name: sysuptime
type: keyword
description: >
System uptime
- name: tamac
type: keyword
description: >
The MAC address of the transmitter, or of the receiver if there is none
- name: threattype
type: keyword
description: >
WIDS threat type
- name: time
type: keyword
description: >
Time of the event
- name: to
type: keyword
description: >
Email to field
- name: to_vcluster
type: integer
description: >
Destination virtual cluster number
- name: total
type: integer
description: >
Total memory
- name: totalsession
type: integer
description: >
Total Number of Sessions
- name: trace_id
type: keyword
description: >
Session clash trace ID
- name: trandisp
type: keyword
description: >
NAT translation type
- name: transid
type: integer
description: >
HTTP transaction ID
- name: translationid
type: keyword
description: >
DNS filter translation ID
- name: trigger
type: keyword
description: >
Automation stitch trigger
- name: trueclntip
type: ip
description: >
File filter true client IP
- name: tunnelid
type: integer
description: >
IPSEC tunnel ID
- name: tunnelip
type: ip
description: >
IPSEC tunnel IP
- name: tunneltype
type: keyword
description: >
IPSEC tunnel type
- name: type
type: keyword
description: >
Module type
- name: ui
type: keyword
description: >
Admin authentication UI type
- name: unauthusersource
type: keyword
description: >
Unauthenticated user source
- name: unit
type: integer
description: >
Power supply unit
- name: urlfilteridx
type: integer
description: >
URL filter ID
- name: urlfilterlist
type: keyword
description: >
URL filter list
- name: urlsource
type: keyword
description: >
URL filter source
- name: urltype
type: keyword
description: >
URL filter type
- name: used
type: integer
description: >
Number of Used IPs
- name: used_for_type
type: integer
description: >
Connection for the type
- name: utmaction
type: keyword
description: >
Security action performed by UTM
- name: utmref
type: keyword
description: >
Reference to UTM
- name: vap
type: keyword
description: >
Virtual AP
- name: vapmode
type: keyword
description: >
Virtual AP mode
- name: vcluster
type: integer
description: >
Virtual cluster ID
- name: vcluster_member
type: integer
description: >
Virtual cluster member
- name: vcluster_state
type: keyword
description: >
Virtual cluster state
- name: vd
type: keyword
description: >
Virtual Domain Name
- name: vdname
type: keyword
description: >
Virtual Domain Name
- name: vendorurl
type: keyword
description: >
Vulnerability scan vendor name
- name: version
type: keyword
description: >
Version
- name: vip
type: keyword
description: >
Virtual IP
- name: virus
type: keyword
description: >
Virus name
- name: virusid
type: integer
description: >
Virus ID (unique virus identifier)
- name: voip_proto
type: keyword
description: >
VOIP protocol
- name: vpn
type: keyword
description: >
VPN description
- name: vpntunnel
type: keyword
description: >
IPsec VPN Tunnel Name
- name: vpntype
type: keyword
description: >
The type of the VPN tunnel
- name: vrf
type: integer
description: >
VRF number
- name: vulncat
type: keyword
description: >
Vulnerability Category
- name: vulnid
type: integer
description: >
Vulnerability ID
- name: vulnname
type: keyword
description: >
Vulnerability name
- name: vwlid
type: integer
description: >
VWL ID
- name: vwlquality
type: keyword
description: >
VWL quality
- name: vwlservice
type: keyword
description: >
VWL service
- name: vwpvlanid
type: integer
description: >
VWP VLAN ID
- name: wanin
type: long
description: >
WAN incoming traffic in bytes
- name: wanoptapptype
type: keyword
description: >
WAN Optimization Application type
- name: wanout
type: long
description: >
WAN outgoing traffic in bytes
- name: weakwepiv
type: keyword
description: >
Weak WEP Initialization Vector
- name: xauthgroup
type: keyword
description: >
XAuth Group Name
- name: xauthuser
type: keyword
description: >
XAuth User Name
- name: xid
type: integer
description: >
Wireless X ID
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 through 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 through 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it's a log/packet session or Layer 2
Encapsulation Type. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation
session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GEOPIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GEOPIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (Ex: Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (Ex: Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (Ex: User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (Ex: Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, i.e. the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either the WLAN number or the WLAN name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: gcp
title: Google Cloud Platform (GCP)
description: >
Module for handling logs from Google Cloud.
fields:
- name: gcp
type: group
description: >
Fields from Google Cloud logs.
fields:
- name: destination.instance
type: group
description: >
If the destination of the connection was a VM located on the same VPC,
this field is populated with VM instance details. In a Shared VPC
configuration, project_id corresponds to the project that owns the
instance, usually the service project.
fields:
- name: project_id
type: keyword
description: >
ID of the project containing the VM.
- name: region
type: keyword
description: >
Region of the VM.
- name: zone
type: keyword
description: >
Zone of the VM.
- name: destination.vpc
type: group
description: >
If the destination of the connection was a VM located on the same VPC,
this field is populated with VPC network details. In a Shared VPC
configuration, project_id corresponds to that of the host project.
fields:
- name: project_id
type: keyword
description: >
ID of the project containing the VM.
- name: vpc_name
type: keyword
description: >
VPC on which the VM is operating.
- name: subnetwork_name
type: keyword
description: >
Subnetwork on which the VM is operating.
- name: source.instance
type: group
description: >
If the source of the connection was a VM located on the same VPC, this
field is populated with VM instance details. In a Shared VPC
configuration, project_id corresponds to the project that owns the
instance, usually the service project.
fields:
- name: project_id
type: keyword
description: >
ID of the project containing the VM.
- name: region
type: keyword
description: >
Region of the VM.
- name: zone
type: keyword
description: >
Zone of the VM.
- name: source.vpc
type: group
description: >
If the source of the connection was a VM located on the same VPC, this
field is populated with VPC network details. In a Shared VPC
configuration, project_id corresponds to that of the host project.
fields:
- name: project_id
type: keyword
description: >
ID of the project containing the VM.
- name: vpc_name
type: keyword
description: >
VPC on which the VM is operating.
- name: subnetwork_name
type: keyword
description: >
Subnetwork on which the VM is operating.
- name: audit
type: group
description: >
Fields for Google Cloud audit logs.
fields:
- name: type
type: keyword
description: >
Type property.
- name: authentication_info
type: group
description: >
Authentication information.
fields:
- name: principal_email
type: keyword
description: >
The email address of the authenticated user making the request.
- name: authority_selector
type: keyword
description: >
The authority selector specified by the requestor, if any. It is not guaranteed
that the principal was allowed to use this authority.
- name: authorization_info
type: array
description: >
Authorization information for the operation.
fields:
- name: permission
type: keyword
description: >
The required IAM permission.
- name: granted
type: boolean
description: >
Whether or not authorization for resource and permission was granted.
- name: resource_attributes
type: group
description: >
The attributes of the resource.
fields:
- name: service
type: keyword
description: >
The name of the service.
- name: name
type: keyword
description: >
The name of the resource.
- name: type
type: keyword
description: >
The type of the resource.
- name: method_name
type: keyword
description: >
The name of the service method or operation. For API calls, this
should be the name of the API method.
For example, 'google.datastore.v1.Datastore.RunQuery'.
- name: num_response_items
type: long
description: >
The number of items returned from a List or Query API method, if applicable.
- name: request
type: group
description: >
The operation request.
fields:
- name: proto_name
type: keyword
description: >
Type property of the request.
- name: filter
type: keyword
description: >
Filter of the request.
- name: name
type: keyword
description: >
Name of the request.
- name: resource_name
type: keyword
description: >
Name of the request resource.
- name: request_metadata
type: group
description: >
Metadata about the request.
fields:
- name: caller_ip
type: ip
description: >
The IP address of the caller.
- name: caller_supplied_user_agent
type: keyword
description: >
The user agent of the caller. This information is not authenticated and
should be treated accordingly.
- name: response
type: group
description: >
The operation response.
fields:
- name: proto_name
type: keyword
description: >
Type property of the response.
- name: details
type: group
description: >
The details of the response.
fields:
- name: group
type: keyword
description: >
The name of the group.
- name: kind
type: keyword
description: >
The kind of the response details.
- name: name
type: keyword
description: >
The name of the response details.
- name: uid
type: keyword
description: >
The uid of the response details.
- name: status
type: keyword
description: >
Status of the response.
- name: resource_name
type: keyword
description: >
The resource or collection that is the target of the operation.
The name is a scheme-less URI, not including the API service name.
For example, 'shelves/SHELF_ID/books'.
- name: resource_location
type: group
description: >
The location of the resource.
fields:
- name: current_locations
type: keyword
description: >
Current locations of the resource.
- name: service_name
type: keyword
description: >
The name of the API service performing the operation.
For example, datastore.googleapis.com.
- name: status
type: group
description: >
The status of the overall operation.
fields:
- name: code
type: integer
description: >
The status code, which should be an enum value of google.rpc.Code.
- name: message
type: keyword
description: >
A developer-facing error message, which should be in English. Any user-facing
error message should be localized and sent in the google.rpc.Status.details
field, or localized by the client.
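The request_metadata and status groups above carry who made a call (request_metadata.caller_ip) and whether the service refused it (status.code as a google.rpc.Code value). The Python below is an added example, not code from the Filebeat module or from Google: it groups audit events by caller address and flags callers whose calls are refused repeatedly with PERMISSION_DENIED (7) or UNAUTHENTICATED (16). The events are constructed, only the fields the detection reads are populated, the module-level prefix of the field names is omitted, and the threshold and window are arbitrary starting points.

```python
from datetime import datetime, timedelta

# google.rpc.Code values that status.code carries when a call is refused.
PERMISSION_DENIED = 7
UNAUTHENTICATED = 16
REJECTED = {PERMISSION_DENIED, UNAUTHENTICATED}


def _ts(value):
    """Parse an ISO-8601 @timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rejected_callers(events, threshold=3, window_minutes=5):
    """Return {caller_ip: [resource names]} for callers with at least
    `threshold` refused calls inside any window of `window_minutes`.

    Grouping is by request_metadata.caller_ip only. The schema marks
    caller_supplied_user_agent as unauthenticated, so it must not be part of
    the key: a caller can rotate it per request and split one burst across
    many buckets.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = {}
    for ev in events:
        if ev["status"]["code"] not in REJECTED:
            continue
        ip = ev["request_metadata"]["caller_ip"]
        by_ip.setdefault(ip, []).append((_ts(ev["@timestamp"]), ev["resource_name"]))

    hits = {}
    for ip, calls in by_ip.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Slide the window forward until it spans at most `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({name for _, name in calls[start:end + 1]})
                break
    return hits


def _event(ts, ip, code, resource, agent):
    # Constructed audit event; only the fields this detection reads are set.
    return {
        "@timestamp": ts,
        "resource_name": resource,
        "status": {"code": code},
        "request_metadata": {"caller_ip": ip, "caller_supplied_user_agent": agent},
    }


# Constructed sample: one external address is refused three times in 90 s
# while rotating its User-Agent; an internal address has a single denial;
# a third address has two denials ten minutes apart.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "203.0.113.7", PERMISSION_DENIED,
           "projects/example/secrets/db-password", "curl/8.4.0"),
    _event("2024-01-01T10:00:40Z", "203.0.113.7", UNAUTHENTICATED,
           "projects/example/buckets/finance", "python-requests/2.31"),
    _event("2024-01-01T10:01:30Z", "203.0.113.7", PERMISSION_DENIED,
           "projects/example/secrets/db-password", "Mozilla/5.0"),
    _event("2024-01-01T10:00:10Z", "10.0.0.5", 0,
           "projects/example/buckets/finance", "gcloud/460.0.0"),
    _event("2024-01-01T10:02:00Z", "10.0.0.5", PERMISSION_DENIED,
           "projects/example/buckets/finance", "gcloud/460.0.0"),
    _event("2024-01-01T11:00:00Z", "198.51.100.9", PERMISSION_DENIED,
           "projects/example/secrets/api-key", "curl/8.4.0"),
    _event("2024-01-01T11:10:00Z", "198.51.100.9", PERMISSION_DENIED,
           "projects/example/secrets/api-key", "curl/8.4.0"),
]

if __name__ == "__main__":
    for ip, resources in rejected_callers(SAMPLE_EVENTS).items():
        print(f"{ip}: refused on {', '.join(resources)}")
```

The second sample caller shows why the window matters: two denials ten minutes apart are noise at a five-minute window and a finding at fifteen, so tune the window to the API's normal retry behaviour rather than to the attacker's.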
- name: firewall
type: group
description: >
Fields for Google Cloud Firewall logs.
fields:
- name: rule_details
type: group
description: >
Description of the firewall rule that matched this connection.
fields:
- name: priority
type: long
description: The priority for the firewall rule.
- name: action
type: keyword
description: Action that the rule performs on match.
- name: direction
type: keyword
description: Direction of traffic that matches this rule.
- name: reference
type: keyword
description: Reference to the firewall rule.
- name: source_range
type: keyword
description: List of source ranges that the firewall rule applies to.
- name: destination_range
type: keyword
description: List of destination ranges that the firewall rule applies to.
- name: source_tag
type: keyword
description: >
List of all the source tags that the firewall rule applies to.
- name: target_tag
type: keyword
description: >
List of all the target tags that the firewall rule applies to.
- name: ip_port_info
type: array
description: >
List of ip protocols and applicable port ranges for rules.
- name: source_service_account
type: keyword
description: >
List of all the source service accounts that the firewall rule applies to.
- name: target_service_account
type: keyword
description: >
List of all the target service accounts that the firewall rule applies to.
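The rule_details group records the rule that matched a logged connection, including its action, direction, source ranges and ip_port_info. As an added example (not the module's code), the Python below scans constructed firewall log entries for matched rules that ALLOW INGRESS from an unrestricted source range (0.0.0.0/0 or ::/0) to an administrative or database port. The element shape of ip_port_info ({"ip_protocol", "port_range"}), the list of sensitive ports, and the nesting under a bare `firewall` key with the module prefix omitted are all assumptions.

```python
import ipaddress

# Ports whose exposure to every source address is worth an alert (assumption).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def _unrestricted(cidr):
    """True for 0.0.0.0/0, ::/0 or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _exposed_ports(ip_port_info):
    """Map ip_port_info entries to the sensitive ports they cover.

    Assumed element shape: {"ip_protocol": "tcp", "port_range": ["22", "1024-2048"]}.
    An entry without port_range covers every port of that protocol.
    """
    exposed = set()
    for entry in ip_port_info or []:
        if entry.get("ip_protocol", "all").lower() not in ("tcp", "all"):
            continue
        for rng in entry.get("port_range") or ["0-65535"]:
            lo, _, hi = str(rng).partition("-")
            lo, hi = int(lo), int(hi or lo)
            exposed.update(p for p in SENSITIVE_PORTS if lo <= p <= hi)
    return exposed


def risky_ingress_rules(entries):
    """Return {rule reference: [service names]} for log entries whose matched
    rule ALLOWs INGRESS from an unrestricted source range to at least one
    sensitive port. Many connections match one rule, so results are keyed by
    rule_details.reference and reported once."""
    findings = {}
    for entry in entries:
        rule = entry["firewall"]["rule_details"]
        if rule["action"].upper() != "ALLOW" or rule["direction"].upper() != "INGRESS":
            continue
        if not any(_unrestricted(r) for r in rule.get("source_range", [])):
            continue
        ports = _exposed_ports(rule.get("ip_port_info"))
        if ports:
            findings[rule["reference"]] = sorted(SENSITIVE_PORTS[p] for p in ports)
    return findings


def _entry(reference, action, direction, source_range, ip_port_info, priority=1000):
    # Constructed log entry; only rule_details is populated.
    return {"firewall": {"rule_details": {
        "reference": reference, "priority": priority, "action": action,
        "direction": direction, "source_range": source_range,
        "ip_port_info": ip_port_info}}}


SAMPLE_ENTRIES = [
    _entry("network:default/firewall:allow-ssh-anywhere", "ALLOW", "INGRESS",
           ["0.0.0.0/0"], [{"ip_protocol": "tcp", "port_range": ["22"]}]),
    _entry("network:default/firewall:allow-web", "ALLOW", "INGRESS",
           ["0.0.0.0/0"], [{"ip_protocol": "tcp", "port_range": ["80", "443"]}]),
    _entry("network:default/firewall:allow-internal", "ALLOW", "INGRESS",
           ["10.128.0.0/9"], [{"ip_protocol": "all"}], priority=65534),
    _entry("network:default/firewall:deny-rdp", "DENY", "INGRESS",
           ["0.0.0.0/0"], [{"ip_protocol": "tcp", "port_range": ["3389"]}], priority=900),
    _entry("network:default/firewall:allow-all-v6", "ALLOW", "INGRESS",
           ["::/0"], [{"ip_protocol": "all"}]),
    # The same SSH rule matched a second connection; it must not be reported twice.
    _entry("network:default/firewall:allow-ssh-anywhere", "ALLOW", "INGRESS",
           ["0.0.0.0/0"], [{"ip_protocol": "tcp", "port_range": ["22"]}]),
]

if __name__ == "__main__":
    for ref, services in risky_ingress_rules(SAMPLE_ENTRIES).items():
        print(f"{ref}: {', '.join(services)} open to the Internet")
```

Because the log only names the rule that actually matched, this catches permissive rules that are in use, which is the set worth fixing first; a rule that exists but never matches a connection will not appear here and needs a configuration audit instead.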
- name: vpcflow
type: group
description: >
Fields for Google Cloud VPC flow logs.
fields:
- name: reporter
type: keyword
description: >
The side which reported the flow. Can be either 'SRC' or 'DEST'.
- name: rtt.ms
type: long
description: >
Latency as measured (for TCP flows only) during the time interval. This is
the time elapsed between sending a SEQ and receiving a corresponding ACK
and it contains the network RTT as well as the application related delay.
- key: google_workspace
title: "google_workspace"
description: >
Google Workspace Module
fields:
- name: google_workspace
type: group
description: >
Google Workspace specific fields.
More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
fields:
- name: actor.type
type: keyword
description: >
The type of actor.
Values can be:
*USER*: Another user in the same domain.
*EXTERNAL_USER*: A user outside the domain.
*KEY*: A non-human actor.
- name: actor.key
type: keyword
description: >
Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
- name: event.type
type: keyword
description: >
The type of Google Workspace event, mapped from `items[].events[].type` in the original payload.
Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
example: audit#activity
- name: kind
type: keyword
description: >
The type of API resource, mapped from `kind` in the original payload.
More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
example: audit#activity
- name: organization.domain
type: keyword
description: >
The domain that is affected by the report's event.
- name: admin
type: group
fields:
- name: application.edition
type: keyword
description: The Google Workspace edition.
- name: application.name
type: keyword
description: The application's name.
- name: application.enabled
type: keyword
description: The enabled application.
- name: application.licences_order_number
type: keyword
description: Order number used to redeem licenses.
- name: application.licences_purchased
type: keyword
description: Number of licences purchased.
- name: application.id
type: keyword
description: The application ID.
- name: application.asp_id
type: keyword
description: The application specific password ID.
- name: application.package_id
type: keyword
description: The mobile application package ID.
- name: group.email
type: keyword
description: The group's primary email address.
- name: new_value
type: keyword
description: The new value for the setting.
- name: old_value
type: keyword
description: The old value for the setting.
- name: org_unit.name
type: keyword
description: The organizational unit name.
- name: org_unit.full
type: keyword
description: The org unit full path including the root org unit name.
- name: setting.name
type: keyword
description: The setting name.
- name: user_defined_setting.name
type: keyword
description: The name of the user-defined setting.
- name: setting.description
type: keyword
description: The setting description.
- name: group.priorities
type: keyword
description: Group priorities.
- name: domain.alias
type: keyword
description: The domain alias.
- name: domain.name
type: keyword
description: The primary domain name.
- name: domain.secondary_name
type: keyword
description: The secondary domain name.
- name: managed_configuration
type: keyword
description: The name of the managed configuration.
- name: non_featured_services_selection
type: keyword
description: >
Non-featured services selection.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
- name: field
type: keyword
description: The name of the field.
- name: resource.id
type: keyword
description: The resource identifier.
- name: user.email
type: keyword
description: The user's primary email address.
- name: user.nickname
type: keyword
description: The user's nickname.
- name: user.birthdate
type: date
description: The user's birth date.
- name: gateway.name
type: keyword
description: Gateway name. Present on some chat settings.
- name: chrome_os.session_type
type: keyword
description: Chrome OS session type.
- name: device.serial_number
type: keyword
description: Device serial number.
- name: device.id
type: keyword
description: Device identifier.
- name: device.type
type: keyword
description: Device type.
- name: print_server.name
type: keyword
description: The name of the print server.
- name: printer.name
type: keyword
description: The name of the printer.
- name: device.command_details
type: keyword
description: Command details.
- name: role.id
type: keyword
description: Unique identifier for this role privilege.
- name: role.name
type: keyword
description: >
The role name.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
- name: privilege.name
type: keyword
description: Privilege name.
- name: service.name
type: keyword
description: The service name.
- name: url.name
type: keyword
description: The website name.
- name: product.name
type: keyword
description: The product name.
- name: product.sku
type: keyword
description: The product SKU.
- name: bulk_upload.failed
type: long
description: Number of failed records in bulk upload operation.
- name: bulk_upload.total
type: long
description: Number of total records in bulk upload operation.
- name: group.allowed_list
type: keyword
description: Names of allow-listed groups.
- name: email.quarantine_name
type: keyword
description: The name of the quarantine.
- name: email.log_search_filter.message_id
type: keyword
description: The log search filter's email message ID.
- name: email.log_search_filter.start_date
type: date
description: The log search filter's start date.
- name: email.log_search_filter.end_date
type: date
description: The log search filter's ending date.
- name: email.log_search_filter.recipient.value
type: keyword
description: The log search filter's email recipient.
- name: email.log_search_filter.sender.value
type: keyword
description: The log search filter's email sender.
- name: email.log_search_filter.recipient.ip
type: ip
description: The log search filter's email recipient's IP address.
- name: email.log_search_filter.sender.ip
type: ip
description: The log search filter's email sender's IP address.
- name: chrome_licenses.enabled
type: keyword
description: >
Licences enabled.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
- name: chrome_licenses.allowed
type: keyword
description: >
Licences allowed.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
- name: oauth2.service.name
type: keyword
description: >
OAuth2 service name.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
- name: oauth2.application.id
type: keyword
description: OAuth2 application ID.
- name: oauth2.application.name
type: keyword
description: OAuth2 application name.
- name: oauth2.application.type
type: keyword
description: >
OAuth2 application type.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
- name: verification_method
type: keyword
description: >
Related verification method.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
- name: alert.name
type: keyword
description: The alert name.
- name: rule.name
type: keyword
description: The rule name.
- name: api.client.name
type: keyword
description: The API client name.
- name: api.scopes
type: keyword
description: The API scopes.
- name: mdm.token
type: keyword
description: The MDM vendor enrollment token.
- name: mdm.vendor
type: keyword
description: The MDM vendor's name.
- name: info_type
type: keyword
description: >
The kind of information that was changed.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
- name: email_monitor.dest_email
type: keyword
description: The destination address of the email monitor.
- name: email_monitor.level.chat
type: keyword
description: The chat email monitor level.
- name: email_monitor.level.draft
type: keyword
description: The draft email monitor level.
- name: email_monitor.level.incoming
type: keyword
description: The incoming email monitor level.
- name: email_monitor.level.outgoing
type: keyword
description: The outgoing email monitor level.
- name: email_dump.include_deleted
type: boolean
description: Indicates if deleted emails are included in the export.
- name: email_dump.package_content
type: keyword
description: The contents of the mailbox package.
- name: email_dump.query
type: keyword
description: The search query used for the dump.
- name: request.id
type: keyword
description: The request ID.
- name: mobile.action.id
type: keyword
description: The mobile device action's ID.
- name: mobile.action.type
type: keyword
description: >
The mobile device action's type.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
- name: mobile.certificate.name
type: keyword
description: The mobile certificate common name.
- name: mobile.company_owned_devices
type: long
description: The number of devices a company owns.
- name: distribution.entity.name
type: keyword
description: >
The distribution entity value, which can be a group name or an org-unit name.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
- name: distribution.entity.type
type: keyword
description: >
The distribution entity type, which can be a group or an org-unit.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
- name: drive
type: group
fields:
- name: billable
type: boolean
description: Whether this activity is billable.
- name: source_folder_id
type: keyword
description: ID of the source folder.
- name: source_folder_title
type: keyword
description: Title of the source folder.
- name: destination_folder_id
type: keyword
description: ID of the destination folder.
- name: destination_folder_title
type: keyword
description: Title of the destination folder.
- name: file.id
type: keyword
description: Drive ID of the file or folder the event refers to.
- name: file.type
type: keyword
description: >
Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: originating_app_id
type: keyword
description: >
The Google Cloud Project ID of the application that performed the action.
- name: file.owner.email
type: keyword
description: Email address of the file owner.
- name: file.owner.is_shared_drive
type: boolean
description: >
Boolean flag denoting whether owner is a shared drive.
- name: primary_event
type: boolean
description: >
Whether this is a primary event. A single user action in Drive may generate several events.
- name: shared_drive_id
type: keyword
description: >
The unique identifier of the Team Drive. Only populated for events relating to a Team Drive or an item contained inside a Team Drive.
- name: visibility
type: keyword
description: >
Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: new_value
type: keyword
description: >
When a setting or property of the file changes, the new value for it will appear here.
- name: old_value
type: keyword
description: >
When a setting or property of the file changes, the old value for it will appear here.
- name: sheets_import_range_recipient_doc
type: keyword
description: Doc ID of the recipient of a sheets import range.
- name: old_visibility
type: keyword
description: >
When visibility changes, this holds the old value.
- name: visibility_change
type: keyword
description: >
When visibility changes, this holds the new overall visibility of the file.
- name: target_domain
type: keyword
description: >
The domain for which the access scope was changed. This can also be the alias `all`, indicating that the access scope was changed for all domains that have visibility for this document.
- name: added_role
type: keyword
description: >
Added membership role of a user/group in a Team Drive.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: membership_change_type
type: keyword
description: >
Type of change in Team Drive membership of a user/group.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: shared_drive_settings_change_type
type: keyword
description: >
Type of change in Team Drive settings.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: removed_role
type: keyword
description: >
Removed membership role of a user/group in a Team Drive.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: target
type: keyword
description: Target user or group.
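The drive group above pairs old_visibility with visibility_change and flags each event as primary or not, because one user action in Drive emits several events. The Python below is an added example, not the module's or Google's code: it reports files whose visibility was widened to a value reachable from outside the organisation, counting only primary events so one action is reported once. The set of external visibility values is an assumption drawn from the Drive appendix the schema links to, the sample events are constructed, and the module prefix on field names is omitted.

```python
# Visibility values that put a file within reach of people outside the
# organisation. Assumed from Google's Drive audit appendix; adjust to policy.
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}


def external_exposures(events):
    """Return one finding per Drive file whose visibility moved from an
    internal value to an external one.

    Only events with drive.primary_event true are considered: the secondary
    events of the same action repeat the same old/new visibility and would
    otherwise produce duplicate alerts.
    """
    findings = []
    for ev in events:
        drive = ev["google_workspace"]["drive"]
        if not drive.get("primary_event", True):
            continue
        old = drive.get("old_visibility")
        new = drive.get("visibility_change")
        if new in EXTERNAL_VISIBILITY and old not in EXTERNAL_VISIBILITY:
            owner = drive["file"]["owner"]
            findings.append({
                "file_id": drive["file"]["id"],
                "owner": owner["email"],
                "from": old,
                "to": new,
                "shared_drive": owner.get("is_shared_drive", False),
            })
    return findings


def _event(file_id, owner, old, new, primary=True, shared_drive=False):
    # Constructed Drive audit event; the event type name is assumed.
    return {"google_workspace": {
        "event": {"type": "change_document_visibility"},
        "drive": {
            "file": {"id": file_id, "owner": {"email": owner, "is_shared_drive": shared_drive}},
            "old_visibility": old,
            "visibility_change": new,
            "primary_event": primary,
        },
    }}


SAMPLE_EVENTS = [
    # One user action: a primary event plus two secondary ones with the same values.
    _event("f-001", "alice@example.com", "people_within_domain", "people_with_link"),
    _event("f-001", "alice@example.com", "people_within_domain", "people_with_link", primary=False),
    _event("f-001", "alice@example.com", "people_within_domain", "people_with_link", primary=False),
    # Widened, but still internal: not reported.
    _event("f-002", "bob@example.com", "private", "people_within_domain"),
    # Narrowed from an external value: not reported.
    _event("f-003", "carol@example.com", "people_with_link", "private"),
    # Shared-drive item made public.
    _event("f-004", "finance-drive", "people_within_domain", "public_on_the_web", shared_drive=True),
]

if __name__ == "__main__":
    for f in external_exposures(SAMPLE_EVENTS):
        print(f"{f['file_id']} ({f['owner']}): {f['from']} -> {f['to']}")
```

Dropping the primary_event filter turns the first action into three alerts; keeping it is the difference between a usable rule and one that analysts learn to ignore.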
- name: groups
type: group
fields:
- name: acl_permission
type: keyword
description: >
Group permission setting updated.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: email
type: keyword
description: >
Group email.
- name: member.email
type: keyword
description: >
Member email.
- name: member.role
type: keyword
description: >
Member role.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: setting
type: keyword
description: >
Group setting updated.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: new_value
type: keyword
description: >
New value(s) of the group setting.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: old_value
type: keyword
description: >
Old value(s) of the group setting.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: value
type: keyword
description: >
Value of the group setting.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- name: message.id
type: keyword
description: >
SMTP message Id of an email message.
Present for moderation events.
- name: message.moderation_action
type: keyword
description: >
Message moderation action.
Possible values are `approved` and `rejected`.
- name: status
type: keyword
description: >
A status describing the output of an operation.
Possible values are `failed` and `succeeded`.
- name: login
type: group
fields:
- name: affected_email_address
type: keyword
description: Email address of the account affected by the login event.
- name: challenge_method
type: keyword
description: >
Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- name: failure_type
type: keyword
description: >
Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- name: type
type: keyword
description: >
Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- name: is_second_factor
type: boolean
description: Whether the event was a second-factor authentication step.
- name: is_suspicious
type: boolean
description: Whether Google flagged the login as suspicious.
- name: saml
type: group
fields:
- name: application_name
type: keyword
description: >
SAML SP application name.
- name: failure_type
type: keyword
description: >
Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
- name: initiated_by
type: keyword
description: >
Requester of SAML authentication.
- name: orgunit_path
type: keyword
description: >
Organizational unit path of the user.
- name: status_code
type: keyword
description: >
SAML status code.
- name: second_level_status_code
type: keyword
description: >
SAML second level status code.
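The login group above exposes failure_type, is_suspicious and is_second_factor per login event, alongside google_workspace.event.type. As an added example (not the module's or Google's code), the Python below runs two checks over constructed events: it surfaces any event Google itself marked suspicious, and it reports a login_success that follows several login_failure events for the same user within a short window, the guess-then-succeed shape of a credential-stuffing hit. The event type and failure_type strings follow the names used in Google's login appendix but are assumed here, and the user's address is assumed to be in the ECS user.email field.

```python
from datetime import datetime, timedelta


def _ts(value):
    """Parse an ISO-8601 @timestamp such as 2024-03-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def login_findings(events, min_failures=3, window_minutes=10):
    """Return (user, reason) tuples, ordered by user then time.

    Two patterns: an event whose google_workspace.login.is_suspicious is true,
    and a login_success preceded by at least `min_failures` login_failure
    events for the same user inside `window_minutes`.
    """
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"]["email"], []).append(ev)

    findings = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: _ts(e["@timestamp"]))
        failures = []  # (time, failure_type) since the last success
        for ev in evs:
            gw = ev["google_workspace"]
            login = gw.get("login", {})
            when = _ts(ev["@timestamp"])
            if login.get("is_suspicious"):
                findings.append((user, "suspicious_login"))
            etype = gw["event"]["type"]
            if etype == "login_failure":
                failures.append((when, login.get("failure_type")))
            elif etype == "login_success":
                recent = [f for f in failures if when - f[0] <= window]
                if len(recent) >= min_failures:
                    kinds = ",".join(sorted({k for _, k in recent if k}))
                    findings.append((user, f"success_after_{len(recent)}_failures[{kinds}]"))
                failures = []
    return findings


def _event(ts, user, etype, failure_type=None, suspicious=False):
    # Constructed login event; event type and failure_type names are assumed.
    return {
        "@timestamp": ts,
        "user": {"email": user},
        "google_workspace": {
            "event": {"type": etype},
            "login": {"failure_type": failure_type, "is_suspicious": suspicious,
                      "is_second_factor": False},
        },
    }


BAD_PW = "login_failure_invalid_password"
SAMPLE_EVENTS = [
    # alice: three bad passwords, then a success four minutes later.
    _event("2024-03-01T09:00:00Z", "alice@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T09:01:00Z", "alice@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T09:02:00Z", "alice@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T09:05:00Z", "alice@example.com", "login_success"),
    # bob: a single typo, then success.
    _event("2024-03-01T08:00:00Z", "bob@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T08:01:00Z", "bob@example.com", "login_success"),
    # carol: Google marked the successful login suspicious.
    _event("2024-03-01T12:00:00Z", "carol@example.com", "login_success", suspicious=True),
    # dave: three failures spread over two hours, then success.
    _event("2024-03-01T10:00:00Z", "dave@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T10:30:00Z", "dave@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T11:00:00Z", "dave@example.com", "login_failure", BAD_PW),
    _event("2024-03-01T11:05:00Z", "dave@example.com", "login_success"),
]

if __name__ == "__main__":
    for user, reason in login_findings(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

The failure list is reset on each success so a user's ordinary typos earlier in the day do not accumulate into a false positive; the window handles the case where failures are spread thin, as with the fourth sample user.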
- key: ibmmq
title: "ibmmq"
description: >
ibmmq Module
release: ga
fields:
- name: ibmmq
type: group
description: >
IBM MQ module fields.
fields:
- name: errorlog
description: IBM MQ error logs
type: group
fields:
- name: installation
description: >
This is the installation name which can be given at installation time.
Each installation of IBM MQ on UNIX, Linux, and Windows has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.
type: keyword
- name: qmgr
description: >
Name of the queue manager. Queue managers provide queuing services to applications and manage the queues that belong to them.
type: keyword
- name: arithinsert
description: Numeric (arithmetic) message insert; its content depends on error.id.
type: keyword
- name: commentinsert
description: Text (comment) message insert; its content depends on error.id.
type: keyword
- name: errordescription
description: The message text that follows the error code in the log entry.
type: text
- name: explanation
description: Explains the error in more detail
type: keyword
- name: action
description: Defines what to do when the error occurs
type: keyword
- name: code
description: Error code.
type: keyword
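The errorlog group above names the pieces of an IBM MQ error log record: the installation and queue manager from the header, the message inserts, the code and description line, and the EXPLANATION and ACTION sections. The Python below is an added example, not the module's ingest pipeline or IBM's code: a parser that splits an AMQERR-style log into records and maps each onto these field names, plus a small summary of authority failures. The sample log is constructed in the layout of an MQ error log; the message texts, the host and queue names, and the assumption that the entity on an AMQ8077 message arrives as the first comment insert are illustrative.

```python
import re

# Header tokens look like Key(value); the value may contain spaces but not ')'.
_KV = re.compile(r"(\w+)\(([^)]*)\)")
# Message line: AMQ code with optional severity letter, colon, description.
_MSG = re.compile(r"^(AMQ\d{4}[A-Z]?):\s*(.*)$", re.M)
# Records end with a line of dashes that may name a source file and line.
_SEP = re.compile(r"^-{5,}.*$", re.M)


def _squash(text):
    """Collapse wrapped lines and surrounding whitespace into one string."""
    return " ".join(text.split())


def parse_errorlog(text):
    """Split an AMQERR-style log into records keyed by the ibmmq.errorlog
    field names. Inserts are returned as lists because one message can carry
    several ArithInsertN / CommentInsertN tokens."""
    records = []
    for chunk in _SEP.split(text):
        msg = _MSG.search(chunk)
        if not msg:
            continue  # blank tail or a block without a message line
        header = dict(_KV.findall(chunk[:msg.start()]))
        # From the description onward, cut at the two fixed section labels.
        desc, _, rest = chunk[msg.start(2):].partition("EXPLANATION:")
        explanation, _, action = rest.partition("ACTION:")
        records.append({
            "ibmmq.errorlog.installation": header.get("Installation"),
            "ibmmq.errorlog.qmgr": header.get("QMgr"),
            "ibmmq.errorlog.code": msg.group(1),
            "ibmmq.errorlog.errordescription": _squash(desc),
            "ibmmq.errorlog.explanation": _squash(explanation),
            "ibmmq.errorlog.action": _squash(action),
            "ibmmq.errorlog.arithinsert": [v for k, v in header.items() if k.startswith("ArithInsert")],
            "ibmmq.errorlog.commentinsert": [v for k, v in header.items() if k.startswith("CommentInsert")],
        })
    return records


def authority_failures(records):
    """Count AMQ8077 (insufficient authority) messages per (qmgr, entity).
    Assumes the entity is the first comment insert on that message."""
    counts = {}
    for rec in records:
        if rec["ibmmq.errorlog.code"].startswith("AMQ8077"):
            entity = (rec["ibmmq.errorlog.commentinsert"] or [None])[0]
            key = (rec["ibmmq.errorlog.qmgr"], entity)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample in the layout of an IBM MQ error log.
SAMPLE_LOG = """\
10/29/2020 08:29:05 AM - Process(28434.1) User(mqm) Program(amqrmppa)
                    Host(mq-host) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM1)
                    Time(2020-10-29T08:29:05.123Z)
                    ArithInsert1(1) CommentInsert1(192.0.2.10)
                    CommentInsert2(TO.QM2)

AMQ9209E: Connection to host '192.0.2.10' for channel 'TO.QM2' closed.

EXPLANATION:
An error occurred receiving data from '192.0.2.10' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
----- amqccita.c : 4076 -------------------------------------------------------
10/29/2020 08:31:00 AM - Process(28434.1) User(mqm) Program(amqzlaa0)
                    Host(mq-host) Installation(Installation1)
                    VRMF(9.1.0.0) QMgr(QM1)
                    Time(2020-10-29T08:31:00.001Z)
                    CommentInsert1(app1) CommentInsert2(APP.QUEUE)

AMQ8077W: Entity 'app1' has insufficient authority to access object 'APP.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object.
ACTION:
Ensure that the correct level of authority has been set for this entity.
----- amqzfubn.c : 518 --------------------------------------------------------
"""

if __name__ == "__main__":
    recs = parse_errorlog(SAMPLE_LOG)
    for rec in recs:
        print(rec["ibmmq.errorlog.qmgr"], rec["ibmmq.errorlog.code"], rec["ibmmq.errorlog.errordescription"])
    print(authority_failures(recs))
```

Splitting on the trailing dash line rather than on the date line keeps a record whole even when the explanation wraps or the description itself contains a timestamp; the inserts are kept separately from the rendered message so a rule can key on the entity or queue name without re-parsing English text.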
- key: imperva
title: Imperva SecureSphere
description: >
imperva fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 through 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 through 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: >
This key is used to identify if it's a log/packet session or Layer 2 Encapsulation Type.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAP that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 character of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the IP protocol number; all protocol numbers are converted to strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for uninterpreted LDAP values, i.e. LDAP values that don't have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of a file, as found in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the SSID of a wireless session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the MaxMind GeoIP database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the MaxMind GeoIP database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: infoblox
title: Infoblox NIOS
description: >
infoblox fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte of the request side is simply which byte value (0 through 255) was seen the most in that stream
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte of the response side is simply which byte value (0 through 255) was seen the most in that stream
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with the database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, meaning any
hostname that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing the source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet Type, used for Layer 3 Protocols
only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only;
when the destination context is not clear, use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only; when
the source context is not clear, use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the Company name of a file as found in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the SSID of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: iptables
title: iptables
description: >
Module for handling the iptables logs.
fields:
- name: iptables
type: group
description: >
Fields from the iptables logs.
fields:
- name: ether_type
type: long
description: >
Value of the ethernet type field identifying the network layer protocol.
- name: flow_label
type: integer
description: >
IPv6 flow label.
- name: fragment_flags
type: keyword
description: >
IP fragment flags. A combination of CE, DF and MF.
- name: fragment_offset
type: long
description: >
Offset of the current IP fragment.
- name: icmp
type: group
description: >
ICMP fields.
fields:
- name: code
type: long
description: >
ICMP code.
- name: id
type: long
description: >
ICMP ID.
- name: parameter
type: long
description: >
ICMP parameter.
- name: redirect
type: ip
description: >
ICMP redirect address.
- name: seq
type: long
description: >
ICMP sequence number.
- name: type
type: long
description: >
ICMP type.
- name: id
type: long
description: >
Packet identifier.
- name: incomplete_bytes
type: long
description: >
Number of incomplete bytes.
- name: input_device
type: keyword
description: >
Device that received the packet.
- name: precedence_bits
type: short
description: >
IP precedence bits.
- name: tos
type: long
description: >
IP Type of Service field.
- name: length
type: long
description: >
Packet length.
- name: output_device
type: keyword
description: >
Device that output the packet.
- name: tcp
type: group
description: >
TCP fields.
fields:
- name: flags
type: keyword
description: >
TCP flags.
- name: reserved_bits
type: short
description: >
TCP reserved bits.
- name: seq
type: long
description: >
TCP sequence number.
- name: ack
type: long
description: >
TCP Acknowledgment number.
- name: window
type: long
description: >
Advertised TCP window size.
- name: ttl
type: integer
description: >
Time To Live field.
- name: udp
type: group
description: >
UDP fields.
fields:
- name: length
type: long
description: >
Length of the UDP header and payload.
- name: ubiquiti
type: group
description: >
Fields for Ubiquiti network devices.
fields:
- name: input_zone
type: keyword
description: >
Input zone.
- name: output_zone
type: keyword
description: >
Output zone.
- name: rule_number
type: keyword
description: >
The rule number within the rule set.
- name: rule_set
type: keyword
description: >
The rule set name.
- key: juniper
title: Juniper JUNOS
description: >
juniper fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which of them it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. This key should never
be used to parse metadata directly from a session (logs/packets); it is a reserved
key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for the regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures the source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, that is, any
hostname that is not ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (neither uses the UInt16 that a port actually needs)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet Type; used for layer 3 protocols
only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all protocol
numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviors of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture the authentication method used
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: This key is for uninterpreted LDAP values, that is, LDAP values that
do not have a clear query or response context
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This is a Windows-specific key used to capture the name of the account
that a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of a file as found in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
MaxMind GeoIP database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the MaxMind
GeoIP database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse metadata directly from a session (logs/packets);
it is a reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse metadata directly from a session (logs/packets); it is a reserved
key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse metadata directly from a session (logs/packets); it is a reserved
key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse metadata directly from a session (logs/packets); it is
a reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse metadata directly from a session (logs/packets); it is a reserved
key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse metadata directly from a session (logs/packets);
it is a reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the classification of the log event source under a predefined
fixed set of event source classifications. This key should never be used to
parse metadata directly from a session (logs/packets); it is a reserved key
in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse metadata directly from a session
(logs/packets); it is a reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the hostname of the log event source sending the logs to
NetWitness. This key should never be used to parse metadata directly from a session
(logs/packets); it is a reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the log event source sending the logs
to NetWitness. This key should never be used to parse metadata directly from a session
(logs/packets); it is a reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the log event source sending the logs
to NetWitness. This key should never be used to parse metadata directly from a session
(logs/packets); it is a reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse metadata directly from a session (logs/packets);
it is a reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse metadata directly from a session (logs/packets);
it is a reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
(request side) is simply which byte value (0 through 255) was seen most often on that side
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
(response side) is simply which byte value (0 through 255) was seen most often on that side
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint-related.
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
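The entropy_req/entropy_res, mcb_*, mcbc_*, ubc_* and payload_* keys above are all outputs of one parser run over the two sides of a session. The following Python is an added example, not NetWitness's Entropy Parser and not code from this module: it computes the same five per-side metrics from constructed request/response byte strings and applies a simple opacity heuristic on top of them. Assumptions, none of which the field definitions state: entropy is reported as a float in bits per byte (the UInt16 encoding mentioned above is not specified here), ties for the most common byte resolve to the lowest byte value, and the sample session bytes and the 7.5-bit threshold in looks_opaque are made up for the demonstration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte stream in bits per byte: 0.0 for empty or
    constant input, 8.0 when all 256 byte values occur equally often."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def stream_metrics(data: bytes) -> dict:
    """Per-side metrics matching the key names above: payload size, entropy,
    most common byte (mcb), its count (mcbc) and unique byte count (ubc).
    Ties for mcb resolve to the lowest byte value (an assumption made here)."""
    counts = Counter(data)
    if counts:
        mcb, mcbc = max(counts.items(), key=lambda kv: (kv[1], -kv[0]))
    else:
        mcb, mcbc = 0, 0
    return {
        "payload": len(data),
        "entropy": round(shannon_entropy(data), 6),
        "mcb": mcb,
        "mcbc": mcbc,
        "ubc": len(counts),
    }


def session_metrics(request: bytes, response: bytes) -> dict:
    """Emit both sides under the *_req / *_res key names used in fields.yml."""
    out = {}
    for side, data in (("req", request), ("res", response)):
        for key, value in stream_metrics(data).items():
            out[f"{key}_{side}"] = value
    return out


def looks_opaque(metrics: dict, side: str, threshold: float = 7.5) -> bool:
    """Heuristic: a side whose entropy is close to 8 bits/byte and that uses
    nearly every byte value is probably encrypted or compressed. The threshold
    is an assumption for this example, not a NetWitness default."""
    return metrics[f"entropy_{side}"] >= threshold and metrics[f"ubc_{side}"] >= 250


# Constructed sample session: a plaintext HTTP request and an opaque response.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = bytes(range(256)) * 4  # every byte value four times: 1024 uniform bytes

if __name__ == "__main__":
    m = session_metrics(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for k in sorted(m):
        print(f"{k:14} {m[k]}")
    print("response looks opaque:", looks_opaque(m, "res"))
```

Where this is useful in practice: a response side with ubc_res at or near 256 and entropy_res near 8.0 inside a protocol that is normally plaintext is a cheap indicator of encrypted or packed content (tunnelled C2, exfiltration, a packed download) and can be queried directly on these keys without re-parsing payloads. Small payloads have noisy entropy, so gate the heuristic on payload_* as well before alerting on it.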
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
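Many keys on this page are marked either as reserved (populated by NetWitness itself; a custom log parser must never write them) or as deprecated (defined only in the table map, for example process_time and stamp in the time group above). The following Python is an added example, not part of filebeat or of this module, that reads a fields.yml fragment in the shape used on this page and labels each key as reserved, deprecated or writable, so a parser author can check the keys they intend to emit before shipping a parser. Assumptions: the sample fragment is constructed from entries on this page; the reader is a minimal line-based scanner for this flat layout rather than a YAML loader (use PyYAML for anything beyond this shape); and classification keys on the phrase "Reserved key" and a leading "Deprecated", which is how the descriptions here are worded.

```python
import re

# Constructed fragment in the shape of the fields.yml entries on this page.
SAMPLE_FIELDS_YML = """\
- name: device_type
  overwrite: true
  type: keyword
  description: This is the name of the log parser which parsed a given session.
    This key should never be used to parse Meta data from a session (Logs/Packets)
    Directly, this is a Reserved key in NetWitness
- name: device_type_id
  overwrite: true
  type: long
  description: Deprecated key defined only in table map.
- name: forward_ip
  overwrite: true
  type: ip
  description: This key should be used to capture the IPV4 address of a relay
    system which forwarded the events from the original system to NetWitness.
- name: process_time
  overwrite: true
  type: keyword
  description: Deprecated, use duration.time
"""

# Scalar keys that occur in these field entries. Any other "word:" at the start
# of a line is treated as description continuation text, so a colon inside a
# description (e.g. "Like: a physical disk") does not start a new key.
SCALAR_KEYS = {"overwrite", "type", "level", "required", "example", "default_field",
               "ignore_above", "object_type", "title", "group"}


def read_fields(text: str) -> list:
    """Minimal reader for the flat '- name / type / description' layout."""
    fields, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- name:"):
            current = {"name": line.split(":", 1)[1].strip(), "description": ""}
            fields.append(current)
            in_desc = False
            continue
        key, sep, value = line.partition(":")
        if sep and key == "description":
            current["description"] = value.strip()
            in_desc = True
        elif sep and key in SCALAR_KEYS:
            current[key] = value.strip()
            in_desc = False
        elif in_desc:
            # Continuation line of a multi-line plain scalar description.
            current["description"] += " " + line
    return fields


def classify(field: dict) -> str:
    """'deprecated' | 'reserved' | 'ok', based on the wording used on this page."""
    desc = field["description"]
    if re.match(r"deprecated\b", desc, re.I):
        return "deprecated"
    if re.search(r"reserved key", desc, re.I):
        return "reserved"
    return "ok"


def audit(text: str) -> dict:
    """Map every field name in the fragment to its classification."""
    return {f["name"]: classify(f) for f in read_fields(text)}


def writable_fields(text: str) -> list:
    """Names a custom parser may populate: neither reserved nor deprecated."""
    return [name for name, status in audit(text).items() if status == "ok"]


if __name__ == "__main__":
    for name, status in audit(SAMPLE_FIELDS_YML).items():
        print(f"{name:16} {status}")
    print("writable:", writable_fields(SAMPLE_FIELDS_YML))
```

Run the audit over the real fields.yml (loaded with a YAML library) and diff the result against the key list of any custom parser before deploying it: writing to a reserved key such as device_type or did silently overrides what NetWitness records about the event source and decoder, which corrupts provenance for every downstream query, and deprecated keys may stop being indexed without notice.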
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given in the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: The common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture the name of the Device associated with the
node, like a physical disk, printer, etc.'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. It can be linked to either the "reference.id"
or the "reference.id1" value, but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture a unique identifier for a device or system
(NOT a MAC address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture a list name or list number, primarily for
collecting access-list names/numbers
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture the agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures an IDS/IPS integer Signature ID. It must be linked
to sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware target. VMware-only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure (fallback) key for Process ID when the value
is not an integer
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employer Identification Numbers (EIN) only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. It should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname, i.e. any hostname that is not ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all protocol numbers are converted to strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture the authentication method used
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only; it is used predominantly in Healthcare to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for uninterpreted LDAP values, i.e. LDAP values that don\u2019t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is Windows-specific, used to capture the name of the account a service (referenced in the event) is running under. Legacy usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the destination email address only; when the destination context is not clear, use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only; when the source context is not clear, use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the MaxMind GeoIP database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the MaxMind GeoIP database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only; it is used predominantly in Healthcare to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only; it is used predominantly in Healthcare to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
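The groups above declare keys such as identity.password, cc_number, ein_number and the healthcare.patient_* names, which carry secrets or personal data whenever a parser fills them, so a shipper configuration should be checked for them before events are indexed. The following is an added example, not part of this file nor of Filebeat's own code: a Python audit that flattens a field list of this shape into the dotted names Filebeat produces, reports duplicate or undocumented keys and misspelled types, and builds the Filebeat `drop_fields` processor entry that removes the flagged keys at the shipper. The field list is a constructed excerpt modelled on entries from this page; the enclosing `rsa` group, the type allow-list and the sensitive-name markers are assumptions.

```python
"""Audit a Filebeat fields.yml-style field list: flatten groups to dotted
names, find duplicate, undocumented or mistyped keys, and flag fields that
carry secrets or personal data so they can be dropped before indexing."""

# Constructed excerpt modelled on entries from this page (not the full file).
# The enclosing "rsa" group is an assumption: on this page its opening line
# lies above the excerpt. One duplicate and one bad type are added on purpose.
FIELDS = [
    {"name": "rsa", "type": "group", "fields": [
        {"name": "cc_number", "type": "long",
         "description": "Valid Credit Card Numbers only"},
        {"name": "identity", "type": "group", "fields": [
            {"name": "password", "type": "keyword",
             "description": "This key is for Passwords seen in any session"},
            {"name": "dn", "type": "keyword",
             "description": "X.500 (LDAP) Distinguished Name"},
        ]},
        {"name": "healthcare", "type": "group", "fields": [
            {"name": "patient_id", "type": "keyword",
             "description": "This key captures the unique ID for a patient"},
            {"name": "patient_lname", "type": "keyword"},  # no description
        ]},
        {"name": "network", "type": "group", "fields": [
            {"name": "alias_host", "type": "keyword"},
        ]},
        {"name": "web", "type": "group", "fields": [
            {"name": "alias_host", "type": "keyword"},
            {"name": "alias_host", "type": "keyword"},  # constructed duplicate
        ]},
    ]},
    {"name": "juniper.srx", "type": "group", "fields": [
        {"name": "username", "type": "keyword", "description": "username"},
        {"name": "elapsed_time", "type": "datetime"},  # constructed bad type
    ]},
]

# Elasticsearch field types this fragment uses (assumed allow-list).
ALLOWED_TYPES = {"keyword", "long", "integer", "double", "ip", "date",
                 "match_only_text", "object", "boolean", "float", "text"}

# Leaf-name substrings that mark secrets or personal data (assumed list).
SENSITIVE_MARKERS = ("password", "cc_number", "ein_number", "patient_")


def flatten(fields, prefix=""):
    """Yield (dotted_name, type, has_description) for every leaf field,
    descending into type: group entries the way Filebeat does."""
    for field in fields:
        name = prefix + field["name"]
        if field.get("type") == "group":
            yield from flatten(field.get("fields", []), name + ".")
        else:
            # Filebeat treats a missing type as keyword.
            yield name, field.get("type", "keyword"), bool(field.get("description"))


def audit(fields):
    """Return the findings a reviewer wants before merging a fields.yml change."""
    leaves = list(flatten(fields))
    counts = {}
    for name, _, _ in leaves:
        counts[name] = counts.get(name, 0) + 1
    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "bad_types": sorted({n for n, t, _ in leaves if t not in ALLOWED_TYPES}),
        "undocumented": sorted({n for n, _, d in leaves if not d}),
        "sensitive": sorted({
            n for n, _, _ in leaves
            if any(m in n.rsplit(".", 1)[-1] for m in SENSITIVE_MARKERS)}),
    }


def drop_fields_processor(sensitive):
    """Build the Filebeat `drop_fields` processor entry that removes the
    flagged keys before the event leaves the shipper."""
    return {"drop_fields": {"fields": list(sensitive), "ignore_missing": True}}


if __name__ == "__main__":
    report = audit(FIELDS)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
    print(drop_fields_processor(report["sensitive"]))
```

The dotted-name flattening matters for the duplicate check: `alias_host` is declared under both `network` and `web` on this page, which is legitimate because they become `rsa.network.alias_host` and `rsa.web.alias_host`; only a repeat within one group is a real collision. Dropping is the blunt option; for keys an investigation still needs, a `fingerprint` processor on the same list keeps a searchable hash without the cleartext.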
- name: juniper.srx
type: group
release: beta
overwrite: true
description: >
Module for parsing junipersrx syslog.
fields:
- name: reason
type: keyword
description: >
reason
- name: connection_tag
type: keyword
description: >
connection tag
- name: service_name
type: keyword
description: >
service name
- name: nat_connection_tag
type: keyword
description: >
nat connection tag
- name: src_nat_rule_type
type: keyword
description: >
src nat rule type
- name: src_nat_rule_name
type: keyword
description: >
src nat rule name
- name: dst_nat_rule_type
type: keyword
description: >
dst nat rule type
- name: dst_nat_rule_name
type: keyword
description: >
dst nat rule name
- name: protocol_id
type: keyword
description: >
protocol id
- name: policy_name
type: keyword
description: >
policy name
- name: session_id_32
type: keyword
description: >
session id 32
- name: session_id
type: keyword
description: >
session id
- name: outbound_packets
type: integer
description: >
packets from client
- name: outbound_bytes
type: integer
description: >
bytes from client
- name: inbound_packets
type: integer
description: >
packets from server
- name: inbound_bytes
type: integer
description: >
bytes from server
- name: elapsed_time
type: date
description: >
elapsed time
- name: application
type: keyword
description: >
application
- name: nested_application
type: keyword
description: >
nested application
- name: username
type: keyword
description: >
username
- name: roles
type: keyword
description: >
roles
- name: encrypted
type: keyword
description: >
encrypted
- name: application_category
type: keyword
description: >
application category
- name: application_sub_category
type: keyword
description: >
application sub category
- name: application_characteristics
type: keyword
description: >
application characteristics
- name: secure_web_proxy_session_type
type: keyword
description: >
secure web proxy session type
- name: peer_session_id
type: keyword
description: >
peer session id
- name: peer_source_address
type: ip
description: >
peer source address
- name: peer_source_port
type: integer
description: >
peer source port
- name: peer_destination_address
type: ip
description: >
peer destination address
- name: peer_destination_port
type: integer
description: >
peer destination port
- name: hostname
type: keyword
description: >
hostname
- name: src_vrf_grp
type: keyword
description: >
src_vrf_grp
- name: dst_vrf_grp
type: keyword
description: >
dst_vrf_grp
- name: icmp_type
type: integer
description: >
icmp type
- name: process
type: keyword
description: >
process that generated the message
- name: apbr_rule_type
type: keyword
description: >
apbr rule type
- name: dscp_value
type: integer
description: >
dscp value
- name: logical_system_name
type: keyword
description: >
logical system name
- name: profile_name
type: keyword
description: >
profile name
- name: routing_instance
type: keyword
description: >
routing instance
- name: rule_name
type: keyword
description: >
rule name
- name: uplink_tx_bytes
type: integer
description: >
uplink tx bytes
- name: uplink_rx_bytes
type: integer
description: >
uplink rx bytes
- name: obj
type: keyword
description: >
url path
- name: url
type: keyword
description: >
url domain
- name: profile
type: keyword
description: >
filter profile
- name: category
type: keyword
description: >
filter category
- name: filename
type: keyword
description: >
filename
- name: temporary_filename
type: keyword
description: >
temporary_filename
- name: name
type: keyword
description: >
name
- name: error_message
type: keyword
description: >
error_message
- name: error_code
type: keyword
description: >
error_code
- name: action
type: keyword
description: >
action
- name: protocol
type: keyword
description: >
protocol
- name: protocol_name
type: keyword
description: >
protocol name
- name: type
type: keyword
description: >
type
- name: repeat_count
type: integer
description: >
repeat count
- name: alert
type: keyword
description: >
repeat alert
- name: message_type
type: keyword
description: >
message type
- name: threat_severity
type: keyword
description: >
threat severity
- name: application_name
type: keyword
description: >
application name
- name: attack_name
type: keyword
description: >
attack name
- name: index
type: keyword
description: >
index
- name: message
type: keyword
description: >
message
- name: epoch_time
type: date
description: >
epoch time
- name: packet_log_id
type: integer
description: >
packet log id
- name: export_id
type: integer
description: >
export id
- name: ddos_application_name
type: keyword
description: >
ddos application name
- name: connection_hit_rate
type: integer
description: >
connection hit rate
- name: time_scope
type: keyword
description: >
time scope
- name: context_hit_rate
type: integer
description: >
context hit rate
- name: context_value_hit_rate
type: integer
description: >
context value hit rate
- name: time_count
type: integer
description: >
time count
- name: time_period
type: integer
description: >
time period
- name: context_value
type: keyword
description: >
context value
- name: context_name
type: keyword
description: >
context name
- name: ruleebase_name
type: keyword
description: >
ruleebase name
- name: verdict_source
type: keyword
description: >
verdict source
- name: verdict_number
type: integer
description: >
verdict number
- name: file_category
type: keyword
description: >
file category
- name: sample_sha256
type: keyword
description: >
sample sha256
- name: malware_info
type: keyword
description: >
malware info
- name: client_ip
type: ip
description: >
client ip
- name: tenant_id
type: keyword
description: >
tenant id
- name: timestamp
type: date
description: >
timestamp
- name: th
type: keyword
description: >
th
- name: status
type: keyword
description: >
status
- name: state
type: keyword
description: >
state
- name: file_hash_lookup
type: keyword
description: >
file hash lookup
- name: file_name
type: keyword
description: >
file name
- name: action_detail
type: keyword
description: >
action detail
- name: sub_category
type: keyword
description: >
sub category
- name: feed_name
type: keyword
description: >
feed name
- name: occur_count
type: integer
description: >
occur count
- name: tag
type: keyword
description: >
system log message tag, which uniquely identifies the message.
- key: microsoft
title: Microsoft
description: >
Microsoft Module
fields:
- name: microsoft.defender_atp
type: group
release: ga
description: >
Module for ingesting Microsoft Defender ATP.
fields:
- name: lastUpdateTime
type: date
description: >
The date and time (in UTC) the alert was last updated.
- name: resolvedTime
type: date
description: >
The date and time in which the status of the alert was changed to 'Resolved'.
- name: incidentId
type: keyword
description: >
The Incident ID of the Alert.
- name: investigationId
type: keyword
description: >
The Investigation ID related to the Alert.
- name: investigationState
type: keyword
description: >
The current state of the Investigation.
- name: assignedTo
type: keyword
description: >
Owner of the alert.
- name: status
type: keyword
description: >
Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
- name: classification
type: keyword
description: >
Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
- name: determination
type: keyword
description: >
Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
- name: threatFamilyName
type: keyword
description: >
Threat family.
- name: rbacGroupName
type: keyword
description: >
User group related to the alert
- name: evidence.domainName
type: keyword
description: >
Domain name related to the alert
- name: evidence.ipAddress
type: ip
description: >
IP address involved in the alert
- name: evidence.aadUserId
type: keyword
description: >
ID of the user involved in the alert
- name: evidence.accountName
type: keyword
description: >
Username of the user involved in the alert
- name: evidence.entityType
type: keyword
description: >
The type of evidence
- name: evidence.userPrincipalName
type: keyword
description: >
Principal name of the user involved in the alert
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture the name of the device associated with the
node, like a physical disk, printer, etc.'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports
and which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. It should never be used
to parse metadata from a session (logs/packets) directly; this is a reserved key
in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet type. Used for Layer 3 protocols
only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the IP protocol number; all
protocol numbers are converted to strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviors of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for uninterpreted LDAP values, i.e. LDAP values that don't have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the destination email address only;
when the destination context is not clear, use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only; when
the source context is not clear, use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file
which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of the file, as found in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description, either taken directly
from the session or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: microsoft.m365_defender
type: group
release: beta
description: >
Module for ingesting Microsoft Defender ATP.
fields:
- name: incidentId
type: keyword
description: >
Unique identifier to represent the incident.
- name: redirectIncidentId
type: keyword
description: >
Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
- name: incidentName
type: keyword
description: >
Name of the Incident.
- name: determination
type: keyword
description: >
Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
- name: investigationState
type: keyword
description: >
The current state of the Investigation.
- name: assignedTo
type: keyword
description: >
Owner of the alert.
- name: tags
type: keyword
description: >
Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
- name: status
type: keyword
description: >
Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
- name: classification
type: keyword
description: >
Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
- name: alerts.incidentId
type: keyword
description: >
Unique identifier to represent the incident this alert is associated with.
- name: alerts.resolvedTime
type: date
description: >
Time when alert was resolved.
- name: alerts.status
type: keyword
description: >
Categorize alerts (as New, Active, or Resolved).
- name: alerts.severity
type: keyword
description: >
The severity of the related alert.
- name: alerts.creationTime
type: date
description: >
Time when alert was first created.
- name: alerts.lastUpdatedTime
type: date
description: >
Time when alert was last updated.
- name: alerts.investigationId
type: keyword
description: >
The automated investigation id triggered by this alert.
- name: alerts.userSid
type: keyword
description: >
The SID of the related user
- name: alerts.detectionSource
type: keyword
description: >
The service that initially detected the threat.
- name: alerts.classification
type: keyword
description: >
The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null.
- name: alerts.investigationState
type: keyword
description: >
Information on the investigation's current status.
- name: alerts.determination
type: keyword
description: >
Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
- name: alerts.assignedTo
type: keyword
description: >
Owner of the incident, or null if no owner is assigned.
- name: alerts.actorName
type: keyword
description: >
The activity group, if any, associated with this alert.
- name: alerts.threatFamilyName
type: keyword
description: >
Threat family associated with this alert.
- name: alerts.mitreTechniques
type: keyword
description: >
The attack techniques, as aligned with the MITRE ATT&CK™ framework.
- name: alerts.entities.entityType
type: keyword
description: >
Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
- name: alerts.entities.accountName
type: keyword
description: >
Account name of the related user.
- name: alerts.entities.mailboxDisplayName
type: keyword
description: >
The display name of the related mailbox.
- name: alerts.entities.mailboxAddress
type: keyword
description: >
The mail address of the related mailbox.
- name: alerts.entities.clusterBy
type: keyword
description: >
A list of metadata if the entityType is MailCluster.
- name: alerts.entities.sender
type: keyword
description: >
The sender for the related email message.
- name: alerts.entities.recipient
type: keyword
description: >
The recipient for the related email message.
- name: alerts.entities.subject
type: keyword
description: >
The subject for the related email message.
- name: alerts.entities.deliveryAction
type: keyword
description: >
The delivery status for the related email message.
- name: alerts.entities.securityGroupId
type: keyword
description: >
The Security Group ID for the user related to the email message.
- name: alerts.entities.securityGroupName
type: keyword
description: >
The Security Group Name for the user related to the email message.
- name: alerts.entities.registryHive
type: keyword
description: >
Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE.
- name: alerts.entities.registryKey
type: keyword
description: >
Reference to the related registry key to the event.
- name: alerts.entities.registryValueType
type: keyword
description: >
Value type of the registry key/value pair related to the event.
- name: alerts.entities.deviceId
type: keyword
description: >
The unique ID of the device related to the event.
- name: alerts.entities.ipAddress
type: keyword
description: >
The related IP address to the event.
- name: alerts.devices
type: flattened
description: >
The devices related to the investigation.
- key: misp
title: MISP
description: >
Module for handling threat information from MISP.
fields:
- name: misp
type: group
description: >
Fields from MISP threat information.
fields:
- name: attack_pattern
title: Attack Pattern
short: Fields that let you store attack patterns
description: >
Fields provide support for specifying information about attack patterns.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the threat indicator.
- name: name
level: core
type: keyword
description: >
Name of the attack pattern.
- name: description
level: extended
type: text
description: >
Description of the attack pattern.
- name: kill_chain_phases
level: extended
type: keyword
description: >
The kill chain phase(s) to which this attack pattern corresponds.
- name: campaign
title: Campaign
short: Fields that let you store campaign information
description: >
Fields provide support for specifying information about campaigns.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the campaign.
- name: name
level: core
type: keyword
description: >
Name of the campaign.
- name: description
level: extended
type: text
description: >
Description of the campaign.
- name: aliases
level: extended
type: text
description: >
Alternative names used to identify this campaign.
- name: first_seen
level: core
type: date
description: >
The time that this Campaign was first seen, in RFC3339 format.
- name: last_seen
level: core
type: date
description: >
The time that this Campaign was last seen, in RFC3339 format.
- name: objective
level: core
type: keyword
description: >
This field defines the Campaign's primary goal, objective, desired outcome, or intended effect.
- name: course_of_action
title: Course of Action
short: Fields that let you store information about course of action.
description: >
A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Course of Action.
- name: name
level: core
type: keyword
description: >
The name used to identify the Course of Action.
- name: description
level: extended
type: text
description: >
Description of the Course of Action.
- name: identity
title: Identity
short: Fields that let you store information about identity.
description: >
Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Identity.
- name: name
level: core
type: keyword
description: >
The name used to identify the Identity.
- name: description
level: extended
type: text
description: >
Description of the Identity.
- name: identity_class
level: core
type: keyword
description: >
The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov
- name: labels
level: extended
type: keyword
description: >
The list of roles that this Identity performs.
example: >
CEO
- name: sectors
level: extended
type: keyword
description: >
The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov
- name: contact_information
level: extended
type: text
description: >
The contact information (e-mail, phone number, etc.) for this Identity.
- name: intrusion_set
title: Intrusion Set
short: Fields that let you store information about Intrusion Set.
description: >
An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Intrusion Set.
- name: name
level: core
type: keyword
description: >
The name used to identify the Intrusion Set.
- name: description
level: extended
type: text
description: >
Description of the Intrusion Set.
- name: aliases
level: extended
type: text
description: >
Alternative names used to identify the Intrusion Set.
- name: first_seen
level: extended
type: date
description: >
The time that this Intrusion Set was first seen, in RFC3339 format.
- name: last_seen
level: extended
type: date
description: >
The time that this Intrusion Set was last seen, in RFC3339 format.
- name: goals
level: extended
type: text
description: >
The high-level goals of this Intrusion Set, namely, what they are trying to do.
- name: resource_level
level: extended
type: text
description: >
This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov
- name: primary_motivation
level: extended
type: text
description: >
The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov
- name: secondary_motivations
level: extended
type: text
description: >
The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov
- name: malware
title: Malware
short: Fields that let you store information about Malware.
description: >
Malware is a type of TTP, also known as malicious code or malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS), or of otherwise annoying or disrupting the victim.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Malware.
- name: name
level: core
type: keyword
description: >
The name used to identify the Malware.
- name: description
level: extended
type: text
description: >
Description of the Malware.
- name: labels
level: core
type: keyword
description: >
The type of malware being described.
Open Vocab - malware-label-ov.
adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware,remote-access-trojan,resource-exploitation,rogue-security-software,rootkit,screen-capture,spyware,trojan,virus,worm
- name: kill_chain_phases
format: string
level: extended
type: keyword
description: >
The list of kill chain phases for which this Malware instance can be used.
- name: note
title: Note
short: Fields that let you store information about Note.
description: >
A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Note.
- name: summary
level: extended
type: keyword
description: >
A brief description used as a summary of the Note.
- name: description
level: extended
type: text
description: >
The content of the Note.
- name: authors
level: extended
type: keyword
description: >
The name of the author(s) of this Note.
- name: object_refs
level: extended
type: keyword
description: >
The STIX Objects (SDOs and SROs) that the note is being applied to.
- name: threat_indicator
title: Threat Indicator
short: Fields that let you store Threat Indicators
description: >
Fields provide support for specifying information about threat indicators, and related matching patterns.
type: group
fields:
- name: labels
level: core
type: keyword
description: >
List of type open-vocab that specifies the type of indicator.
example: >
Domain Watchlist
- name: id
level: core
type: keyword
description: >
Identifier of the threat indicator.
- name: version
level: core
type: keyword
description: >
Version of the threat indicator.
- name: type
level: core
type: keyword
description: >
Type of the threat indicator.
- name: description
level: core
type: text
description: >
Description of the threat indicator.
- name: feed
level: core
type: text
description: >
Name of the threat feed.
- name: valid_from
level: core
type: date
description: >
The time from which this Indicator should be considered valuable
intelligence, in RFC3339 format.
- name: valid_until
level: core
type: date
description: >
The time at which this Indicator should no longer be considered valuable intelligence, in RFC3339 format. If the valid_until property is omitted, there is no constraint on the latest time for which the indicator should be used.
- name: severity
format: string
level: core
type: keyword
description: >
Threat severity to which this indicator corresponds.
example: high
- name: confidence
level: core
type: keyword
description: >
Confidence level to which this indicator corresponds.
example: high
- name: kill_chain_phases
format: string
level: extended
type: keyword
description: >
The kill chain phase(s) to which this indicator corresponds.
- name: mitre_tactic
format: string
level: extended
type: keyword
description: >
MITRE tactics to which this indicator corresponds.
example: Initial Access
- name: mitre_technique
format: string
level: extended
type: keyword
description: >
MITRE techniques to which this indicator corresponds.
example: Drive-by Compromise
- name: attack_pattern
level: core
type: keyword
description: >
The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning.
example: >
[destination:ip = '91.219.29.188/32']
- name: attack_pattern_kql
level: core
type: keyword
description: >
The attack_pattern for this indicator is a KQL query that matches the attack_pattern specified in the STIX Pattern format.
example: >
destination.ip: "91.219.29.188/32"
- name: negate
level: core
type: boolean
description: >
When set to true, it specifies the absence of the attack_pattern.
- name: intrusion_set
level: extended
type: keyword
description: >
Name of the intrusion set if known.
- name: campaign
level: extended
type: keyword
description: >
Name of the attack campaign if known.
- name: threat_actor
level: extended
type: keyword
description: >
Name of the threat actor if known.
- name: observed_data
title: Observed Data
short: Fields that let you store information about Observed Data.
description: >
Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Observed Data.
- name: first_observed
level: core
type: date
description: >
The beginning of the time window that the data was observed, in RFC3339 format.
- name: last_observed
level: core
type: date
description: >
The end of the time window that the data was observed, in RFC3339 format.
- name: number_observed
level: core
type: integer
description: >
The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
- name: objects
level: core
type: keyword
description: >
A dictionary of Cyber Observable Objects that describes the single fact that was observed.
- name: report
title: Report
short: Fields that let you store information about Report.
description: >
Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Report.
- name: labels
level: core
type: keyword
description: >
This field is an Open Vocabulary that specifies the primary subject of this report.
Open Vocab - report-label-ov.
threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability
- name: name
level: core
type: keyword
description: >
The name used to identify the Report.
- name: description
level: extended
type: text
description: >
A description that provides more details and context about Report.
- name: published
level: extended
type: date
description: >
The date that this report object was officially published by the creator of this report, in RFC3339 format.
- name: object_refs
level: core
type: text
description: >
Specifies the STIX Objects that are referred to by this Report.
- name: threat_actor
title: Threat Actor
short: Fields that let you store information about Threat Actor.
description: >
Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Threat Actor.
- name: labels
level: core
type: keyword
description: >
This field specifies the type of threat actor.
Open Vocab - threat-actor-label-ov.
activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist
- name: name
level: core
type: keyword
description: >
The name used to identify this Threat Actor or Threat Actor group.
- name: description
level: extended
type: text
description: >
A description that provides more details and context about the Threat Actor.
- name: aliases
level: extended
type: text
description: >
A list of other names that this Threat Actor is believed to use.
- name: roles
level: extended
type: text
description: >
This is a list of roles the Threat Actor plays.
Open Vocab - threat-actor-role-ov.
agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author
- name: goals
level: extended
type: text
description: >
The high-level goals of this Threat Actor, namely, what they are trying to do.
- name: sophistication
level: extended
type: text
description: >
The skill, specific knowledge, special training, or expertise a Threat Actor
must have to perform the attack.
Open Vocab - threat-actor-sophistication-ov.
none,minimal,intermediate,advanced,strategic,expert,innovator
- name: resource_level
level: extended
type: text
description: >
This defines the organizational level at which this Threat Actor typically works.
Open Vocab - attack-resource-level-ov.
individual,club,contest,team,organization,government
- name: primary_motivation
level: extended
type: text
description: >
The primary reason, motivation, or purpose behind this Threat Actor.
Open Vocab - attack-motivation-ov.
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
- name: secondary_motivations
level: extended
type: text
description: >
The secondary reasons, motivations, or purposes behind this Threat Actor.
Open Vocab - attack-motivation-ov.
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
- name: personal_motivations
level: extended
type: text
description: >
The personal reasons, motivations, or purposes of the Threat Actor regardless of
organizational goals.
Open Vocab - attack-motivation-ov.
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
- name: tool
title: Tool
short: Fields that let you store information about Tool.
description: >
Tools are legitimate software that can be used by threat actors to perform attacks.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Tool.
- name: labels
level: core
type: keyword
description: >
The kind(s) of tool(s) being described.
Open Vocab - tool-label-ov.
denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning
- name: name
level: core
type: keyword
description: >
The name used to identify the Tool.
- name: description
level: extended
type: text
description: >
A description that provides more details and context about the Tool.
- name: tool_version
level: extended
type: keyword
description: >
The version identifier associated with the Tool.
- name: kill_chain_phases
level: extended
type: text
description: >
The list of kill chain phases for which this Tool instance can be used.
- name: vulnerability
title: Vulnerability
short: Fields that let you store information about Vulnerability.
description: >
A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Identifier of the Vulnerability.
- name: name
level: core
type: keyword
description: >
The name used to identify the Vulnerability.
- name: description
level: extended
type: text
description: >
A description that provides more details and context about the Vulnerability.
- key: mssql
title: "mssql"
description: MS SQL Filebeat Module
fields:
- name: mssql
type: group
description: Fields from the MSSQL log files
fields:
- name: log
description: Common log fields
type: group
fields:
- name: origin
description: Origin of the message, usually the server but it can also be a recovery process
type: keyword
- key: mysqlenterprise
title: MySQL Enterprise
description: >
MySQL Enterprise Audit module
fields:
- name: mysqlenterprise
type: group
description: >
Fields from MySQL Enterprise Logs
fields:
- name: audit
type: group
release: beta
description: >
Module for parsing MySQL Enterprise Audit Logs
fields:
- name: class
type: keyword
description: >
A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.
- name: connection_id
type: keyword
description: >
An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
- name: id
type: keyword
description: >
An unsigned integer representing an event ID.
- name: connection_data.connection_type
type: keyword
description: >
The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
- name: connection_data.status
type: long
description: >
An integer representing the command status: 0 for success, nonzero if an error occurred.
- name: connection_data.db
type: keyword
description: >
A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
- name: connection_data.connection_attributes
type: flattened
description: >
Connection attributes that might be passed by different MySQL Clients.
- name: general_data.command
type: keyword
description: >
A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
- name: general_data.sql_command
type: keyword
description: >
A string that indicates the SQL statement type.
- name: general_data.query
type: keyword
description: >
A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
- name: general_data.status
type: long
description: >
An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
- name: login.user
type: keyword
description: >
A string representing the information indicating how a client connected to the server.
- name: login.proxy
type: keyword
description: >
A string representing the proxy user. The value is empty if user proxying is not in effect.
- name: shutdown_data.server_id
type: keyword
description: >
An integer representing the server ID. This is the same as the value of the server_id system variable.
- name: startup_data.server_id
type: keyword
description: >
An integer representing the server ID. This is the same as the value of the server_id system variable.
- name: startup_data.mysql_version
type: keyword
description: >
An integer representing the server ID. This is the same as the value of the server_id system variable.
- name: table_access_data.db
type: keyword
description: >
A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
- name: table_access_data.table
type: keyword
description: >
A string representing a table name.
- name: table_access_data.query
type: keyword
description: >
A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
- name: table_access_data.sql_command
type: keyword
description: >
A string that indicates the SQL statement type.
- name: account.user
type: keyword
description: >
A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
- name: account.host
type: keyword
description: >
A string representing the client host name.
- name: login.os
type: keyword
description: >
A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.
- key: netflow-module
title: NetFlow
description: >
Module for receiving NetFlow and IPFIX flow records over UDP. The module
does not add fields beyond what the netflow input provides.
skipdocs:
fields:
- key: netscout
title: Arbor Peakflow SP
description: >
netscout fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse metadata from a session (Logs/Packets) directly; this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: o365
title: Office 365
description: >
Module for handling logs from Office 365.
fields:
- name: o365.audit
type: group
description: >
Fields from Office 365 Management API audit logs.
fields:
- name: AADGroupId
type: keyword
- name: Actor
type: array
fields:
- name: ID
type: keyword
- name: Type
type: keyword
- name: ActorContextId
type: keyword
- name: ActorIpAddress
type: keyword
- name: ActorUserId
type: keyword
- name: ActorYammerUserId
type: keyword
- name: AlertEntityId
type: keyword
- name: AlertId
type: keyword
- name: AlertLinks
type: array
- name: AlertType
type: keyword
- name: AppId
type: keyword
- name: ApplicationDisplayName
type: keyword
- name: ApplicationId
type: keyword
- name: AzureActiveDirectoryEventType
type: keyword
- name: ExchangeMetaData.*
type: object
- name: Category
type: keyword
- name: ClientAppId
type: keyword
- name: ClientInfoString
type: keyword
- name: ClientIP
type: keyword
- name: ClientIPAddress
type: keyword
- name: Comments
type: text
norms: false
- name: CommunicationType
type: keyword
- name: CorrelationId
type: keyword
- name: CreationTime
type: keyword
- name: CustomUniqueId
type: keyword
- name: Data
type: keyword
- name: DataType
type: keyword
- name: DoNotDistributeEvent
type: boolean
- name: EntityType
type: keyword
- name: ErrorNumber
type: keyword
- name: EventData
type: keyword
- name: EventSource
type: keyword
- name: ExceptionInfo.*
type: object
- name: ExtendedProperties.*
type: object
- name: ExternalAccess
type: keyword
- name: FromApp
type: boolean
- name: GroupName
type: keyword
- name: Id
type: keyword
- name: ImplicitShare
type: keyword
- name: IncidentId
type: keyword
- name: InternalLogonType
type: keyword
- name: InterSystemsId
type: keyword
- name: IntraSystemId
type: keyword
- name: IsDocLib
type: boolean
- name: Item.*
type: object
- name: Item.*.*
type: object
- name: ItemCount
type: long
- name: ItemName
type: keyword
- name: ItemType
type: keyword
- name: ListBaseTemplateType
type: keyword
- name: ListBaseType
type: keyword
- name: ListColor
type: keyword
- name: ListIcon
type: keyword
- name: ListId
type: keyword
- name: ListTitle
type: keyword
- name: ListItemUniqueId
type: keyword
- name: LogonError
type: keyword
- name: LogonType
type: keyword
- name: LogonUserSid
type: keyword
- name: MailboxGuid
type: keyword
- name: MailboxOwnerMasterAccountSid
type: keyword
- name: MailboxOwnerSid
type: keyword
- name: MailboxOwnerUPN
type: keyword
- name: Members
type: array
- name: Members.*
type: object
- name: ModifiedProperties.*.*
type: object
- name: Name
type: keyword
- name: ObjectId
type: keyword
- name: Operation
type: keyword
- name: OrganizationId
type: keyword
- name: OrganizationName
type: keyword
- name: OriginatingServer
type: keyword
- name: Parameters.*
type: object
- name: PolicyDetails
type: array
- name: PolicyId
type: keyword
- name: RecordType
type: keyword
- name: ResultStatus
type: keyword
- name: SensitiveInfoDetectionIsIncluded
type: keyword
- name: SharePointMetaData.*
type: object
- name: SessionId
type: keyword
- name: Severity
type: keyword
- name: Site
type: keyword
- name: SiteUrl
type: keyword
- name: Source
type: keyword
- name: SourceFileExtension
type: keyword
- name: SourceFileName
type: keyword
- name: SourceRelativeUrl
type: keyword
- name: Status
type: keyword
- name: SupportTicketId
type: keyword
- name: Target
type: array
fields:
- name: ID
type: keyword
- name: Type
type: keyword
- name: TargetContextId
type: keyword
- name: TargetUserOrGroupName
type: keyword
- name: TargetUserOrGroupType
type: keyword
- name: TeamName
type: keyword
- name: TeamGuid
type: keyword
- name: TemplateTypeId
type: keyword
- name: UniqueSharingId
type: keyword
- name: UserAgent
type: keyword
- name: UserId
type: keyword
- name: UserKey
type: keyword
- name: UserType
type: keyword
- name: Version
type: keyword
- name: WebId
type: keyword
- name: Workload
type: keyword
- name: YammerNetworkId
type: keyword
- key: okta
title: Okta
description: >
Module for handling system logs from Okta.
fields:
- name: okta
type: group
description: >
Fields from Okta.
fields:
- name: uuid
title: UUID
short: The unique identifier of the Okta LogEvent.
description: >
The unique identifier of the Okta LogEvent.
type: keyword
- name: event_type
title: Event Type
short: The type of the LogEvent.
description: >
The type of the LogEvent.
type: keyword
- name: version
title: Version
short: The version of the LogEvent.
description: >
The version of the LogEvent.
type: keyword
- name: severity
title: Severity
short: The severity of the LogEvent.
description: >
The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
type: keyword
- name: display_message
title: Display Message
short: The display message of the LogEvent.
description: >
The display message of the LogEvent.
type: keyword
- name: actor
title: Actor
short: Fields of the actor for the LogEvent.
description: >
Fields that let you store information of the actor for the LogEvent.
type: group
fields:
- name: id
type: keyword
description: >
Identifier of the actor.
- name: type
type: keyword
description: >
Type of the actor.
- name: alternate_id
type: keyword
description: >
Alternate identifier of the actor.
- name: display_name
type: keyword
description: >
Display name of the actor.
- name: client
title: Client
short: Fields about the client of the actor.
description: >
Fields that let you store information about the client of the actor.
type: group
fields:
- name: ip
type: ip
description: >
The IP address of the client.
- name: user_agent
description: >
Fields about the user agent information of the client.
type: group
fields:
- name: raw_user_agent
type: keyword
description: >
The raw information of the user agent.
- name: os
type: keyword
description: >
The OS information.
- name: browser
type: keyword
description: >
The browser information of the client.
- name: zone
type: keyword
description: >
The zone information of the client.
- name: device
type: keyword
description: >
The information of the client device.
- name: id
type: keyword
description: >
The identifier of the client.
- name: outcome
title: Outcome of the LogEvent.
short: Fields that let you store information about the outcome.
description: >
Fields that let you store information about the outcome.
type: group
fields:
- name: reason
type: keyword
description: >
The reason of the outcome.
- name: result
type: keyword
description: >
The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
- name: target
title: Target
short: The list of targets.
description: >
The list of targets.
type: flattened
fields:
- name: id
type: keyword
description: >
Identifier of the actor.
- name: type
type: keyword
description: >
Type of the actor.
- name: alternate_id
type: keyword
description: >
Alternate identifier of the actor.
- name: display_name
type: keyword
description: >
Display name of the actor.
- name: transaction
title: Transaction
short: Fields that let you store information about related transaction.
description: >
Fields that let you store information about related transaction.
type: group
fields:
- name: id
type: keyword
description: >
Identifier of the transaction.
- name: type
type: keyword
description: >
The type of transaction. Must be one of "WEB", "JOB".
- name: debug_context
title: Debug Context
short: Fields that let you store information about the debug context.
description: >
Fields that let you store information about the debug context.
type: group
fields:
- name: debug_data
description: >
The debug data.
type: group
fields:
- name: device_fingerprint
type: keyword
description: >
The fingerprint of the device.
- name: factor
type: keyword
description: >
The factor used for authentication.
- name: request_id
type: keyword
description: >
The identifier of the request.
- name: request_uri
type: keyword
description: >
The request URI.
- name: threat_suspected
type: keyword
description: >
Threat suspected.
- name: risk_behaviors
type: keyword
description: >
The set of behaviors that contribute to a risk assessment.
- name: risk_level
type: keyword
description: >
The risk level assigned to the sign in attempt.
- name: risk_reasons
type: keyword
description: >
The reasons for the risk.
- name: url
type: keyword
description: >
The URL.
- name: flattened
type: flattened
description: >
The complete debug_data object.
- name: suspicious_activity
description: >
The suspicious activity fields from the debug data.
type: group
fields:
- name: browser
type: keyword
description: >
The browser used.
- name: event_city
type: keyword
description: >
The city where the suspicious activity took place.
- name: event_country
type: keyword
description: >
The country where the suspicious activity took place.
- name: event_id
type: keyword
description: >
The event ID.
- name: event_ip
type: ip
description: >
The IP of the suspicious event.
- name: event_latitude
type: float
description: >
The latitude where the suspicious activity took place.
- name: event_longitude
type: float
description: >
The longitude where the suspicious activity took place.
- name: event_state
type: keyword
description: >
The state where the suspicious activity took place.
- name: event_transaction_id
type: keyword
description: >
The event transaction ID.
- name: event_type
type: keyword
description: >
The event type.
- name: os
type: keyword
description: >
The OS of the system from which the suspicious activity occurred.
- name: timestamp
type: date
description: >
The timestamp of when the activity occurred.
- name: authentication_context
title: Authentication Context
short: Fields that let you store information about authentication context.
description: >
Fields that let you store information about authentication context.
type: group
fields:
- name: authentication_provider
type: keyword
description: >
The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
- name: authentication_step
type: integer
description: >
The authentication step.
- name: credential_provider
type: keyword
description: >
The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
- name: credential_type
type: keyword
description: >
The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
- name: issuer
description: >
The information about the issuer.
type: array
fields:
- name: id
type: keyword
description: >
The identifier of the issuer.
- name: type
type: keyword
description: >
The type of the issuer.
- name: external_session_id
type: keyword
description: >
The session identifier of the external session, if any.
- name: interface
type: keyword
description: >
The interface used, e.g. Outlook, Office365, wsTrust.
- name: security_context
title: Security Context
short: Fields that let you store information about security context.
description: >
Fields that let you store information about security context.
type: group
fields:
- name: as
type: group
description: >
The autonomous system.
fields:
- name: number
type: integer
description: >
The AS number.
- name: organization
type: group
description: >
The organization that owns the AS number.
fields:
- name: name
type: keyword
description: >
The organization name.
- name: isp
type: keyword
description: >
The Internet Service Provider.
- name: domain
type: keyword
description: >
The domain name.
- name: is_proxy
type: boolean
description: >
Whether it is a proxy or not.
- name: request
title: Request
short: Fields that let you store information about the request.
description: >
Fields that let you store information about the request, in the form of list of ip_chain.
type: group
fields:
- name: ip_chain
description: >
List of ip_chain objects.
type: flattened
fields:
- name: ip
type: ip
description: >
IP address.
- name: version
type: keyword
description: >
IP version. Must be one of V4, V6.
- name: source
type: keyword
description: >
Source information.
- name: geographical_context
description: >
Geographical information.
type: group
fields:
- name: city
type: keyword
description: The city.
- name: state
type: keyword
description: The state.
- name: postal_code
type: keyword
description: The postal code.
- name: country
type: keyword
description: The country.
- name: geolocation
description: >
Geolocation information.
type: geo_point
- key: oracle
title: Oracle
description: >
Oracle Module
fields:
- name: oracle
type: group
description: >
Fields from Oracle logs.
fields:
- name: database_audit
type: group
description: >
Module for parsing Oracle Database audit logs
fields:
- name: priv_used
type: integer
description: >
System privilege used to execute the action.
- name: logoff_pread
type: integer
description: >
Physical reads for the session.
- name: logoff_lread
type: integer
description: >
Logical reads for the session.
- name: logoff_lwrite
type: integer
description: >
Logical writes for the session.
- name: logoff_dead
type: integer
description: >
Deadlocks detected during the session.
- name: sessioncpu
type: integer
description: >
Amount of CPU time used by each Oracle session.
- name: returncode
type: integer
description: >
Oracle error code generated by the action.
- name: statement
type: integer
description: >
nth statement in the user session.
- name: userid
type: keyword
description: >
Name of the user whose actions were audited.
- name: entryid
type: integer
description: >
Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written.
- name: comment_text
type: text
description: >
Text comment on the audit trail entry, providing more information about the statement audited.
- name: os_userid
type: keyword
description: >
Operating system login username of the user whose actions were audited.
- name: terminal
type: text
description: >
Identifier of the user's terminal.
- name: status
type: keyword
description: >
Database Audit Status.
- name: session_id
type: keyword
description: >
Indicates the audit session ID number.
- name: client.terminal
type: keyword
description: >
If available, the client terminal type, for example "pty".
- name: client.address
type: keyword
description: >
The IP Address or Domain used by the client.
- name: client.user
type: keyword
description: >
The user running the client or connection to the database.
- name: database.user
type: keyword
description: >
The database user used to authenticate.
- name: privilege
type: keyword
description: >
The privilege group related to the database user.
- name: entry.id
type: keyword
description: >
Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
- name: database.host
type: keyword
description: >
Client host machine name.
- name: action
type: keyword
description: >
The action performed during the audit event. This could for example be the raw query.
- name: action_number
type: keyword
description: >
Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
- name: database.id
type: keyword
description: >
Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
- name: length
type: long
description: >
Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
- key: panw
title: panw
description: >
Module for Palo Alto Networks (PAN-OS)
fields:
- name: panw
type: group
description: >
Fields from the panw module.
fields:
- name: panos
type: group
description: >
Fields for the Palo Alto Networks PAN-OS logs.
fields:
- name: ruleset
type: keyword
description: >
Name of the rule that matched this session.
- name: source
type: group
description: >
Fields to extend the top-level source object.
fields:
- name: zone
type: keyword
description: >
Source zone for this session.
- name: interface
type: keyword
description: >
Source interface for this session.
- name: nat
type: group
description: >
Post-NAT source address, if source NAT is performed.
fields:
- name: ip
type: ip
description: >
Post-NAT source IP.
- name: port
type: long
description: >
Post-NAT source port.
- name: destination
type: group
description: >
Fields to extend the top-level destination object.
fields:
- name: zone
type: keyword
description: >
Destination zone for this session.
- name: interface
type: keyword
description: >
Destination interface for this session.
- name: nat
type: group
description: >
Post-NAT destination address, if destination NAT is performed.
fields:
- name: ip
type: ip
description: >
Post-NAT destination IP.
- name: port
type: long
description: >
Post-NAT destination port.
- name: endreason
type: keyword
description: >
The reason a session terminated.
- name: network
type: group
description: >
Fields to extend the top-level network object.
fields:
- name: pcap_id
type: keyword
description: >
Packet capture ID for a threat.
- name: nat
type: group
fields:
- name: community_id
type: keyword
description: >
Community ID flow-hash for the NAT 5-tuple.
- name: file
type: group
description: >
Fields to extend the top-level file object.
fields:
- name: hash
description: >
Binary hash for a threat file sent to be analyzed
by the WildFire service.
type: keyword
- name: url
type: group
description: >
Fields to extend the top-level url object.
fields:
- name: category
type: keyword
description: >
For threat URLs, it's the URL category.
For WildFire, the verdict on the file and is
either 'malicious', 'grayware', or 'benign'.
- name: flow_id
type: keyword
description: >
Internal numeric identifier for each session.
- name: sequence_number
type: long
description: >
Log entry identifier that is incremented sequentially.
Unique for each log type.
- name: threat.resource
type: keyword
description: >
URL or file name for a threat.
- name: threat.id
type: keyword
description: >
Palo Alto Networks identifier for the threat.
- name: threat.name
type: keyword
description: >
Palo Alto Networks name for the threat.
- name: action
type: keyword
description: >-
Action taken for the session.
- name: type
description: >-
Specifies the type of the log
- name: sub_type
description: >-
Specifies the sub type of the log
- name: virtual_sys
type: keyword
description: >
Virtual system instance
- name: client_os_ver
type: keyword
description: >
The client device’s OS version.
- name: client_os
type: keyword
description: >
The client device’s OS version.
- name: client_ver
type: keyword
description: >
The client’s GlobalProtect app version.
- name: stage
type: keyword
example: before-login
description: >
A string showing the stage of the connection
- name: actionflags
type: keyword
description: >
A bit field indicating if the log was forwarded to Panorama.
- name: error
type: keyword
description: >
A string showing the error that has occurred in any event.
- name: error_code
type: integer
description: >
An integer associated with any errors that occurred.
- name: repeatcnt
type: integer
description: >
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.
- name: serial_number
type: keyword
description: >
The serial number of the user’s machine or device.
- name: auth_method
type: keyword
example: LDAP
description: >
A string showing the authentication type
- name: datasource
type: keyword
description: >
Source from which mapping information is collected.
- name: datasourcetype
type: keyword
description: >
Mechanism used to identify the IP/User mappings within a data source.
- name: datasourcename
type: keyword
description: >
User-ID source that sends the IP (Port)-User Mapping.
- name: factorno
type: integer
description: >
Indicates the use of primary authentication (1) or additional factors (2, 3).
- name: factortype
type: keyword
description: >
Vendor used to authenticate a user when Multi Factor authentication is present.
- name: factorcompletiontime
type: date
description: >
Time the authentication was completed.
- name: ugflags
type: keyword
description: |
Displays whether a user group was found during user group mapping. Supported values are:
User Group Found—Indicates whether the user could be mapped to a group.
Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
- name: device_group_hierarchy
type: group
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
fields:
- name: level_1
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_2
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_3
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_4
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: timeout
type: integer
description: >
Timeout after which the IP/User Mappings are cleared.
- name: vsys_id
type: keyword
description: >
A unique identifier for a virtual system on a Palo Alto Networks firewall.
- name: vsys_name
type: keyword
description: >
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
- name: description
type: keyword
description: >
Additional information for any event that has occurred.
- name: tunnel_type
type: keyword
description: >
The type of tunnel (either SSLVPN or IPSec).
- name: connect_method
type: keyword
description: >
A string showing how the GlobalProtect app connects to the gateway.
- name: matchname
type: keyword
description: >
Name of the HIP object or profile.
- name: matchtype
type: keyword
description: >
Whether the hip field represents a HIP object or a HIP profile.
- name: priority
type: keyword
description: >
The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
- name: response_time
type: keyword
description: >
The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
- name: attempted_gateways
type: keyword
description: >
The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
- name: gateway
type: keyword
description: >
The name of the gateway that is specified on the portal configuration.
- name: selection_type
type: keyword
description: >
The connection method that is selected to connect to the gateway.
- key: proofpoint
title: Proofpoint Email Security
description: >
proofpoint fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPv4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPv6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given in the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture the name of the device associated with the
node, e.g. a physical disk, printer, etc.'
- name: param
overwrite: true
type: keyword
description: This key captures the parameters passed as part of a command or
application, etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture the list name or list number, primarily
for collecting access lists
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rule name) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture the agent ID
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures the IDS/IPS integer Signature ID. This must be
linked to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target. **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GEOPIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GEOPIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: rabbitmq
title: "RabbitMQ"
description: >
RabbitMQ Module
fields:
- name: rabbitmq
type: group
description: >
fields:
- name: log
type: group
description: >
RabbitMQ log files
fields:
- name: pid
type: keyword
description: The Erlang process id
example: <0.222.0>
- key: radware
title: Radware DefensePro
description: >
radware fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 through 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 through 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAP that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
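The Entropy Parser keys defined above (entropy_req/entropy_res, mcb_*, mcbc_*, ubc_* and payload_*) are all derived from the byte distribution of each side of a session. The following is an added example, not NetWitness's or Filebeat's code, that computes those per-side values from two constructed byte streams so the meaning of each key is concrete: entropy is Shannon entropy in bits per byte, mcb is the most common byte value, mcbc is how often it occurred, ubc is the number of distinct byte values, and payload is the side's size at parse time. The sample request and response bytes are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample streams (not from NetWitness or the page): a short
# plaintext request and a uniform byte-filled response, so the two sides
# land at opposite ends of the entropy scale.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"
SAMPLE_RESPONSE = bytes(range(256)) * 4


def stream_metrics(data: bytes) -> dict:
    """Per-side metrics matching the Entropy Parser keys on this page.

    entropy : Shannon entropy in bits per byte (0.0 .. 8.0)
    mcb     : most common byte value (0 .. 255), None for an empty stream
    mcbc    : how many times that byte occurred
    ubc     : number of distinct byte values seen (256 = all of them)
    payload : payload size of this side at parse time
    """
    size = len(data)
    if size == 0:
        return {"entropy": 0.0, "mcb": None, "mcbc": 0, "ubc": 0, "payload": 0}
    counts = Counter(data)
    entropy = -sum((n / size) * math.log2(n / size) for n in counts.values())
    mcb, mcbc = counts.most_common(1)[0]   # ties resolve to the byte seen first
    return {"entropy": entropy, "mcb": mcb, "mcbc": mcbc,
            "ubc": len(counts), "payload": size}


def entropy_parser_meta(request: bytes, response: bytes) -> dict:
    """Emit the *_req / *_res meta keys for one session, one side each."""
    meta = {}
    for side, data in (("req", request), ("res", response)):
        m = stream_metrics(data)
        meta[f"entropy_{side}"] = m["entropy"]
        meta[f"mcb_{side}"] = m["mcb"]
        meta[f"mcbc_{side}"] = m["mcbc"]
        meta[f"ubc_{side}"] = m["ubc"]
        meta[f"payload_{side}"] = m["payload"]
    return meta


if __name__ == "__main__":
    for key, value in entropy_parser_meta(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key:>12}: {value}")
```

One caveat the schema itself raises: entropy_req and entropy_res are declared here as `long`, while their descriptions say the Meta Type is UInt16 or Float32 depending on configuration. A float-valued entropy written into a `long` field is truncated at index time, so check which representation your decoder emits before building thresholds on these keys.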
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
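The time group above pairs each incomplete string form (event_time_str, duration_str) with a normalized key (event_time, duration_time) and records the timezone separately. The following is an added example, not NetWitness's or Filebeat's code, of how a pipeline step can produce the normalized keys from the string ones. The syslog-style input format, the offset syntax accepted for the timezone key, the use of lc_ctime (the Log Collector's collection time defined above) to supply the missing year, and deriving duration_time from starttime/endtime when no duration_str is present are all assumptions made for this example; the sample inputs are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inputs (not from the page): a syslog-style event_time_str that
# carries no year, its timezone, and a duration string. The "%b %d %H:%M:%S"
# format is an assumption; real event sources vary.
SAMPLE_RAW = {
    "event_time_str": "Mar  5 14:02:17",
    "timezone": "+05:30",
    "duration_str": "1h 2m 3s",
}
# Collection times standing in for lc_ctime (assumed to be UTC-aware).
SAMPLE_LC_CTIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LC_CTIME_JAN = datetime(2024, 1, 2, tzinfo=timezone.utc)

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_HMS = re.compile(r"^(\d+):(\d{2}):(\d{2})$")
_UNITS = re.compile(r"(\d+)\s*([dhms])")


def parse_timezone(tz_str: str) -> timezone:
    """timezone key -> tzinfo. Accepts UTC/GMT/Z and +HH:MM or -HHMM offsets."""
    s = tz_str.strip().upper()
    if s in ("UTC", "GMT", "Z"):
        return timezone.utc
    sign = -1 if s.startswith("-") else 1
    digits = s.lstrip("+-").replace(":", "")
    hours, minutes = int(digits[:2]), int(digits[2:4] or "0")
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def normalize_event_time(event_time_str: str, tz_str: str, collected_at: datetime) -> str:
    """event_time_str + timezone -> event_time as an ISO-8601 UTC string.

    The missing year is taken from the collection time; if that would put the
    event in the future (a January collection of a December log line), the
    previous year is used instead.
    """
    compact = " ".join(event_time_str.split())
    tzinfo = parse_timezone(tz_str)
    for year in (collected_at.year, collected_at.year - 1):
        try:
            candidate = datetime.strptime(f"{year} {compact}", "%Y %b %d %H:%M:%S")
        except ValueError:          # e.g. Feb 29 in a non-leap year
            continue
        candidate = candidate.replace(tzinfo=tzinfo)
        if candidate <= collected_at:
            return candidate.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    raise ValueError(f"cannot place {event_time_str!r} before {collected_at.isoformat()}")


def duration_to_seconds(duration_str: str) -> float:
    """duration_str -> duration_time in seconds ("HH:MM:SS" or "1h 2m 3s")."""
    m = _HMS.match(duration_str.strip())
    if m:
        h, mi, s = (int(g) for g in m.groups())
        return float(h * 3600 + mi * 60 + s)
    parts = _UNITS.findall(duration_str.lower())
    if not parts:
        raise ValueError(f"unrecognised duration_str: {duration_str!r}")
    return float(sum(int(qty) * _UNIT_SECONDS[unit] for qty, unit in parts))


def normalize_time_group(raw: dict, collected_at: datetime) -> dict:
    """Fill the normalized time.* keys from their string counterparts."""
    out = dict(raw)
    if "event_time_str" in raw:
        out["event_time"] = normalize_event_time(
            raw["event_time_str"], raw.get("timezone", "UTC"), collected_at)
    if "duration_str" in raw:
        out["duration_time"] = duration_to_seconds(raw["duration_str"])
    elif "starttime" in raw and "endtime" in raw:
        # Assumption for this example: lifetime = endtime - starttime when the
        # source gives no explicit duration.
        fmt = "%Y-%m-%dT%H:%M:%SZ"
        start, end = (datetime.strptime(raw[k], fmt) for k in ("starttime", "endtime"))
        out["duration_time"] = (end - start).total_seconds()
    return out


if __name__ == "__main__":
    print(normalize_time_group(SAMPLE_RAW, SAMPLE_LC_CTIME))
    print(normalize_event_time("Dec 31 23:59:59", "UTC", SAMPLE_LC_CTIME_JAN))
```

The year inference is the part worth keeping explicit: a December log line collected in early January must be backdated, and the example does that by comparing against the collection time rather than guessing. When the timezone key is absent the example assumes UTC; make that assumption visible in your own pipeline, because an unnoticed offset error shifts event_time by hours while lc_ctime and recorded_time stay correct.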
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given in the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures the version of the application or OS that is
generating the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of an object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of an object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event, describing an ongoing event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key captures the parameters passed as part of a command,
application, etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures all non-successful error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlayed onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture the agent ID
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures an IDS/IPS integer Signature ID. This must be linked
to sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: 'This key captures the particular event activity (Ex: Logoff)'
- name: ec_theme
overwrite: true
type: keyword
description: 'This key captures the Theme of a particular Event (Ex: Authentication)'
- name: ec_subject
overwrite: true
type: keyword
description: 'This key captures the Subject of a particular Event (Ex: User)'
- name: ec_outcome
overwrite: true
type: keyword
description: 'This key captures the outcome of a particular Event (Ex: Success)'
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GEOPIP Maxmind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GEOPIP
Maxmind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: salesforce
title: "Salesforce"
description: >
Salesforce Module
fields:
- name: salesforce
type: group
release: beta
description: >
Fileset for ingesting Salesforce Apex logs.
fields:
- name: access_mode
type: keyword
description: >
The mode of collecting logs from Salesforce - "rest" or "stream".
- name: apex
type: group
release: beta
description: >
Fileset for ingesting Salesforce Apex logs.
fields:
- name: action
type: keyword
description: >
Action performed by the callout.
- name: callout_time
type: keyword
description: >
Time spent waiting on webservice callouts, in milliseconds.
- name: class_name
type: keyword
description: >
The Apex class name. If the class is part of a managed package, this string includes the package namespace.
- name: client_name
type: keyword
description: >
The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn't specify a client in the CallOptions header.
- name: cpu_time
type: keyword
description: >
The CPU time in milliseconds used to complete the request.
- name: db_blocks
type: keyword
description: >
Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance.
- name: db_cpu_time
type: keyword
description: >
The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request.
- name: db_total_time
type: keyword
description: >
Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code.
- name: entity
type: keyword
description: >
Name of the external object being accessed.
- name: entity_name
type: keyword
description: >
The name of the object affected by the trigger.
- name: entry_point
type: keyword
description: >
The entry point for this Apex execution.
- name: event_type
type: keyword
description: >
The type of event. The value is always ApexCallout.
- name: execute_ms
type: keyword
description: >
How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later.
- name: fetch_ms
type: keyword
description: >
How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later.
- name: filter
type: keyword
description: >
Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries.
- name: is_long_running_request
type: keyword
description: >
Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false).
- name: limit
type: keyword
description: >
Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries.
- name: limit_usage_percent
type: keyword
description: >
The percentage of Apex SOAP calls that were made against the organization's limit.
- name: login_key
type: keyword
description: >
The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring.
- name: media_type
type: keyword
description: >
The media type of the response.
- name: message
type: keyword
description: >
Error or warning message associated with the failed call.
- name: method_name
type: keyword
description: >
The name of the calling Apex method.
- name: number_fields
type: keyword
description: >
The number of fields or columns, where applicable.
- name: number_soql_queries
type: keyword
description: >
The number of SOQL queries that were executed during the event.
- name: offset
type: keyword
description: >
Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries.
- name: orderby
type: keyword
description: >
Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries.
- name: organization_id
type: keyword
description: >
The 15-character ID of the organization.
- name: query
type: keyword
description: >
The SOQL query, if one was performed.
- name: quiddity
type: keyword
description: >
The type of outer execution associated with this event.
- name: request.id
type: keyword
description: >
The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.
- name: request.status
type: keyword
description: >
The status of the request for a page view or user interface action.
- name: rows.total
type: keyword
description: >
Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability.
- name: rows.fetched
type: keyword
description: >
Number of rows fetched by the callout. Available in API version 42.0 and later.
- name: rows.processed
type: keyword
description: >
The number of rows that were processed in the request.
- name: run_time
type: keyword
description: >
Not used for this event type. Use the TIME field instead.
- name: select
type: keyword
description: >
Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries.
- name: subqueries
type: keyword
description: >
Reserved for future use.
- name: throughput
type: keyword
description: >
Number of records retrieved in one second.
- name: trigger
type: group
fields:
- name: id
type: keyword
description: >
The 15-character ID of the trigger that was fired.
- name: name
type: keyword
description: >
For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger.
- name: type
type: keyword
description: >
The type of this trigger.
- name: type
type: keyword
description: >
The type of Apex callout.
- name: uri
type: keyword
description: >
The URI of the page that's receiving the request.
- name: uri_id_derived
type: keyword
description: >
The 18-character case-safe ID of the URI of the page that's receiving the request.
- name: user_agent
type: keyword
description: >
The numeric code for the type of client used to make the request (for example, the browser, application, or API).
- name: user_id_derived
type: keyword
description: >
The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API.
- name: salesforce.login
type: group
release: beta
description: >
Fileset for ingesting Salesforce Login (REST) logs.
fields:
- name: api_type
type: keyword
description: >
The type of API request.
- name: api_version
type: keyword
description: >
The version of the API that’s being used.
- name: login_key
type: keyword
description: >
The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
- name: authentication_method_reference
type: keyword
description: >
The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later.
- name: client_ip
type: keyword
description: >
The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”.
- name: cpu_time
type: keyword
description: >
The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer.
- name: db_total_time
type: keyword
description: >
The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code.
- name: event_type
type: keyword
description: >
The type of event. The value is always Login.
- name: organization_id
type: keyword
description: >
The 15-character ID of the organization.
- name: request_id
type: keyword
description: >
The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.
- name: request_status
type: keyword
description: >
The status of the request for a page view or user interface action.
- name: run_time
type: keyword
description: >
The amount of time that the request took in milliseconds.
- name: uri_id_derived
type: keyword
description: >
The 18-character case insensitive ID of the URI of the page that’s receiving the request.
- name: user_id_derived
type: keyword
description: >
The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API.
- name: salesforce.login
type: group
release: beta
description: >
Fileset for ingesting Salesforce Login (Streaming) logs.
fields:
- name: application
type: keyword
description: >
The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A
- name: auth_method_reference
type: keyword
description: >
The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.
- name: auth_service_id
type: keyword
description: >
The 18-character ID for an authentication service for a login event.
- name: client_version
type: keyword
description: >
The version number of the login client. If no version number is available, “Unknown” is returned.
- name: created_by_id
type: keyword
description: >
Unavailable
- name: evaluation_time
type: keyword
description: >
The amount of time it took to evaluate the transaction security policy, in milliseconds.
- name: login_geo_id
type: keyword
description: >
The Salesforce ID of the LoginGeo object associated with the login user’s IP address.
- name: login_history_id
type: keyword
description: >
Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication.
- name: login_type
type: keyword
description: >
The type of login used to access the session.
- name: policy_id
type: keyword
description: >
The ID of the transaction security policy associated with this event.
- name: policy_outcome
type: keyword
description: >
The result of the transaction policy.
- name: related_event_identifier
type: keyword
description: >
This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
- name: session_level
type: keyword
description: >
Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD
- name: salesforce.logout
type: group
release: beta
description: >
Fileset for parsing Salesforce Logout (REST) logs.
fields:
- name: session_level
type: keyword
description: >
Indicates the session-level security of the session that the user is logging out of for this event. Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD
- name: login_key
type: keyword
description: >
The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
- name: api_type
type: keyword
description: >
The type of API request.
- name: api_version
type: keyword
description: >
The version of the API that’s being used.
- name: app_type
type: keyword
description: >
The application type that was in use upon logging out.
- name: browser_type
type: keyword
description: >
The identifier string returned by the browser used at login.
- name: client_version
type: keyword
description: >
The version of the client that was in use upon logging out.
- name: event_type
type: keyword
description: >
The type of event. The value is always Logout.
- name: organization_by_id
type: keyword
description: >
The 15-character ID of the organization.
- name: platform_type
type: keyword
description: >
The code for the client platform. If a timeout caused the logout, this field is null.
- name: resolution_type
type: keyword
description: >
The screen resolution of the client. If a timeout caused the logout, this field is null.
- name: session_type
type: keyword
description: >
The session type that was used when logging out.
- name: user_id_derived
type: keyword
description: >
The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API.
- name: user_initiated_logout
type: keyword
description: >
The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0.
- name: salesforce.logout
type: group
release: beta
description: >
Fileset for parsing Salesforce Logout (Streaming) logs.
fields:
- name: created_by_id
type: keyword
description: >
Unavailable
- name: related_event_identifier
type: keyword
description: >
This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
- name: replay_id
type: keyword
description: >
Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
- name: schema
type: keyword
description: >
Unavailable
- name: salesforce.setup_audit_trail
type: group
release: beta
description: >
Fileset for ingesting Salesforce SetupAuditTrail logs.
fields:
- name: event_type
type: keyword
description: >
Event type
- name: created_by_context
type: keyword
description: >
The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein.
- name: created_by_id
type: keyword
description: >
Unknown
- name: created_by_issuer
type: keyword
description: >
Reserved for future use.
- name: delegate_user
type: keyword
description: >
The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later.
- name: display
type: keyword
description: >
The full description of changes made in Setup. For example, if the Action field has a value of PermSetCreate, the Display field has a value like “Created permission set MAD: with user license Salesforce”.
- name: responsible_namespace_prefix
type: keyword
description: >
Unknown
- name: section
type: keyword
description: >
The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile.
- key: snort
title: Snort/Sourcefire
description: >
snort fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) directly; it is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) directly; it is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) directly; it
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) directly; it is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) directly; it is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) directly; it
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) directly;
it is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) directly; it is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) directly; it
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) directly; it is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) directly; it is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
directly; it is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) directly; it is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser; the unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred, in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture an incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given in the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures the version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture the name of the object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture the type of the object
- name: event_source
overwrite: true
type: keyword
description: "This key captures the source of the event when it\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a session ID from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept; it is used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept; it is used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) and which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures an indicator of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture the authentication method used
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: This key is for uninterpreted LDAP values, that is, LDAP values that
don't have a clear query or response context
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is
running as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: This key is for Encryption peer's identity
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: ID of the negotiation, sent for ISAKMP Phase One
- name: ike_cookie2
overwrite: true
type: keyword
description: ID of the negotiation, sent for ISAKMP Phase Two
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
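# Added example, not code from filebeat or the Beats project: the field blocks
# above are only useful once they are flattened into the dotted names the index
# template will carry (a `key` groups definitions in the file but is not part of
# the field name; `type: group` entries nest further `fields`). The spec below
# is a constructed, hand-parsed excerpt in that shape; yaml.safe_load on the
# real file yields the same list-of-dicts. The redefinition check mirrors the
# rule Beats applies when module definitions are concatenated: a field may be
# defined a second time only if that definition sets `overwrite: true`, which
# is why every rsa.* entry on this page carries the flag.

```python
"""Flatten a Beats fields.yml tree into the dotted field names it defines."""


# Constructed excerpt: an ECS-style definition of network.interface.name and a
# module block (as the sonicwall key on this page does) that redefines it and
# adds rsa.internal.* and rsa.time.* keys.
FIELDS_YML = [
    {"key": "ecs", "title": "ECS", "fields": [
        {"name": "network", "type": "group", "fields": [
            {"name": "interface", "type": "group", "fields": [
                {"name": "name", "type": "keyword"},
            ]},
        ]},
    ]},
    {"key": "sonicwall", "title": "Sonicwall-FW", "fields": [
        {"name": "network.interface.name", "overwrite": True, "type": "keyword"},
        {"name": "rsa", "overwrite": True, "type": "group", "fields": [
            {"name": "internal", "overwrite": True, "type": "group", "fields": [
                {"name": "msg", "overwrite": True, "type": "keyword"},
                {"name": "device_ip", "overwrite": True, "type": "ip"},
            ]},
            {"name": "time", "overwrite": True, "type": "group", "fields": [
                {"name": "event_time", "overwrite": True, "type": "date"},
            ]},
        ]},
    ]},
]


def flatten_fields(spec):
    """Return [(dotted_name, type, overwrite)] for every leaf field, in file order.

    The top-level `key` (ecs, snyk, sonicwall, ...) only groups definitions in
    the file and is not part of the field name. Only `name` values are joined
    with dots; `type: group` entries contribute a path segment without being
    emitted themselves. A missing `type` is treated as keyword here.
    """
    def walk(fields, prefix):
        for f in fields:
            name = f"{prefix}.{f['name']}" if prefix else f["name"]
            if f.get("type") == "group":
                yield from walk(f.get("fields", []), name)
            else:
                yield name, f.get("type", "keyword"), bool(f.get("overwrite", False))

    return [leaf for block in spec for leaf in walk(block.get("fields", []), "")]


def check_redefinitions(spec):
    """Return names defined more than once whose later copy lacks overwrite: true."""
    seen = set()
    offenders = []
    for name, _ftype, overwrite in flatten_fields(spec):
        if name in seen and not overwrite:
            offenders.append(name)
        seen.add(name)
    return offenders


def mapping_types(spec):
    """Resolve the effective type of each field: the last definition wins."""
    return {name: ftype for name, ftype, _overwrite in flatten_fields(spec)}


if __name__ == "__main__":
    for name, ftype, overwrite in flatten_fields(FIELDS_YML):
        print(f"{name:30} {ftype:8} overwrite={overwrite}")
    print("redefined without overwrite:", check_redefinitions(FIELDS_YML))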
- key: snyk
title: Snyk
description: >
Snyk module
fields:
- name: snyk
type: group
release: beta
description: >
Module for parsing Snyk project vulnerabilities.
fields:
- name: projects
type: flattened
description: >
Array with all related projects objects.
- name: related.projects
type: keyword
description: >
Array of all the related project ID's.
- name: audit
type: group
release: beta
description: >
Module for parsing Snyk audit logs.
fields:
- name: org_id
type: keyword
description: >
ID of the related Organization related to the event.
- name: project_id
type: keyword
description: >
ID of the project related to the event.
- name: content
type: flattened
description: >
Overview of the content that was changed, both old and new values.
- name: vulnerabilities
type: group
release: beta
description: >
Module for parsing Snyk project vulnerabilities.
fields:
- name: cvss3
type: keyword
description: >
CVSSv3 scores.
- name: disclosure_time
type: date
description: >
The time this vulnerability was originally disclosed to the package maintainers.
- name: exploit_maturity
type: keyword
description: >
The Snyk exploit maturity level.
- name: id
type: keyword
description: >
The vulnerability reference ID.
- name: is_ignored
type: boolean
description: >
If the vulnerability report has been ignored.
- name: is_patchable
type: boolean
description: >
If vulnerability is fixable by using a Snyk supplied patch.
- name: is_patched
type: boolean
description: >
If the vulnerability has been patched.
- name: is_pinnable
type: boolean
description: >
If the vulnerability is fixable by pinning a transitive dependency.
- name: is_upgradable
type: boolean
description: >
If the vulnerability is fixable by upgrading a dependency.
- name: language
type: keyword
description: >
The package's programming language.
- name: package
type: keyword
description: >
The package identifier according to its package manager.
- name: package_manager
type: keyword
description: >
The package manager.
- name: patches
type: flattened
description: >
Patches required to resolve the issue created by Snyk.
- name: priority_score
type: long
description: >
The Snyk priority score.
- name: publication_time
type: date
description: >
The vulnerability publication time.
- name: jira_issue_url
type: keyword
description: >
Link to the related Jira issue.
- name: original_severity
type: long
description: >
The original severity of the vulnerability.
- name: reachability
type: keyword
description: >
Whether the vulnerable function from the library is used in the code scanned. One of No Info, Potentially reachable or Reachable.
- name: title
type: keyword
description: >
The issue title.
- name: type
type: keyword
description: >
The issue type. Can be either "license" or "vulnerability".
- name: unique_severities_list
type: keyword
description: >
A list of related unique severities.
- name: version
type: keyword
description: >
The package version this issue is applicable to.
- name: introduced_date
type: date
description: >
The date the vulnerability was initially found.
- name: is_fixed
type: boolean
description: >
If the related vulnerability has been resolved.
- name: credit
type: keyword
description: >
Reference to the person who originally found the vulnerability.
- name: semver
type: flattened
description: >
One or more semver ranges this issue is applicable to. The format varies according to package manager.
- name: identifiers.alternative
type: keyword
description: >
Additional vulnerability identifiers.
- name: identifiers.cwe
type: keyword
description: >
CWE vulnerability identifiers.
- key: sonicwall
title: Sonicwall-FW
description: >
sonicwall fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: This key is used to identify if it's a log/packet session or Layer
2 Encapsulation Type. This key should never be used to parse Meta data from a
session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log,
33 = correlation session, < 32 is packet session
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint-related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
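# Added example, not NetWitness, RSA or Beats code: the Entropy Parser keys
# above (rsa.internal.entropy_*, ubc_*, mcb_*, mcbc_*, payload_*) are described
# but never shown being computed. This block derives them for both sides of a
# session from constructed request and response payloads: Shannon entropy of
# the byte stream, unique byte count, most common byte and how often it was
# seen, and payload size. The UInt16-versus-Float32 choice in the descriptions
# is modelled by an `as_uint16` parameter and a 0..65535 scaling that are
# assumptions of this example, as are the thresholds in looks_encrypted; the
# parser's real configuration is not shown on this page.

```python
"""Entropy Parser style metrics for one session, keyed like rsa.internal.*."""
import math
from collections import Counter


def entropy_metrics(payload: bytes, as_uint16: bool = False) -> dict:
    """Return entropy, ubc, mcb, mcbc and payload for one side of a session.

    entropy is Shannon entropy in bits per byte: 0.0 for a single repeated
    byte, 8.0 when all 256 values are equally frequent. With as_uint16=True
    it is scaled to 0..65535 so it fits a UInt16 meta key (assumed scaling).
    """
    size = len(payload)
    if size == 0:
        return {"entropy": 0 if as_uint16 else 0.0, "ubc": 0, "mcb": 0, "mcbc": 0, "payload": 0}
    counts = Counter(payload)
    shannon = -sum((c / size) * math.log2(c / size) for c in counts.values())
    mcb, mcbc = counts.most_common(1)[0]
    return {
        "entropy": round(shannon * 65535 / 8) if as_uint16 else shannon,
        "ubc": len(counts),   # unique byte values seen; 256 means every value occurred
        "mcb": mcb,           # most common byte value, 0..255
        "mcbc": mcbc,         # how many times that byte was seen in the stream
        "payload": size,      # payload bytes on this side at parse time
    }


def session_entropy_fields(request: bytes, response: bytes, as_uint16: bool = False) -> dict:
    """Emit both sides' metrics under the rsa.internal.<metric>_<side> key names."""
    fields = {}
    for side, data in (("req", request), ("res", response)):
        for metric, value in entropy_metrics(data, as_uint16).items():
            fields[f"rsa.internal.{metric}_{side}"] = value
    return fields


def looks_encrypted(fields: dict, side: str, min_entropy: float = 7.5, min_ubc: int = 240) -> bool:
    """Flag a side whose stream is near-uniform: high entropy and almost every byte value seen.

    Plaintext protocols sit well below these (assumed) thresholds; TLS,
    compressed bodies and many C2 channels sit above them, so treat the flag
    as a triage hint rather than proof.
    """
    return (fields[f"rsa.internal.entropy_{side}"] >= min_entropy
            and fields[f"rsa.internal.ubc_{side}"] >= min_ubc)


if __name__ == "__main__":
    # Constructed samples: a plaintext HTTP request and a response whose bytes
    # cover the whole 0..255 range evenly, as an encrypted blob would.
    request = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    response = bytes(range(256)) * 4
    fields = session_entropy_fields(request, response)
    for key in sorted(fields):
        print(f"{key:32} {fields[key]}")
    print("response looks encrypted:", looks_encrypted(fields, "res"))
```

The counters are the cheap part; the value for detection is the pairing of entropy with ubc, since a short base64 or hex payload can score high entropy while using far fewer than 240 distinct byte values.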
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, where this key is used to capture
the combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target, **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and
which it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) directly; this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
used: TM stores Int32 and INDEX stores UInt64, although a port number fits in UInt16.'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture the Ethernet Type; used for Layer 3 protocols
only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number; all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: This key is for uninterpreted LDAP values, i.e. LDAP values that don't
have a clear query or response context
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key, used for capturing the name of
the account a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of the file, as located in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel number
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: Port World Wide Name; this uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: sophos
title: "sophos"
description: >
sophos Module
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 through 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 through 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that the event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 through 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of a session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the device hostname, i.e. any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all protocol
numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key captures indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as (the author of the task)
- name: service_account
overwrite: true
type: keyword
description: This is a Windows-specific key, used to capture the name of the
account a service (referenced in the event) is running under. Legacy usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file
which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- name: sophos.xg
type: group
release: beta
description: >
Module for parsing sophosxg syslog.
fields:
- name: action
type: keyword
description: |
Event Action
- name: activityname
type: keyword
description: |
Web policy activity that matched and caused the policy result.
- name: ap
type: keyword
description: |
Access Point Serial ID or LocalWifi0 or LocalWifi1.
- name: app_category
type: keyword
description: |
Name of the category under which application falls
- name: app_filter_policy_id
type: keyword
description: |
Application filter policy ID applied on the traffic
- name: app_is_cloud
type: keyword
description: |
Application is Cloud
- name: app_name
type: keyword
description: |
Application name
- name: app_resolved_by
type: keyword
description: |
Application is resolved by signature or synchronized application
- name: app_risk
type: keyword
description: |
Risk level assigned to the application
- name: app_technology
type: keyword
description: |
Technology of the application
- name: appfilter_policy_id
type: integer
description: |
Application Filter policy applied on the traffic
- name: application
type: keyword
description: |
Application name
- name: application_category
type: keyword
description: |
Application is resolved by signature or synchronized application
- name: application_filter_policy
type: integer
description: |
Application Filter policy applied on the traffic
- name: application_name
type: keyword
description: |
Application name
- name: application_risk
type: keyword
description: |
Risk level assigned to the application
- name: application_technology
type: keyword
description: |
Technology of the application
- name: appresolvedby
type: keyword
description: |
Technology of the application
- name: auth_client
type: keyword
description: |
Auth Client
- name: auth_mechanism
type: keyword
description: |
Auth mechanism
- name: av_policy_name
type: keyword
description: |
Malware scanning policy name which is applied on the traffic
- name: backup_mode
type: keyword
description: |
Backup mode
- name: branch_name
type: keyword
description: |
Branch Name
- name: category
type: keyword
description: |
IPS signature category.
- name: category_type
type: keyword
description: |
Type of category under which website falls
- name: classification
type: keyword
description: |
Signature classification
- name: client_host_name
type: keyword
description: |
Client host name
- name: client_physical_address
type: keyword
description: |
Client physical address
- name: clients_conn_ssid
type: long
description: |
Number of clients connected to the SSID.
- name: collisions
type: long
description: |
collisions
- name: con_event
type: keyword
description: |
Event Start/Stop
- name: con_id
type: integer
description: |
Unique identifier of connection
- name: configuration
type: float
description: |
Configuration
- name: conn_id
type: integer
description: |
Unique identifier of connection
- name: connectionname
type: keyword
description: |
Connectionname
- name: connectiontype
type: keyword
description: |
Connectiontype
- name: connevent
type: keyword
description: |
Event on which this log is generated
- name: connid
type: keyword
description: |
Connection ID
- name: content_type
type: keyword
description: |
Type of the content
- name: contenttype
type: keyword
description: |
Type of the content
- name: context_match
type: keyword
description: |
Context Match
- name: context_prefix
type: keyword
description: |
Content Prefix
- name: context_suffix
type: keyword
description: |
Context Suffix
- name: cookie
type: keyword
description: |
cookie
- name: date
type: date
description: |
Date (yyyy-mm-dd) when the event occurred
- name: destinationip
type: ip
description: |
Original destination IP address of traffic
- name: device
type: keyword
description: |
device
- name: device_id
type: keyword
description: |
Serial number of the device
- name: device_model
type: keyword
description: |
Model number of the device
- name: device_name
type: keyword
description: |
Model number of the device
- name: dictionary_name
type: keyword
description: |
Dictionary Name
- name: dir_disp
type: keyword
description: |
Packet direction. Possible values: “org”, “reply”, “”
- name: direction
type: keyword
description: |
Direction
- name: domainname
type: keyword
description: |
Domain from which virus was downloaded
- name: download_file_name
type: keyword
description: |
Download file name
- name: download_file_type
type: keyword
description: |
Download file type
- name: dst_country_code
type: keyword
description: |
Code of the country to which the destination IP belongs
- name: dst_domainname
type: keyword
description: |
Receiver domain name
- name: dst_ip
type: ip
description: |
Original destination IP address of traffic
- name: dst_port
type: integer
description: |
Original destination port of TCP and UDP traffic
- name: dst_zone_type
type: keyword
description: |
Type of destination zone
- name: dstdomain
type: keyword
description: |
Destination Domain
- name: duration
type: long
description: |
Duration of traffic (seconds)
- name: email_subject
type: keyword
description: |
Email Subject
- name: ep_uuid
type: keyword
description: |
Endpoint UUID
- name: ether_type
type: keyword
description: |
ethernet frame type
- name: eventid
type: keyword
description: |
ATP Event ID
- name: eventtime
type: date
description: |
Event time
- name: eventtype
type: keyword
description: |
ATP event type
- name: exceptions
type: keyword
description: |
List of the checks excluded by web exceptions.
- name: execution_path
type: keyword
description: |
ATP execution path
- name: extra
type: keyword
description: |
extra
- name: file_name
type: keyword
description: |
Filename
- name: file_path
type: keyword
description: |
File path
- name: file_size
type: integer
description: |
File Size
- name: filename
type: keyword
description: |
File name associated with the event
- name: filepath
type: keyword
description: |
Path of the file containing virus
- name: filesize
type: integer
description: |
Size of the file that contained virus
- name: free
type: integer
description: |
free
- name: from_email_address
type: keyword
description: |
Sender email address
- name: ftp_direction
type: keyword
description: |
Direction of FTP transfer: Upload or Download
- name: ftp_url
type: keyword
description: |
FTP URL from which virus was downloaded
- name: ftpcommand
type: keyword
description: |
FTP command used when virus was found
- name: fw_rule_id
type: integer
description: |
Firewall Rule ID which is applied on the traffic
- name: fw_rule_type
type: keyword
description: |
Firewall rule type which is applied on the traffic
- name: hb_health
type: keyword
description: |
Heartbeat status
- name: hb_status
type: keyword
description: |
Heartbeat status
- name: host
type: keyword
description: |
Host
- name: http_category
type: keyword
description: |
HTTP Category
- name: http_category_type
type: keyword
description: |
HTTP Category Type
- name: httpresponsecode
type: long
description: |
code of HTTP response
- name: iap
type: keyword
description: |
Internet Access policy ID applied on the traffic
- name: icmp_code
type: keyword
description: |
ICMP code of ICMP traffic
- name: icmp_type
type: keyword
description: |
ICMP type of ICMP traffic
- name: idle_cpu
type: float
description: |
idle ##
- name: idp_policy_id
type: integer
description: |
IPS policy ID which is applied on the traffic
- name: idp_policy_name
type: keyword
description: |
IPS policy name, i.e. the name of the IPS policy applied on the traffic
- name: in_interface
type: keyword
description: |
Interface for incoming traffic, e.g., Port A
- name: interface
type: keyword
description: |
interface
- name: ipaddress
type: keyword
description: |
Ipaddress
- name: ips_policy_id
type: integer
description: |
IPS policy ID applied on the traffic
- name: lease_time
type: keyword
description: |
Lease Time
- name: localgateway
type: keyword
description: |
Localgateway
- name: localnetwork
type: keyword
description: |
Localnetwork
- name: log_component
type: keyword
description: |
Component responsible for logging e.g. Firewall rule
- name: log_id
type: keyword
description: |
Unique 12-character code (0101011)
- name: log_subtype
type: keyword
description: |
Sub type of event
- name: log_type
type: keyword
description: |
Type of event e.g. firewall event
- name: log_version
type: keyword
description: |
Log Version
- name: login_user
type: keyword
description: |
ATP login user
- name: mailid
type: keyword
description: |
mailid
- name: mailsize
type: integer
description: |
mailsize
- name: message
type: keyword
description: |
Message
- name: mode
type: keyword
description: |
Mode
- name: nat_rule_id
type: keyword
description: |
NAT Rule ID
- name: newversion
type: keyword
description: |
Newversion
- name: oldversion
type: keyword
description: |
Oldversion
- name: out_interface
type: keyword
description: |
Interface for outgoing traffic, e.g., Port B
- name: override_authorizer
type: keyword
description: |
Override authorizer
- name: override_name
type: keyword
description: |
Override name
- name: override_token
type: keyword
description: |
Override token
- name: phpsessid
type: keyword
description: |
PHP session ID
- name: platform
type: keyword
description: |
Platform of the traffic.
- name: policy_type
type: keyword
description: |
Policy type applied to the traffic
- name: priority
type: keyword
description: |
Severity level of traffic
- name: protocol
type: keyword
description: |
Protocol number of traffic
- name: qualifier
type: keyword
description: |
Qualifier
- name: quarantine
type: keyword
description: |
Path and filename of the file quarantined
- name: quarantine_reason
type: keyword
description: |
Quarantine reason
- name: querystring
type: keyword
description: |
Query string
- name: raw_data
type: keyword
description: |
Raw data
- name: received_pkts
type: long
description: |
Total number of packets received
- name: receiveddrops
type: long
description: |
received drops
- name: receivederrors
type: keyword
description: |
received errors
- name: receivedkbits
type: long
description: |
received kbits
- name: recv_bytes
type: long
description: |
Total number of bytes received
- name: red_id
type: keyword
description: |
RED ID
- name: referer
type: keyword
description: |
Referer
- name: remote_ip
type: ip
description: |
Remote IP
- name: remotenetwork
type: keyword
description: |
Remote network
- name: reported_host
type: keyword
description: |
Reported Host
- name: reported_ip
type: keyword
description: |
Reported IP
- name: reports
type: float
description: |
Reports
- name: rule_priority
type: keyword
description: |
Priority of IPS policy
- name: sent_bytes
type: long
description: |
Total number of bytes sent
- name: sent_pkts
type: long
description: |
Total number of packets sent
- name: server
type: keyword
description: |
Server
- name: sessionid
type: keyword
description: |
Session ID
- name: sha1sum
type: keyword
description: |
SHA1 checksum of the item being analyzed
- name: signature
type: float
description: |
Signature
- name: signature_id
type: keyword
description: |
Signature ID
- name: signature_msg
type: keyword
description: |
Signature message
- name: site_category
type: keyword
description: |
Site Category
- name: source
type: keyword
description: |
Source
- name: sourceip
type: ip
description: |
Original source IP address of traffic
- name: spamaction
type: keyword
description: |
Spam Action
- name: sqli
type: keyword
description: |
SQL injection (SQLi) attempt caught by the WAF
- name: src_country_code
type: keyword
description: |
Code of the country to which the source IP belongs
- name: src_domainname
type: keyword
description: |
Sender domain name
- name: src_ip
type: ip
description: |
Original source IP address of traffic
- name: src_mac
type: keyword
description: |
Original source MAC address of traffic
- name: src_port
type: integer
description: |
Original source port of TCP and UDP traffic
- name: src_zone_type
type: keyword
description: |-
Type of source zone
- name: ssid
type: keyword
description: |
Configured SSID name.
- name: start_time
type: date
description: |
Start time
- name: starttime
type: date
description: |
Start time
- name: status
type: keyword
description: |
Ultimate status of traffic – Allowed or Denied
- name: status_code
type: keyword
description: |
Status code
- name: subject
type: keyword
description: |
Email subject
- name: syslog_server_name
type: keyword
description: |
Syslog server name.
- name: system_cpu
type: float
description: |
System CPU usage
- name: target
type: keyword
description: |
Platform of the traffic.
- name: temp
type: float
description: |
Temp
- name: threatname
type: keyword
description: |
ATP threatname
- name: timestamp
type: date
description: |
Timestamp
- name: timezone
type: keyword
description: |
Time (hh:mm:ss) when the event occurred
- name: to_email_address
type: keyword
description: |
Recipient email address
- name: total_memory
type: integer
description: |
Total Memory
- name: trans_dst_ip
type: ip
description: |
Translated destination IP address for outgoing traffic
- name: trans_dst_port
type: integer
description: |
Translated destination port for outgoing traffic
- name: trans_src_ip
type: ip
description: |
Translated source IP address for outgoing traffic
- name: trans_src_port
type: integer
description: |
Translated source port for outgoing traffic
- name: transaction_id
type: keyword
description: |
Transaction ID
- name: transactionid
type: keyword
description: |
Transaction ID of the AV scan.
- name: transmitteddrops
type: long
description: |
transmitted drops
- name: transmittederrors
type: keyword
description: |
transmitted errors
- name: transmittedkbits
type: long
description: |
transmitted kbits
- name: unit
type: keyword
description: |
unit
- name: updatedip
type: ip
description: |
Updated IP address
- name: upload_file_name
type: keyword
description: |
Upload file name
- name: upload_file_type
type: keyword
description: |
Upload file type
- name: url
type: keyword
description: |
URL from which the virus was downloaded
- name: used
type: integer
description: |
used
- name: used_quota
type: keyword
description: |
Used Quota
- name: user
type: keyword
description: |
User
- name: user_cpu
type: float
description: |
User CPU usage
- name: user_gp
type: keyword
description: |
Group name to which the user belongs.
- name: user_group
type: keyword
description: |
Group name to which the user belongs
- name: user_name
type: keyword
description: |
User name
- name: users
type: long
description: |
Number of users from System Health / Live User events.
- name: vconn_id
type: integer
description: |
Connection ID of the master connection
- name: virus
type: keyword
description: |
Virus name
- name: web_policy_id
type: keyword
description: |
Web policy ID
- name: website
type: keyword
description: |
Website
- name: xss
type: keyword
description: |
Cross-site scripting (XSS) attempt caught by the WAF
- key: squid
title: Squid
description: >
squid fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of processes. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the fully
qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the combination
of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures the IDS/IPS integer signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures the IDS/IPS integer signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMware Target. VMware-only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture the list of languages the client supports and which one it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link sessions together. It should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process ID of a connection to the database server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical reads
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname, i.e. any hostname that is not ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IP mask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for the destination device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the protocol number; all protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity (e.g. Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the theme of a particular event (e.g. Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the subject of a particular event (e.g. User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular event (e.g. Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture Behaviours of Compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture Indicators of Compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: RADIUS realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a Windows-specific key used to capture the name of the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the destination email address only; when the destination context is not clear, use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only; when the source context is not clear, use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, i.e. the file which performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either the WLAN number or its name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only. It is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only. It is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only. It is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: suricata
title: Suricata
description: >
Module for handling the EVE JSON logs produced by Suricata.
fields:
- name: suricata
type: group
description: >
Fields from the Suricata EVE log file.
fields:
- name: eve
type: group
description: >
Fields exported by the EVE JSON logs
fields:
- name: event_type
type: keyword
- name: app_proto_orig
type: keyword
- name: tcp
type: group
fields:
- name: tcp_flags
type: keyword
- name: psh
type: boolean
- name: tcp_flags_tc
type: keyword
- name: ack
type: boolean
- name: syn
type: boolean
- name: state
type: keyword
- name: tcp_flags_ts
type: keyword
- name: rst
type: boolean
- name: fin
type: boolean
- name: fileinfo
type: group
fields:
- name: sha1
type: keyword
- name: tx_id
type: long
- name: state
type: keyword
- name: stored
type: boolean
- name: gaps
type: boolean
- name: sha256
type: keyword
- name: md5
type: keyword
- name: icmp_type
type: long
- name: pcap_cnt
type: long
- name: dns
type: group
fields:
- name: type
type: keyword
- name: rrtype
type: keyword
- name: rrname
type: keyword
- name: rdata
type: keyword
- name: tx_id
type: long
- name: ttl
type: long
- name: rcode
type: keyword
- name: id
type: long
- name: flow_id
type: keyword
- name: email
type: group
fields:
- name: status
type: keyword
- name: icmp_code
type: long
- name: http
type: group
fields:
- name: redirect
type: keyword
- name: protocol
type: keyword
- name: http_content_type
type: keyword
- name: in_iface
type: keyword
- name: alert
type: group
fields:
- name: metadata
type: flattened
description: Metadata about the alert.
- name: category
type: keyword
- name: rev
type: long
- name: gid
type: long
- name: signature
type: keyword
- name: signature_id
type: long
- name: protocols
type: keyword
- name: attack_target
type: keyword
- name: capec_id
type: keyword
- name: cwe_id
type: keyword
- name: malware
type: keyword
- name: cve
type: keyword
- name: cvss_v2_base
type: keyword
- name: cvss_v2_temporal
type: keyword
- name: cvss_v3_base
type: keyword
- name: cvss_v3_temporal
type: keyword
- name: priority
type: keyword
- name: hostile
type: keyword
- name: infected
type: keyword
- name: created_at
type: date
- name: updated_at
type: date
- name: classtype
type: keyword
- name: rule_source
type: keyword
- name: sid
type: keyword
- name: affected_product
type: keyword
- name: deployment
type: keyword
- name: former_category
type: keyword
- name: mitre_tool_id
type: keyword
- name: performance_impact
type: keyword
- name: signature_severity
type: keyword
- name: tag
type: keyword
- name: ssh
type: group
fields:
- name: client
type: group
fields:
- name: proto_version
type: keyword
- name: software_version
type: keyword
- name: server
type: group
fields:
- name: proto_version
type: keyword
- name: software_version
type: keyword
- name: stats
type: group
fields:
- name: capture
type: group
fields:
- name: kernel_packets
type: long
- name: kernel_drops
type: long
- name: kernel_ifdrops
type: long
- name: uptime
type: long
- name: detect
type: group
fields:
- name: alert
type: long
- name: http
type: group
fields:
- name: memcap
type: long
- name: memuse
type: long
- name: file_store
type: group
fields:
- name: open_files
type: long
- name: defrag
type: group
fields:
- name: max_frag_hits
type: long
- name: ipv4
type: group
fields:
- name: timeouts
type: long
- name: fragments
type: long
- name: reassembled
type: long
- name: ipv6
type: group
fields:
- name: timeouts
type: long
- name: fragments
type: long
- name: reassembled
type: long
- name: flow
type: group
fields:
- name: tcp_reuse
type: long
- name: udp
type: long
- name: memcap
type: long
- name: emerg_mode_entered
type: long
- name: emerg_mode_over
type: long
- name: tcp
type: long
- name: icmpv6
type: long
- name: icmpv4
type: long
- name: spare
type: long
- name: memuse
type: long
- name: tcp
type: group
fields:
- name: pseudo_failed
type: long
- name: ssn_memcap_drop
type: long
- name: insert_data_overlap_fail
type: long
- name: sessions
type: long
- name: pseudo
type: long
- name: synack
type: long
- name: insert_data_normal_fail
type: long
- name: syn
type: long
- name: memuse
type: long
- name: invalid_checksum
type: long
- name: segment_memcap_drop
type: long
- name: overlap
type: long
- name: insert_list_fail
type: long
- name: rst
type: long
- name: stream_depth_reached
type: long
- name: reassembly_memuse
type: long
- name: reassembly_gap
type: long
- name: overlap_diff_data
type: long
- name: no_flow
type: long
- name: decoder
type: group
fields:
- name: avg_pkt_size
type: long
- name: bytes
type: long
- name: tcp
type: long
- name: raw
type: long
- name: ppp
type: long
- name: vlan_qinq
type: long
- name: 'null'
type: long
- name: ltnull
type: group
fields:
- name: unsupported_type
type: long
- name: pkt_too_small
type: long
- name: invalid
type: long
- name: gre
type: long
- name: ipv4
type: long
- name: ipv6
type: long
- name: pkts
type: long
- name: ipv6_in_ipv6
type: long
- name: ipraw
type: group
fields:
- name: invalid_ip_version
type: long
- name: pppoe
type: long
- name: udp
type: long
- name: dce
type: group
fields:
- name: pkt_too_small
type: long
- name: vlan
type: long
- name: sctp
type: long
- name: max_pkt_size
type: long
- name: teredo
type: long
- name: mpls
type: long
- name: sll
type: long
- name: icmpv6
type: long
- name: icmpv4
type: long
- name: erspan
type: long
- name: ethernet
type: long
- name: ipv4_in_ipv6
type: long
- name: ieee8021ah
type: long
- name: dns
type: group
fields:
- name: memcap_global
type: long
- name: memcap_state
type: long
- name: memuse
type: long
- name: flow_mgr
type: group
fields:
- name: rows_busy
type: long
- name: flows_timeout
type: long
- name: flows_notimeout
type: long
- name: rows_skipped
type: long
- name: closed_pruned
type: long
- name: new_pruned
type: long
- name: flows_removed
type: long
- name: bypassed_pruned
type: long
- name: est_pruned
type: long
- name: flows_timeout_inuse
type: long
- name: flows_checked
type: long
- name: rows_maxlen
type: long
- name: rows_checked
type: long
- name: rows_empty
type: long
- name: app_layer
type: group
fields:
- name: flow
type: group
fields:
- name: tls
type: long
- name: ftp
type: long
- name: http
type: long
- name: failed_udp
type: long
- name: dns_udp
type: long
- name: dns_tcp
type: long
- name: smtp
type: long
- name: failed_tcp
type: long
- name: msn
type: long
- name: ssh
type: long
- name: imap
type: long
- name: dcerpc_udp
type: long
- name: dcerpc_tcp
type: long
- name: smb
type: long
- name: tx
type: group
fields:
- name: tls
type: long
- name: ftp
type: long
- name: http
type: long
- name: dns_udp
type: long
- name: dns_tcp
type: long
- name: smtp
type: long
- name: ssh
type: long
- name: dcerpc_udp
type: long
- name: dcerpc_tcp
type: long
- name: smb
type: long
- name: tls
type: group
fields:
- name: notbefore
type: date
- name: issuerdn
type: keyword
- name: sni
type: keyword
- name: version
type: keyword
- name: session_resumed
type: boolean
- name: fingerprint
type: keyword
- name: serial
type: keyword
- name: notafter
type: date
- name: subject
type: keyword
- name: ja3s
type: group
fields:
- name: string
type: keyword
- name: hash
type: keyword
- name: ja3
type: group
fields:
- name: string
type: keyword
- name: hash
type: keyword
- name: app_proto_ts
type: keyword
- name: flow
type: group
fields:
- name: age
type: long
- name: state
type: keyword
- name: reason
type: keyword
- name: alerted
type: boolean
- name: tx_id
type: long
- name: app_proto_tc
type: keyword
- name: smtp
type: group
fields:
- name: rcpt_to
type: keyword
- name: mail_from
type: keyword
- name: helo
type: keyword
- name: app_proto_expected
type: keyword
- name: flags
type: group
fields:
- key: threatintel
title: threatintel
release: ga
description: >
Threat intelligence Filebeat Module.
fields:
- name: ""
type: group
fields:
- name: threat.indicator.file.hash.tlsh
type: keyword
description: >
The file's TLSH hash, if available.
- name: threat.indicator.file.hash.sha384
type: keyword
description: >
The file's sha384 hash, if available.
- name: threat.feed.name
type: keyword
- name: threat.feed.dashboard_id
type: keyword
- name: abusech.malware
type: group
description: >
Fields for AbuseCH Malware Threat Intel
fields:
- name: file_type
type: keyword
description: >
File type guessed by URLhaus.
- name: signature
type: keyword
description: >
Malware family.
- name: urlhaus_download
type: keyword
description: >
Location (URL) where you can download a copy of this file.
- name: virustotal.result
type: keyword
description: >
AV detection ratio.
- name: virustotal.percent
type: float
description: >
AV detection in percent.
- name: virustotal.link
type: keyword
description: >
Link to the Virustotal report.
- name: abusech.url
type: group
description: >
Fields for AbuseCH Malware Threat Intel
fields:
- name: id
type: keyword
description: >
The ID of the url.
- name: urlhaus_reference
type: keyword
description: >
Link to URLhaus entry.
- name: url_status
type: keyword
description: >
The current status of the URL. Possible values are: online, offline and unknown.
- name: threat
type: keyword
description: >
The threat corresponding to this malware URL.
- name: blacklists.surbl
type: keyword
description: >
SURBL blacklist status. Possible values are: listed and not_listed
- name: blacklists.spamhaus_dbl
type: keyword
description: >
Spamhaus DBL blacklist status.
- name: reporter
type: keyword
description: >
The Twitter handle of the reporter that has reported this malware URL (or anonymous).
- name: larted
type: boolean
description: >
Indicates whether the malware URL has been reported to the hosting provider (true or false)
- name: tags
type: keyword
description: >
A list of tags associated with the queried malware URL
- name: anomali.limo
type: group
description: >
Fields for Anomali Threat Intel
fields:
- name: id
type: keyword
description: >
The ID of the indicator.
- name: name
type: keyword
description: >
The name of the indicator.
- name: pattern
type: keyword
description: >
The pattern ID of the indicator.
- name: valid_from
type: date
description: >
When the indicator was first found or is considered valid.
- name: modified
type: date
description: >
When the indicator was last modified
- name: labels
type: keyword
description: >
The labels related to the indicator
- name: indicator
type: keyword
description: >
The value of the indicator, for example if the type is domain, this would be the value.
- name: description
type: keyword
description: >
A description of the indicator.
- name: title
type: keyword
description: >
Title describing the indicator.
- name: content
type: keyword
description: >
Extra text or descriptive content related to the indicator.
- name: type
type: keyword
description: >
The indicator type, can for example be "domain, email, FileHash-SHA256".
- name: object_marking_refs
type: keyword
description: >
The STIX reference object.
- name: anomali.threatstream
type: group
description: >
Fields for Anomali ThreatStream
fields:
- name: classification
type: keyword
description: >
Indicates whether an indicator is private or from a public feed and available publicly.
Possible values: private, public.
example: private
- name: confidence
type: short
description: >
The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators.
- name: detail2
type: text
description: >
Detail text for indicator.
example: Imported by user 42.
- name: id
type: keyword
description: >
The ID of the indicator.
- name: import_session_id
type: keyword
description: >
ID of the import session that created the indicator on ThreatStream.
- name: itype
type: keyword
description: >
Indicator type.
Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url",
"bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain",
"mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email",
"phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip",
"suspicious_domain", "tor_ip" and "torrent_tracker_url".
- name: maltype
type: wildcard
description: >
Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
- name: md5
type: keyword
description: >
Hash for the indicator.
- name: resource_uri
type: keyword
description: >
Relative URI for the indicator details.
- name: severity
type: keyword
description: >
Criticality associated with the threat feed that supplied the indicator.
Possible values: low, medium, high, very-high.
- name: source
type: keyword
description: >
Source for the indicator.
example: Analyst
- name: source_feed_id
type: keyword
description: >
ID for the integrator source.
- name: state
type: keyword
description: >
State for this indicator.
example: active
- name: trusted_circle_ids
type: keyword
description: >
ID of the trusted circle that imported the indicator.
- name: update_id
type: keyword
description: >
Update ID.
- name: url
type: keyword
description: >
URL for the indicator.
- name: value_type
type: keyword
description: >
Data type of the indicator.
Possible values: ip, domain, url, email, md5.
- name: abusech.malwarebazaar
type: group
description: >
Fields for Malware Bazaar Threat Intel
fields:
- name: file_type
type: keyword
description: >
File type guessed by Malware Bazaar.
- name: signature
type: keyword
description: >
Malware family.
- name: tags
type: keyword
description: >
A list of tags associated with the queried malware sample.
- name: intelligence
type: group
fields:
- name: downloads
type: long
description: >
Number of downloads from MalwareBazaar.
- name: uploads
type: long
description: >
Number of uploads from MalwareBazaar.
- name: mail
type: group
fields:
- name: Generic
type: keyword
description: >
Malware seen in generic spam traffic.
- name: IT
type: keyword
description: >
Malware seen in IT spam traffic.
- name: anonymous
type: long
description: >
Identifies if the sample was submitted anonymously.
- name: code_sign
type: nested
description: >
Code signing information for the sample.
- name: misp
type: group
description: >
Fields for MISP Threat Intel
fields:
- name: id
type: keyword
description: >
Attribute ID.
- name: orgc_id
type: keyword
description: >
Organization Community ID of the event.
- name: org_id
type: keyword
description: >
Organization ID of the event.
- name: threat_level_id
type: long
description: >
Threat level from 5 to 1, where 1 is the most critical.
- name: info
type: keyword
description: >
Additional text or information related to the event.
- name: published
type: boolean
description: >
Whether the event has been published.
- name: uuid
type: keyword
description: >
The UUID of the event object.
- name: date
type: date
description: >
The date of when the event object was created.
- name: attribute_count
type: long
description: >
How many attributes are included in a single event object.
- name: timestamp
type: date
description: >
The timestamp of when the event object was created.
- name: distribution
type: keyword
description: >
Distribution type related to MISP.
- name: proposal_email_lock
type: boolean
description: >
Settings configured on MISP for email lock on this event object.
- name: locked
type: boolean
description: >
If the current MISP event object is locked or not.
- name: publish_timestamp
type: date
description: >
At what time the event object was published
- name: sharing_group_id
type: keyword
description: >
The ID of the grouped events or sources of the event.
- name: disable_correlation
type: boolean
description: >
If correlation is disabled on the MISP event object.
- name: extends_uuid
type: keyword
description: >
The UUID of the event object it might extend.
- name: org.id
type: keyword
description: >
The organization ID related to the event object.
- name: org.name
type: keyword
description: >
The organization name related to the event object.
- name: org.uuid
type: keyword
description: >
The UUID of the organization related to the event object.
- name: org.local
type: boolean
description: >
If the event object is local or from a remote source.
- name: orgc.id
type: keyword
description: >
The Organization Community ID in which the event object was reported from.
- name: orgc.name
type: keyword
description: >
The Organization Community name in which the event object was reported from.
- name: orgc.uuid
type: keyword
description: >
The Organization Community UUID in which the event object was reported from.
- name: orgc.local
type: boolean
description: >
If the Organization Community was local or synced from a remote source.
- name: attribute.id
type: keyword
description: >
The ID of the attribute related to the event object.
- name: attribute.type
type: keyword
description: >
The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
- name: attribute.category
type: keyword
description: >
The category of the attribute related to the event object. For example "Network Activity".
- name: attribute.to_ids
type: boolean
description: >
If the attribute should be automatically synced with an IDS.
- name: attribute.uuid
type: keyword
description: >
The UUID of the attribute related to the event.
- name: attribute.event_id
type: keyword
description: >
The local event ID of the attribute related to the event.
- name: attribute.distribution
type: long
description: >
How the attribute has been distributed, represented by integer numbers.
- name: attribute.timestamp
type: date
description: >
The timestamp in which the attribute was attached to the event object.
- name: attribute.comment
type: keyword
description: >
Comments made to the attribute itself.
- name: attribute.sharing_group_id
type: keyword
description: >
The group ID of the sharing group related to the specific attribute.
- name: attribute.deleted
type: boolean
description: >
If the attribute has been removed from the event object.
- name: attribute.disable_correlation
type: boolean
description: >
If correlation has been enabled on the attribute related to the event object.
- name: attribute.object_id
type: keyword
description: >
The ID of the Object in which the attribute is attached.
- name: attribute.object_relation
type: keyword
description: >
The type of relation the attribute has with the event object itself.
- name: attribute.value
type: keyword
description: >
The value of the attribute, depending on the type like "url, sha1, email-src".
- name: context.attribute.id
type: keyword
description: >
The ID of the secondary attribute related to the event object.
- name: context.attribute.type
type: keyword
description: >
The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
- name: context.attribute.category
type: keyword
description: >
The category of the secondary attribute related to the event object. For example "Network Activity".
- name: context.attribute.to_ids
type: boolean
description: >
If the secondary attribute should be automatically synced with an IDS.
- name: context.attribute.uuid
type: keyword
description: >
The UUID of the secondary attribute related to the event.
- name: context.attribute.event_id
type: keyword
description: >
The local event ID of the secondary attribute related to the event.
- name: context.attribute.distribution
type: long
description: >
How the secondary attribute has been distributed, represented by integer numbers.
- name: context.attribute.timestamp
type: date
description: >
The timestamp in which the secondary attribute was attached to the event object.
- name: context.attribute.comment
type: keyword
description: >
Comments made to the secondary attribute itself.
- name: context.attribute.sharing_group_id
type: keyword
description: >
The group ID of the sharing group related to the specific secondary attribute.
- name: context.attribute.deleted
type: boolean
description: >
If the secondary attribute has been removed from the event object.
- name: context.attribute.disable_correlation
type: boolean
description: >
If correlation has been enabled on the secondary attribute related to the event object.
- name: context.attribute.object_id
type: keyword
description: >
The ID of the Object in which the secondary attribute is attached.
- name: context.attribute.object_relation
type: keyword
description: >
The type of relation the secondary attribute has with the event object itself.
- name: context.attribute.value
type: keyword
description: >
The value of the attribute, depending on the type like "url, sha1, email-src".
- name: otx
type: group
description: >
Fields for OTX Threat Intel
fields:
- name: id
type: keyword
description: >
The ID of the indicator.
- name: indicator
type: keyword
description: >
The value of the indicator, for example if the type is domain, this would be the value.
- name: description
type: keyword
description: >
A description of the indicator.
- name: title
type: keyword
description: >
Title describing the indicator.
- name: content
type: keyword
description: >
Extra text or descriptive content related to the indicator.
- name: type
type: keyword
description: >
The indicator type, can for example be "domain, email, FileHash-SHA256".
- name: threatq
type: group
description: >
Fields for ThreatQ Threat Library
fields:
- name: updated_at
type: date
description: >
Last modification time
- name: created_at
type: date
description: >
Object creation time
- name: expires_at
type: date
description: >
Expiration time
- name: expires_calculated_at
type: date
description: >
Expiration calculation time
- name: published_at
type: date
description: >
Object publication time
- name: status
type: keyword
description: >
Object status within the Threat Library
- name: indicator_value
type: keyword
description: >
Original indicator value
- name: adversaries
type: keyword
description: >
Adversaries that are linked to the object
- name: attributes
type: flattened
description: >
These provide additional context about an object
- key: tomcat
title: Apache Tomcat
description: >
tomcat fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse metadata from a session (Logs/Packets)
directly; this is a reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse metadata from a session (Logs/Packets) directly; this is a
reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse metadata from a session (Logs/Packets) directly; this is a
reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse metadata from a session (Logs/Packets) directly; this
is a reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 characters of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
fully qualified domain name in a windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a windows only concept, where this key is used to capture
combination of domain name and username in a windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlayed onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname. Any Hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into string in UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used to capture authentication methods used only
- name: user_role
overwrite: true
type: keyword
description: This key is used to capture the Role of a user only
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: Radius realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: lastname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture username the process or service is running
as, the author of the task
- name: service_account
overwrite: true
type: keyword
description: This key is a windows specific key, used for capturing name of
the account a service (referenced in the event) is running under. Legacy Usage
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the Destination email address only,
when the destination context is not clear use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only, when
the source context is not clear use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture name of the parent filename, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture Company name of file located in version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the ssid of a Wireless Session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures either WLAN number/name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key is a very useful concept in Storage.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on a HBA.
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for First Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for Last Names only, this is used for Healthcare predominantly
to capture Patients information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for Middle Names only, this is used for Healthcare
predominantly to capture Patients information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: zeek
title: Zeek
description: >
Module for handling logs produced by Zeek/Bro
fields:
- name: zeek
type: group
description: >
Fields from Zeek/Bro logs after normalization
fields:
- name: session_id
type: keyword
description: >
A unique identifier of the session
- name: capture_loss
type: group
description: >
Fields exported by the Zeek capture_loss log
fields:
- name: ts_delta
type: integer
description: |
The time delay between this measurement and the last.
- name: peer
type: keyword
description: |
In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
- name: gaps
type: integer
description: |
Number of missed ACKs from the previous measurement interval.
- name: acks
type: integer
description: |
Total number of ACKs seen in the previous measurement interval.
- name: percent_lost
type: double
description: |
Percentage of ACKs seen where the data being ACKed wasn't seen.
- name: connection
type: group
description: >
Fields exported by the Zeek Connection log
fields:
- name: local_orig
type: boolean
description: >
Indicates whether the session is originated locally.
- name: local_resp
type: boolean
description: >
Indicates whether the session is responded locally.
- name: missed_bytes
type: long
description: >
Missed bytes for the session.
- name: state
type: keyword
description: >
Code indicating the state of the session.
- name: state_message
type: keyword
description: >
The state of the session.
- name: icmp
type: group
fields:
- name: type
type: integer
description: >
ICMP message type.
- name: code
type: integer
description: >
ICMP message code.
- name: history
type: keyword
description: >
Flags indicating the history of the session.
- name: vlan
type: integer
description: >
The outer VLAN identifier for this connection, if applicable.
- name: inner_vlan
type: integer
description: >
The inner VLAN identifier for this connection, if applicable (double-tagged frames).
- name: dce_rpc
type: group
description: >
Fields exported by the Zeek DCE_RPC log
fields:
- name: rtt
type: integer
description: |
Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
- name: named_pipe
type: keyword
description: |
Remote pipe name.
- name: endpoint
type: keyword
description: |
Endpoint name looked up from the uuid.
- name: operation
type: keyword
description: |
Operation seen in the call.
- name: dhcp
type: group
description: >
Fields exported by the Zeek DHCP log
fields:
- name: domain
type: keyword
description: >
Domain given by the server in option 15.
- name: duration
type: double
description: |
Duration of the DHCP session representing the time from the first
message to the last, in seconds.
- name: hostname
type: keyword
description: >
Name given by client in Hostname option 12.
- name: client_fqdn
type: keyword
description: >
FQDN given by client in Client FQDN option 81.
- name: lease_time
type: integer
description: >
IP address lease interval in seconds.
- name: address
type: group
description: >
Addresses seen in this DHCP exchange.
fields:
- name: assigned
type: ip
description: >
IP address assigned by the server.
- name: client
type: ip
description: |
IP address of the client. If a transaction is only a client sending
INFORM messages then there is no lease information exchanged so this
is helpful to know who sent the messages. Getting an address in this
field does require that the client sources at least one DHCP message
using a non-broadcast address.
- name: mac
type: keyword
description: >
Client's hardware address.
- name: requested
type: ip
description: >
IP address requested by the client.
- name: server
type: ip
description: >
IP address of the DHCP server.
- name: msg
type: group
fields:
- name: types
type: keyword
description: >
List of DHCP message types seen in this exchange.
- name: origin
type: ip
description: |
(present if policy/protocols/dhcp/msg-orig.bro is loaded)
The address that originated each message from the msg.types field.
- name: client
type: keyword
description: |
Message typically accompanied with a DHCP_DECLINE so the client can
tell the server why it rejected an address.
- name: server
type: keyword
description: |
Message typically accompanied with a DHCP_NAK to let the client know
why it rejected the request.
- name: software
type: group
fields:
- name: client
type: keyword
description: |
(present if policy/protocols/dhcp/software.bro is loaded)
Software reported by the client in the vendor_class option.
- name: server
type: keyword
description: |
(present if policy/protocols/dhcp/software.bro is loaded)
Software reported by the server in the vendor_class option.
- name: id
type: group
fields:
- name: circuit
type: keyword
description: |
(present if policy/protocols/dhcp/sub-opts.bro is loaded)
Added by DHCP relay agents which terminate switched or permanent
circuits. It encodes an agent-local identifier of the circuit from
which a DHCP client-to-server packet was received. Typically it
should represent a router or switch interface number.
- name: remote_agent
type: keyword
description: |
(present if policy/protocols/dhcp/sub-opts.bro is loaded)
A globally unique identifier added by relay agents to identify the
remote host end of the circuit.
- name: subscriber
type: keyword
description: |
(present if policy/protocols/dhcp/sub-opts.bro is loaded)
The subscriber ID is a value independent of the physical network
configuration so that a customer's DHCP configuration can be given
to them correctly no matter where they are physically connected.
- name: dnp3
type: group
description: >
Fields exported by the Zeek DNP3 log
fields:
- name: function
type: group
fields:
- name: request
type: keyword
description: |
The name of the function message in the request.
- name: reply
type: keyword
description: |
The name of the function message in the reply.
- name: id
type: integer
description: |
The response's internal indication number.
- name: dns
type: group
description: >
Fields exported by the Zeek DNS log
fields:
- name: trans_id
type: keyword
description: >
DNS transaction identifier.
- name: rtt
type: double
description: >
Round trip time for the query and response.
- name: query
type: keyword
description: >
The domain name that is the subject of the DNS query.
- name: qclass
type: long
description: >
The QCLASS value specifying the class of the query.
- name: qclass_name
type: keyword
description: >
A descriptive name for the class of the query.
- name: qtype
type: long
description: >
A QTYPE value specifying the type of the query.
- name: qtype_name
type: keyword
description: >
A descriptive name for the type of the query.
- name: rcode
type: long
description: >
The response code value in DNS response messages.
- name: rcode_name
type: keyword
description: >
A descriptive name for the response code value.
- name: AA
type: boolean
description: |
The Authoritative Answer bit for response messages specifies that the responding
name server is an authority for the domain name in the question section.
- name: TC
type: boolean
description: >
The Truncation bit specifies that the message was truncated.
- name: RD
type: boolean
description: |
The Recursion Desired bit in a request message indicates that the client
wants recursive service for this query.
- name: RA
type: boolean
description: |
The Recursion Available bit in a response message indicates that the name
server supports recursive queries.
- name: answers
type: keyword
description: >
The set of resource descriptions in the query answer.
- name: TTLs
type: double
description: >
The caching intervals of the associated RRs described by the answers field.
- name: rejected
type: boolean
description: >
Indicates whether the DNS query was rejected by the server.
- name: total_answers
type: integer
description: >
The total number of resource records in the answer section of the reply message.
- name: total_replies
type: integer
description: >
The total number of resource records in the answer, authority and additional sections of the reply message.
- name: saw_query
type: boolean
description: >
Whether the full DNS query has been seen.
- name: saw_reply
type: boolean
description: >
Whether the full DNS reply has been seen.
- name: dpd
type: group
description: >
Fields exported by the Zeek DPD log
fields:
- name: analyzer
type: keyword
description: >
The analyzer that generated the violation.
- name: failure_reason
type: keyword
description: >
The textual reason for the analysis failure.
- name: packet_segment
type: keyword
description: |
(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)
A chunk of the payload that most likely resulted in the protocol violation.
- name: files
type: group
description: >
Fields exported by the Zeek Files log.
fields:
- name: fuid
type: keyword
description: >
A file unique identifier.
- name: tx_host
type: ip
description: >
The host that transferred the file.
- name: rx_host
type: ip
description: >
The host that received the file.
- name: session_ids
type: keyword
description: >
The sessions that have this file.
- name: source
type: keyword
description: |
An identification of the source of the file data. E.g. it may be a network protocol
over which it was transferred, or a local file path which was read, or some other
input source.
- name: depth
type: long
description: |
A value to represent the depth of this file in relation to its source. In SMTP, it
is the depth of the MIME attachment on the message. In HTTP, it is the depth of the
request within the TCP connection.
- name: analyzers
type: keyword
description: >
A set of analysis types done during the file analysis.
- name: mime_type
type: keyword
description: >
Mime type of the file.
- name: filename
type: keyword
description: >
Name of the file if available.
- name: local_orig
type: boolean
description: |
If the source of this file is a network connection, this field indicates if the data
originated from the local network or not.
- name: is_orig
type: boolean
description: |
If the source of this file is a network connection, this field indicates if the file is
being sent by the originator of the connection or the responder.
- name: duration
type: double
description: >
The duration the file was analyzed for. Not the duration of the session.
- name: seen_bytes
type: long
description: >
Number of bytes provided to the file analysis engine for the file.
- name: total_bytes
type: long
description: >
Total number of bytes that are supposed to comprise the full file.
- name: missing_bytes
type: long
description: |
The number of bytes in the file stream that were completely missed during the process
of analysis.
- name: overflow_bytes
type: long
description: |
The number of bytes in the file stream that were not delivered to stream file analyzers.
This could be overlapping bytes or bytes that couldn't be reassembled.
- name: timedout
type: boolean
description: >
Whether the file analysis timed out at least once for the file.
- name: parent_fuid
type: keyword
description: |
Identifier associated with a container file from which this one was extracted as part of
the file analysis.
- name: md5
type: keyword
description: >
An MD5 digest of the file contents.
- name: sha1
type: keyword
description: >
A SHA1 digest of the file contents.
- name: sha256
type: keyword
description: >
A SHA256 digest of the file contents.
- name: extracted
type: keyword
description: >
Local filename of extracted file.
- name: extracted_cutoff
type: boolean
description: >
Indicates whether the extracted file was cut off and therefore not extracted completely.
- name: extracted_size
type: long
description: >
The number of bytes extracted to disk.
- name: entropy
type: double
description: >
The information density of the contents of the file.
- name: ftp
type: group
description: >
Fields exported by the Zeek FTP log
fields:
- name: user
type: keyword
description: |
User name for the current FTP session.
- name: password
type: keyword
description: |
Password for the current FTP session if captured.
- name: command
type: keyword
description: |
Command given by the client.
- name: arg
type: keyword
description: |
Argument for the command if one is given.
- name: file
type: group
fields:
- name: size
type: long
description: |
Size of the file if the command indicates a file transfer.
- name: mime_type
type: keyword
description: |
Sniffed mime type of file.
- name: fuid
type: keyword
description: |
(present if base/protocols/ftp/files.bro is loaded)
File unique ID.
- name: reply
type: group
fields:
- name: code
type: integer
description: |
Reply code from the server in response to the command.
- name: msg
type: keyword
description: |
Reply message from the server in response to the command.
- name: data_channel
type: group
description: |
Expected FTP data channel.
fields:
- name: passive
type: boolean
description: |
Whether PASV mode is toggled for the control channel.
- name: originating_host
type: ip
description: |
The host that will be initiating the data connection.
- name: response_host
type: ip
description: |
The host that will be accepting the data connection.
- name: response_port
type: integer
description: |
The port at which the acceptor is listening for the data connection.
- name: cwd
type: keyword
description: |
Current working directory that this session is in. By making the default value '.', we can indicate that, unless something more concrete is discovered, the existing but unknown directory is OK to use.
- name: cmdarg
type: group
description: |
Command that is currently waiting for a response.
fields:
- name: cmd
type: keyword
description: |
Command.
- name: arg
type: keyword
description: |
Argument for the command if one was given.
- name: seq
type: integer
description: |
Counter to track how many commands have been executed.
- name: pending_commands
type: integer
description: |
Commands that have been sent but not yet responded to are queued and tracked here.
- name: passive
type: boolean
description: |
Indicates if the session is in active or passive mode.
- name: capture_password
type: boolean
description: |
Determines if the password will be captured for this request.
- name: last_auth_requested
type: keyword
description: |
(present if base/protocols/ftp/gridftp.bro is loaded)
Last authentication/security mechanism that was used.
- name: http
type: group
description: >
Fields exported by the Zeek HTTP log
fields:
- name: trans_depth
type: integer
description: >
Represents the pipelined depth into the connection of this request/response transaction.
- name: status_msg
type: keyword
description: >
Status message returned by the server.
- name: info_code
type: integer
description: >
Last seen 1xx informational reply code returned by the server.
- name: info_msg
type: keyword
description: >
Last seen 1xx informational reply message returned by the server.
- name: tags
type: keyword
description: |
A set of indicators of various attributes discovered and related to a particular
request/response pair.
- name: password
type: keyword
description: >
Password if basic-auth is performed for the request.
- name: captured_password
type: boolean
description: >
Determines if the password will be captured for this request.
- name: proxied
type: keyword
description: >
All of the headers that may indicate if the HTTP request was proxied.
- name: range_request
type: boolean
description: >
Indicates if this request can assume 206 partial content in response.
- name: client_header_names
type: keyword
description: |
The vector of HTTP header names sent by the client. No header values
are included here, just the header names.
- name: server_header_names
type: keyword
description: |
The vector of HTTP header names sent by the server. No header values
are included here, just the header names.
- name: orig_fuids
type: keyword
description: >
An ordered vector of file unique IDs from the originator.
- name: orig_mime_types
type: keyword
description: >
An ordered vector of mime types from the originator.
- name: orig_filenames
type: keyword
description: >
An ordered vector of filenames from the originator.
- name: resp_fuids
type: keyword
description: >
An ordered vector of file unique IDs from the responder.
- name: resp_mime_types
type: keyword
description: >
An ordered vector of mime types from the responder.
- name: resp_filenames
type: keyword
description: >
An ordered vector of filenames from the responder.
- name: orig_mime_depth
type: integer
description: >
Current number of MIME entities in the HTTP request message body.
- name: resp_mime_depth
type: integer
description: >
Current number of MIME entities in the HTTP response message body.
- name: intel
type: group
description: >
Fields exported by the Zeek Intel log.
fields:
- name: seen
type: group
fields:
- name: indicator
type: keyword
description: >
The intelligence indicator.
- name: indicator_type
type: keyword
description: >
The type of data the indicator represents.
- name: host
type: keyword
description: >
If the indicator type was Intel::ADDR, then this field will be present.
- name: conn
type: keyword
description: >
If the data was discovered within a connection, the connection record should go here to give context to the data.
- name: where
type: keyword
description: >
Where the data was discovered.
- name: node
type: keyword
description: >
The name of the node where the match was discovered.
- name: uid
type: keyword
description: >
If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
- name: f
type: object
description: >
If the data was discovered within a file, the file record should go here to provide context to the data.
- name: fuid
type: keyword
description: >
If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
- name: matched
type: keyword
description: >
Event to represent a match in the intelligence data from data that was seen.
- name: sources
type: keyword
description: >
Sources which supplied data for this match.
- name: fuid
type: keyword
description: >
If a file was associated with this intelligence hit, this is the uid for the file.
- name: file_mime_type
type: keyword
description: >
A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
- name: file_desc
type: keyword
description: >
Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
- name: irc
type: group
description: >
Fields exported by the Zeek IRC log
fields:
- name: nick
type: keyword
description: |
Nickname given for the connection.
- name: user
type: keyword
description: |
Username given for the connection.
- name: command
type: keyword
description: |
Command given by the client.
- name: value
type: keyword
description: |
Value for the command given by the client.
- name: addl
type: keyword
description: |
Any additional data for the command.
- name: dcc
type: group
fields:
- name: file
type: group
fields:
- name: name
type: keyword
description: |
(present if base/protocols/irc/dcc-send.bro is loaded)
DCC filename requested.
- name: size
type: long
description: |
(present if base/protocols/irc/dcc-send.bro is loaded)
Size of the DCC transfer as indicated by the sender.
- name: mime_type
type: keyword
description: |
(present if base/protocols/irc/dcc-send.bro is loaded)
Sniffed mime type of the file.
- name: fuid
type: keyword
description: |
(present if base/protocols/irc/files.bro is loaded)
File unique ID.
- name: kerberos
type: group
description: >
Fields exported by the Zeek Kerberos log
fields:
- name: request_type
type: keyword
description: >
Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
- name: client
type: keyword
description: >
Client name.
- name: service
type: keyword
description: >
Service name.
- name: success
type: boolean
description: >
Request result.
- name: error
type: group
fields:
- name: code
type: integer
description: >
Error code.
- name: msg
type: keyword
description: >
Error message.
- name: valid
type: group
fields:
- name: from
type: date
description: >
Ticket valid from.
- name: until
type: date
description: >
Ticket valid until.
- name: days
type: integer
description: >
Number of days the ticket is valid for.
- name: cipher
type: keyword
description: >
Ticket encryption type.
- name: forwardable
type: boolean
description: >
Forwardable ticket requested.
- name: renewable
type: boolean
description: >
Renewable ticket requested.
- name: ticket
type: group
fields:
- name: auth
type: keyword
description: >
Hash of ticket used to authorize request/transaction.
- name: new
type: keyword
description: >
Hash of ticket returned by the KDC.
- name: cert
type: group
fields:
- name: client
type: group
fields:
- name: value
type: keyword
description: >
Client certificate.
- name: fuid
type: keyword
description: >
File unique ID of client cert.
- name: subject
type: keyword
description: >
Subject of client certificate.
- name: server
type: group
fields:
- name: value
type: keyword
description: >
Server certificate.
- name: fuid
type: keyword
description: >
File unique ID of server certificate.
- name: subject
type: keyword
description: >
Subject of server certificate.
- name: modbus
type: group
description: >
Fields exported by the Zeek modbus log.
fields:
- name: function
type: keyword
description: |
The name of the function message that was sent.
- name: exception
type: keyword
description: |
The exception if the response was a failure.
- name: track_address
type: integer
description: |
(present if policy/protocols/modbus/track-memmap.bro is loaded)
Modbus track address.
- name: mysql
type: group
description: >
Fields exported by the Zeek MySQL log.
fields:
- name: cmd
type: keyword
description: |
The command that was issued.
- name: arg
type: keyword
description: |
The argument issued to the command.
- name: success
type: boolean
description: |
Whether the command succeeded.
- name: rows
type: integer
description: |
The number of affected rows, if any.
- name: response
type: keyword
description: |
Server message, if any.
- name: notice
type: group
description: >
Fields exported by the Zeek Notice log.
fields:
- name: connection_id
type: keyword
description: >
Identifier of the related connection session.
- name: icmp_id
type: keyword
description: >
Identifier of the related ICMP session.
- name: file.id
type: keyword
description: >
An identifier associated with a single file that is related to this notice.
- name: file.parent_id
type: keyword
description: >
Identifier associated with a container file from which this one was extracted.
- name: file.source
type: keyword
description: |
An identification of the source of the file data. E.g. it may be a network protocol
over which it was transferred, or a local file path which was read, or some other
input source.
- name: file.mime_type
type: keyword
description: >
A mime type if the notice is related to a file.
- name: file.is_orig
type: boolean
description: |
If the source of this file is a network connection, this field indicates if the file is
being sent by the originator of the connection or the responder.
- name: file.seen_bytes
type: long
description: >
Number of bytes provided to the file analysis engine for the file.
- name: file.total_bytes
type: long
description: >
Total number of bytes that are supposed to comprise the full file.
- name: file.missing_bytes
type: long
description: |
The number of bytes in the file stream that were completely missed during the process
of analysis.
- name: file.overflow_bytes
type: long
description: |
The number of bytes in the file stream that were not delivered to stream file analyzers.
This could be overlapping bytes or bytes that couldn't be reassembled.
- name: fuid
type: keyword
description: >
A file unique ID if this notice is related to a file.
- name: note
type: keyword
description: >
The type of the notice.
- name: msg
type: keyword
description: >
The human readable message for the notice.
- name: sub
type: keyword
description: >
The human readable sub-message.
- name: n
type: long
description: >
Associated count, or a status code.
- name: peer_name
type: keyword
description: >
Name of remote peer that raised this notice.
- name: peer_descr
type: text
description: >
Textual description for the peer that raised this notice.
- name: actions
type: keyword
description: >
The actions which have been applied to this notice.
- name: email_body_sections
type: text
description: |
By adding chunks of text into this element, other scripts can expand on notices
that are being emailed.
- name: email_delay_tokens
type: keyword
description: |
Adding a string token to this set will cause the built-in emailing functionality
to delay sending the email until either the token has been removed or the email
has been delayed for the specified time duration.
- name: identifier
type: keyword
description: >
This field is provided when a notice is generated for the purpose of deduplicating notices.
- name: suppress_for
type: double
description: >
This field indicates the length of time that this unique notice should be suppressed.
- name: dropped
type: boolean
description: >
Indicate if the source IP address was dropped and denied network access.
- name: ntlm
type: group
description: >
Fields exported by the Zeek NTLM log.
fields:
- name: domain
type: keyword
description: >
Domain name given by the client.
- name: hostname
type: keyword
description: >
Hostname given by the client.
- name: success
type: boolean
description: >
Indicate whether or not the authentication was successful.
- name: username
type: keyword
description: >
Username given by the client.
- name: server
type: group
fields:
- name: name
type: group
fields:
- name: dns
type: keyword
description: >
DNS name given by the server in a CHALLENGE.
- name: netbios
type: keyword
description: >
NetBIOS name given by the server in a CHALLENGE.
- name: tree
type: keyword
description: >
Tree name given by the server in a CHALLENGE.
- name: ntp
type: group
description: >
Fields exported by the Zeek NTP log.
fields:
- name: version
type: integer
description: >
The NTP version number (1, 2, 3, 4).
- name: mode
type: integer
description: >
The NTP mode being used.
- name: stratum
type: integer
description: >
The stratum (primary server, secondary server, etc.).
- name: poll
type: double
description: >
The maximum interval between successive messages in seconds.
- name: precision
type: double
description: >
The precision of the system clock in seconds.
- name: root_delay
type: double
description: >
Total round-trip delay to the reference clock in seconds.
- name: root_disp
type: double
description: >
Total dispersion to the reference clock in seconds.
- name: ref_id
type: keyword
description: >
For stratum 0, 4 character string used for debugging.
For stratum 1, ID assigned to the reference clock by IANA.
Above stratum 1, when using IPv4, the IP address of the reference clock.
Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses,
so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address
(i.e. an IPv4 address here is not necessarily IPv4).
- name: ref_time
type: date
description: >
Time when the system clock was last set or corrected.
- name: org_time
type: date
description: >
Time at the client when the request departed for the NTP server.
- name: rec_time
type: date
description: >
Time at the server when the request arrived from the NTP client.
- name: xmt_time
type: date
description: >
Time at the server when the response departed for the NTP client.
- name: num_exts
type: integer
description: >
Number of extension fields (which are not currently parsed).
- name: ocsp
type: group
description: |
Fields exported by the Zeek OCSP log
Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
fields:
- name: file_id
type: keyword
description: |
File id of the OCSP reply.
- name: hash
type: group
fields:
- name: algorithm
type: keyword
description: |
Hash algorithm used to generate issuerNameHash and issuerKeyHash.
- name: issuer
type: group
fields:
- name: name
type: keyword
description: |
Hash of the issuer's distinguished name.
- name: key
type: keyword
description: |
Hash of the issuer's public key.
- name: serial_number
type: keyword
description: |
Serial number of the affected certificate.
- name: status
type: keyword
description: |
Status of the affected certificate.
- name: revoke
type: group
fields:
- name: time
type: date
description: |
Time at which the certificate was revoked.
- name: reason
type: keyword
description: |
Reason for which the certificate was revoked.
- name: update
type: group
fields:
- name: this
type: date
description: |
The time at which the status being shown is known to have been correct.
- name: next
type: date
description: |
The latest time at which new information about the status of the certificate will be available.
- name: pe
type: group
description: >
Fields exported by the Zeek pe log.
fields:
- name: client
type: keyword
description: >
The client's version string.
- name: id
type: keyword
description: >
File id of this portable executable file.
- name: machine
type: keyword
description: >
The target machine that the file was compiled for.
- name: compile_time
type: date
description: >
The time the file was created, as recorded in the PE header timestamp.
- name: os
type: keyword
description: >
The required operating system.
- name: subsystem
type: keyword
description: >
The subsystem that is required to run this file.
- name: is_exe
type: boolean
description: >
Is the file an executable, or just an object file?
- name: is_64bit
type: boolean
description: >
Is the file a 64-bit executable?
- name: uses_aslr
type: boolean
description: >
Does the file support Address Space Layout Randomization?
- name: uses_dep
type: boolean
description: >
Does the file support Data Execution Prevention?
- name: uses_code_integrity
type: boolean
description: >
Does the file enforce code integrity checks?
- name: uses_seh
type: boolean
description: >
Does the file use structured exception handling?
- name: has_import_table
type: boolean
description: >
Does the file have an import table?
- name: has_export_table
type: boolean
description: >
Does the file have an export table?
- name: has_cert_table
type: boolean
description: >
Does the file have an attribute certificate table?
- name: has_debug_data
type: boolean
description: >
Does the file have a debug table?
- name: section_names
type: keyword
description: >
The names of the sections, in order.
- name: radius
type: group
description: >
Fields exported by the Zeek Radius log.
fields:
- name: username
type: keyword
description: |
The username, if present.
- name: mac
type: keyword
description: |
MAC address, if present.
- name: framed_addr
type: ip
description: |
The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- name: remote_ip
type: ip
description: |
Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- name: connect_info
type: keyword
description: |
Connect info, if present.
- name: reply_msg
type: keyword
description: |
Reply message from the server challenge. This is frequently shown to the user authenticating.
- name: result
type: keyword
description: |
Successful or failed authentication.
- name: ttl
type: integer
description: |
The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
- name: logged
type: boolean
description: |
Whether this has already been logged and can be ignored.
- name: rdp
type: group
description: >
Fields exported by the Zeek RDP log.
fields:
- name: cookie
type: keyword
description: |
Cookie value used by the client machine. This is typically a username.
- name: result
type: keyword
description: |
Status result for the connection. It's a mix between RDP negotiation failure messages and GCC server create response messages.
- name: security_protocol
type: keyword
description: |
Security protocol chosen by the server.
- name: keyboard_layout
type: keyword
description: |
Keyboard layout (language) of the client machine.
- name: client
type: group
fields:
- name: build
type: keyword
description: |
RDP client version used by the client machine.
- name: client_name
type: keyword
description: |
Name of the client machine.
- name: product_id
type: keyword
description: |
Product ID of the client machine.
- name: desktop
type: group
fields:
- name: width
type: integer
description: |
Desktop width of the client machine.
- name: height
type: integer
description: |
Desktop height of the client machine.
- name: color_depth
type: keyword
description: |
The color depth requested by the client in the high_color_depth field.
- name: cert
type: group
fields:
- name: type
type: keyword
description: |
If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
- name: count
type: integer
description: |
The number of certs seen. X.509 can transfer an entire certificate chain.
- name: permanent
type: boolean
description: |
Indicates if the provided certificate or certificate chain is permanent or temporary.
- name: encryption
type: group
fields:
- name: level
type: keyword
description: |
Encryption level of the connection.
- name: method
type: keyword
description: |
Encryption method of the connection.
- name: done
type: boolean
description: |
Track status of logging RDP connections.
- name: ssl
type: boolean
description: |
(present if policy/protocols/rdp/indicate_ssl.bro is loaded)
Flag the connection if it was seen over SSL.
- name: rfb
type: group
description: >
Fields exported by the Zeek RFB log.
fields:
- name: version
type: group
fields:
- name: client
type: group
fields:
- name: major
type: keyword
description: |
Major version of the client.
- name: minor
type: keyword
description: |
Minor version of the client.
- name: server
type: group
fields:
- name: major
type: keyword
description: |
Major version of the server.
- name: minor
type: keyword
description: |
Minor version of the server.
- name: auth
type: group
fields:
- name: success
type: boolean
description: |
Whether or not authentication was successful.
- name: method
type: keyword
description: |
Identifier of authentication method used.
- name: share_flag
type: boolean
description: |
Whether the client has an exclusive or a shared session.
- name: desktop_name
type: keyword
description: |
Name of the screen that is being shared.
- name: width
type: integer
description: |
Width of the screen that is being shared.
- name: height
type: integer
description: |
Height of the screen that is being shared.
- name: signature
type: group
description: >
Fields exported by the Zeek Signature log.
fields:
- name: note
type: keyword
description: >
Notice associated with signature event.
- name: sig_id
type: keyword
description: >
The name of the signature that matched.
- name: event_msg
type: keyword
description: >
A more descriptive message of the signature-matching event.
- name: sub_msg
type: keyword
description: >
Extracted payload data or extra message.
- name: sig_count
type: integer
description: >
Number of signatures, usually from a summary count.
- name: host_count
type: integer
description: >
Number of hosts, from a summary count.
- name: sip
type: group
description: >
Fields exported by the Zeek SIP log.
fields:
- name: transaction_depth
type: integer
description: >
Represents the pipelined depth into the connection of this request/response transaction.
- name: sequence
type: group
fields:
- name: method
type: keyword
description: >
Verb used in the SIP request (INVITE, REGISTER etc.).
- name: number
type: keyword
description: >
Contents of the CSeq: header from the client.
- name: uri
type: keyword
description: >
URI used in the request.
- name: date
type: keyword
description: >
Contents of the Date: header from the client.
- name: request
type: group
fields:
- name: from
type: keyword
description: >
Contents of the request From: header. Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- name: to
type: keyword
description: >
Contents of the To: header.
- name: path
type: keyword
description: >
The client message transmission path, as extracted from the headers.
- name: body_length
type: long
description: >
Contents of the Content-Length: header from the client.
- name: response
type: group
fields:
- name: from
type: keyword
description: >
Contents of the response From: header. Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- name: to
type: keyword
description: >
Contents of the response To: header.
- name: path
type: keyword
description: >
The server message transmission path, as extracted from the headers.
- name: body_length
type: long
description: >
Contents of the Content-Length: header from the server.
- name: reply_to
type: keyword
description: >
Contents of the Reply-To: header.
- name: call_id
type: keyword
description: >
Contents of the Call-ID: header from the client.
- name: subject
type: keyword
description: >
Contents of the Subject: header from the client.
- name: user_agent
type: keyword
description: >
Contents of the User-Agent: header from the client.
- name: status
type: group
fields:
- name: code
type: integer
description: >
Status code returned by the server.
- name: msg
type: keyword
description: >
Status message returned by the server.
- name: warning
type: keyword
description: >
Contents of the Warning: header.
- name: content_type
type: keyword
description: >
Contents of the Content-Type: header from the server.
- name: smb_cmd
type: group
description: >
Fields exported by the Zeek smb_cmd log.
fields:
- name: command
type: keyword
description: |
The command sent by the client.
- name: sub_command
type: keyword
description: |
The subcommand sent by the client, if present.
- name: argument
type: keyword
description: |
Command argument sent by the client, if any.
- name: status
type: keyword
description: |
Server reply to the client's command.
- name: rtt
type: double
description: |
Round trip time from the request to the response.
- name: version
type: keyword
description: |
Version of SMB for the command.
- name: username
type: keyword
description: |
Authenticated username, if available.
- name: tree
type: keyword
description: |
If this is related to a tree, this is the tree that was used for the current command.
- name: tree_service
type: keyword
description: |
The type of tree (disk share, printer share, named pipe, etc.).
- name: file
type: group
description: |
If the command referenced a file, store it here.
fields:
- name: name
type: keyword
description: |
Filename if one was seen.
- name: action
type: keyword
description: |
Action this log record represents.
- name: uid
type: keyword
description: |
UID of the referenced file.
- name: host
type: group
fields:
- name: tx
type: ip
description: |
Address of the transmitting host.
- name: rx
type: ip
description: |
Address of the receiving host.
- name: smb1_offered_dialects
type: keyword
description: |
Present if base/protocols/smb/smb1-main.bro is loaded.
Dialects offered by the client.
- name: smb2_offered_dialects
type: integer
description: |
Present if base/protocols/smb/smb2-main.bro is loaded.
Dialects offered by the client.
- name: smb_files
type: group
description: >
Fields exported by the Zeek SMB Files log.
fields:
- name: action
type: keyword
description: >
Action this log record represents.
- name: fid
type: integer
description: >
ID referencing this file.
- name: name
type: keyword
description: >
Filename if one was seen.
- name: path
type: keyword
description: >
Path pulled from the tree this file was transferred to or from.
- name: previous_name
type: keyword
description: >
If the rename action was seen, this will be the file's previous name.
- name: size
type: long
description: >
Byte size of the file.
- name: times
type: group
description: >
Timestamps of the file.
fields:
- name: accessed
type: date
description: >
The file's access time.
- name: changed
type: date
description: >
The file's change time.
- name: created
type: date
description: >
The file's create time.
- name: modified
type: date
description: >
The file's modify time.
- name: uuid
type: keyword
description: >
UUID referencing this file if DCE/RPC.
- name: smb_mapping
type: group
description: >
Fields exported by the Zeek SMB_Mapping log.
fields:
- name: path
type: keyword
description: >
Name of the tree path.
- name: service
type: keyword
description: >
The type of resource of the tree (disk share, printer share, named pipe, etc.).
- name: native_file_system
type: keyword
description: >
File system of the tree.
- name: share_type
type: keyword
description: |
If this is SMB2, a share type will be included. For SMB1, the type of share
will be deduced and included as well.
- name: smtp
type: group
description: >
Fields exported by the Zeek SMTP log.
fields:
- name: transaction_depth
type: integer
description: >
A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
- name: helo
type: keyword
description: >
Contents of the Helo header.
- name: mail_from
type: keyword
description: >
Email addresses found in the MAIL FROM header.
- name: rcpt_to
type: keyword
description: >
Email addresses found in the RCPT TO header.
- name: date
type: date
description: >
Contents of the Date header.
- name: from
type: keyword
description: >
Contents of the From header.
- name: to
type: keyword
description: >
Contents of the To header.
- name: cc
type: keyword
description: >
Contents of the CC header.
- name: reply_to
type: keyword
description: >
Contents of the ReplyTo header.
- name: msg_id
type: keyword
description: >
Contents of the MsgID header.
- name: in_reply_to
type: keyword
description: >
Contents of the In-Reply-To header.
- name: subject
type: keyword
description: >
Contents of the Subject header.
- name: x_originating_ip
type: keyword
description: >
Contents of the X-Originating-IP header.
- name: first_received
type: keyword
description: |
Contents of the first Received header.
- name: second_received
type: keyword
description: |
Contents of the second Received header.
- name: last_reply
type: keyword
description: |
The last message that the server sent to the client.
- name: path
type: ip
description: |
The message transmission path, as extracted from the headers.
- name: user_agent
type: keyword
description: |
Value of the User-Agent header from the client.
- name: tls
type: boolean
description: |
Indicates that the connection has switched to using TLS.
- name: process_received_from
type: boolean
description: |
Indicates if the "Received: from" headers should still be processed.
- name: has_client_activity
type: boolean
description: |
Indicates if client activity has been seen, but not yet logged.
- name: fuids
type: keyword
description: |
(present if base/protocols/smtp/files.bro is loaded)
An ordered vector of file unique IDs seen attached to the message.
- name: is_webmail
type: boolean
description: |
Indicates if the message was sent through a webmail interface.
- name: snmp
type: group
description: >
Fields exported by the Zeek SNMP log.
fields:
- name: duration
type: double
description: >
The amount of time between the first packet belonging to the SNMP session and the latest one seen.
- name: version
type: keyword
description: >
The version of SNMP being used.
- name: community
type: keyword
description: >
The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
- name: get
type: group
fields:
- name: requests
type: integer
description: >
The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
- name: bulk_requests
type: integer
description: >
The number of variable bindings in GetBulkRequest PDUs seen for the session.
- name: responses
type: integer
description: >
The number of variable bindings in GetResponse/Response PDUs seen for the session.
- name: set
type: group
fields:
- name: requests
type: integer
description: >
The number of variable bindings in SetRequest PDUs seen for the session.
- name: display_string
type: keyword
description: >
A system description of the SNMP responder endpoint.
- name: up_since
type: date
description: >
The time since which the SNMP responder endpoint claims it has been up.
- name: socks
type: group
description: >
Fields exported by the Zeek SOCKS log.
fields:
- name: version
type: integer
description: |
Protocol version of SOCKS.
- name: user
type: keyword
description: |
Username used to request a login to the proxy.
- name: password
type: keyword
description: |
Password used to request a login to the proxy.
- name: status
type: keyword
description: |
Server status for the attempt at using the proxy.
- name: request
type: group
fields:
- name: host
type: keyword
description: |
Client requested SOCKS address. Could be an address, a name or both.
- name: port
type: integer
description: |
Client requested port.
- name: bound
type: group
fields:
- name: host
type: keyword
description: |
Server bound address. Could be an address, a name or both.
- name: port
type: integer
description: |
Server bound port.
- name: capture_password
type: boolean
description: |
Determines if the password will be captured for this request.
- name: ssh
type: group
description: >
Fields exported by the Zeek SSH log.
fields:
- name: client
type: keyword
description: >
The client's version string.
- name: direction
type: keyword
description: |
Direction of the connection. If the client was a local host logging into
an external host, this would be OUTBOUND. INBOUND would be set for the
opposite situation.
- name: host_key
type: keyword
description: >
The server's key thumbprint.
- name: server
type: keyword
description: >
The server's version string.
- name: version
type: integer
description: >
SSH major version (1 or 2).
- name: algorithm
type: group
description: >
Cipher algorithms used in this session.
fields:
- name: cipher
type: keyword
description: >
The encryption algorithm in use.
- name: compression
type: keyword
description: >
The compression algorithm in use.
- name: host_key
type: keyword
description: >
The server host key's algorithm.
- name: key_exchange
type: keyword
description: >
The key exchange algorithm in use.
- name: mac
type: keyword
description: >
The signing (MAC) algorithm in use.
- name: auth
type: group
fields:
- name: attempts
type: integer
description: |
The number of authentication attempts we observed. There's always at
least one, since some servers might support no authentication at all.
It's important to note that not all of these are failures, since some
servers require two-factor auth (e.g. password AND pubkey).
- name: success
type: boolean
description: >
Authentication result.
- name: ssl
type: group
description: >
Fields exported by the Zeek SSL log.
fields:
- name: version
type: keyword
description: >
SSL/TLS version that was logged.
- name: cipher
type: keyword
description: >
SSL/TLS cipher suite that was logged.
- name: curve
type: keyword
description: >
Elliptic curve that was logged when using ECDH/ECDHE.
- name: resumed
type: boolean
description: |
Flag to indicate if the session was resumed reusing the key material exchanged in an
earlier connection.
- name: next_protocol
type: keyword
description: >
Next protocol the server chose using the application layer next protocol extension.
- name: established
type: boolean
description: >
Flag to indicate if this SSL session has been established successfully.
- name: validation
type: group
fields:
- name: status
type: keyword
description: >
Result of certificate validation for this connection.
- name: code
type: keyword
description: >
Result of certificate validation for this connection, given as OpenSSL validation code.
- name: last_alert
type: keyword
description: >
Last alert that was seen during the connection.
- name: server
type: group
fields:
- name: name
type: keyword
description: |
Value of the Server Name Indicator SSL/TLS extension. It indicates the server name
that the client was requesting.
- name: cert_chain
type: keyword
description: >
Chain of certificates offered by the server to validate its complete signing chain.
- name: cert_chain_fuids
type: keyword
description: >
An ordered vector of certificate file identifiers for the certificates offered by the server.
- name: issuer
type: group
description: >
Subject of the signer of the X.509 certificate offered by the server.
fields:
- name: common_name
type: keyword
description: >
Common name of the signer of the X.509 certificate offered by the server.
- name: country
type: keyword
description: >
Country code of the signer of the X.509 certificate offered by the server.
- name: locality
type: keyword
description: >
Locality of the signer of the X.509 certificate offered by the server.
- name: organization
type: keyword
description: >
Organization of the signer of the X.509 certificate offered by the server.
- name: organizational_unit
type: keyword
description: >
Organizational unit of the signer of the X.509 certificate offered by the server.
- name: state
type: keyword
description: >
State or province name of the signer of the X.509 certificate offered by the server.
- name: subject
type: group
description: >
Subject of the X.509 certificate offered by the server.
fields:
- name: common_name
type: keyword
description: >
Common name of the X.509 certificate offered by the server.
- name: country
type: keyword
description: >
Country code of the X.509 certificate offered by the server.
- name: locality
type: keyword
description: >
Locality of the X.509 certificate offered by the server.
- name: organization
type: keyword
description: >
Organization of the X.509 certificate offered by the server.
- name: organizational_unit
type: keyword
description: >
Organizational unit of the X.509 certificate offered by the server.
- name: state
type: keyword
description: >
State or province name of the X.509 certificate offered by the server.
- name: client
type: group
fields:
- name: cert_chain
type: keyword
description: >
Chain of certificates offered by the client to validate its complete signing chain.
- name: cert_chain_fuids
type: keyword
description: >
An ordered vector of certificate file identifiers for the certificates offered by the client.
- name: issuer
type: group
description: >
Subject of the signer of the X.509 certificate offered by the client.
fields:
- name: common_name
type: keyword
description: >
Common name of the signer of the X.509 certificate offered by the client.
- name: country
type: keyword
description: >
Country code of the signer of the X.509 certificate offered by the client.
- name: locality
type: keyword
description: >
Locality of the signer of the X.509 certificate offered by the client.
- name: organization
type: keyword
description: >
Organization of the signer of the X.509 certificate offered by the client.
- name: organizational_unit
type: keyword
description: >
Organizational unit of the signer of the X.509 certificate offered by the client.
- name: state
type: keyword
description: >
State or province name of the signer of the X.509 certificate offered by the client.
- name: subject
type: group
description: >
Subject of the X.509 certificate offered by the client.
fields:
- name: common_name
type: keyword
description: >
Common name of the X.509 certificate offered by the client.
- name: country
type: keyword
description: >
Country code of the X.509 certificate offered by the client.
- name: locality
type: keyword
description: >
Locality of the X.509 certificate offered by the client.
- name: organization
type: keyword
description: >
Organization of the X.509 certificate offered by the client.
- name: organizational_unit
type: keyword
description: >
Organizational unit of the X.509 certificate offered by the client.
- name: state
type: keyword
description: >
State or province name of the X.509 certificate offered by the client.
- name: stats
type: group
description: >
Fields exported by the Zeek stats log.
fields:
- name: peer
type: keyword
description: |
Peer that generated this log. Mostly for clusters.
- name: memory
type: integer
description: |
Amount of memory currently in use in MB.
- name: packets
type: group
fields:
- name: processed
type: long
description: |
Number of packets processed since the last stats interval.
- name: dropped
type: long
description: |
Number of packets dropped since the last stats interval if reading live traffic.
- name: received
type: long
description: |
Number of packets seen on the link since the last stats interval if reading live traffic.
- name: bytes
type: group
fields:
- name: received
type: long
description: |
Number of bytes received since the last stats interval if reading live traffic.
- name: connections
type: group
fields:
- name: tcp
type: group
fields:
- name: active
type: integer
description: |
TCP connections currently in memory.
- name: count
type: integer
description: |
TCP connections seen since last stats interval.
- name: udp
type: group
fields:
- name: active
type: integer
description: |
UDP connections currently in memory.
- name: count
type: integer
description: |
UDP connections seen since last stats interval.
- name: icmp
type: group
fields:
- name: active
type: integer
description: |
ICMP connections currently in memory.
- name: count
type: integer
description: |
ICMP connections seen since last stats interval.
- name: events
type: group
fields:
- name: processed
type: integer
description: |
Number of events processed since the last stats interval.
- name: queued
type: integer
description: |
Number of events that have been queued since the last stats interval.
- name: timers
type: group
fields:
- name: count
type: integer
description: |
Number of timers scheduled since last stats interval.
- name: active
type: integer
description: |
Current number of scheduled timers.
- name: files
type: group
fields:
- name: count
type: integer
description: |
Number of files seen since last stats interval.
- name: active
type: integer
description: |
Current number of files actively being seen.
- name: dns_requests
type: group
fields:
- name: count
type: integer
description: |
Number of DNS requests seen since last stats interval.
- name: active
type: integer
description: |
Current number of DNS requests awaiting a reply.
- name: reassembly_size
type: group
fields:
- name: tcp
type: integer
description: |
Current size of TCP data in reassembly.
- name: file
type: integer
description: |
Current size of File data in reassembly.
- name: frag
type: integer
description: |
Current size of packet fragment data in reassembly.
- name: unknown
type: integer
description: |
Current size of unknown data in reassembly (currently only the PIA buffer).
- name: timestamp_lag
type: integer
description: |
Lag between the wall clock and packet timestamps if reading live traffic.
- name: syslog
type: group
description: >
Fields exported by the Zeek syslog log.
fields:
- name: facility
type: keyword
description: >
Syslog facility for the message.
- name: severity
type: keyword
description: >
Syslog severity for the message.
- name: message
type: keyword
description: >
The plain text message.
- name: tunnel
type: group
description: >
Fields exported by the Zeek Tunnel log.
fields:
- name: type
type: keyword
description: >
The type of tunnel.
- name: action
type: keyword
description: >
The type of activity that occurred.
- name: weird
type: group
description: >
Fields exported by the Zeek Weird log.
fields:
- name: name
type: keyword
description: |
The name of the weird that occurred.
- name: additional_info
type: keyword
description: |
Additional information accompanying the weird if any.
- name: notice
type: boolean
description: |
Indicate if this weird was also turned into a notice.
- name: peer
type: keyword
description: |
The peer that originated this weird. This is helpful in cluster deployments to identify which cluster node is having trouble.
- name: identifier
type: keyword
description: |
This field is to be provided when a weird is generated, for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to decide when a weird is conceptually a duplicate of a previous weird.
- name: x509
type: group
description: >
Fields exported by the Zeek x509 log.
fields:
- name: id
type: keyword
description: >
File id of this certificate.
- name: certificate
type: group
description: >
Basic information about the certificate.
fields:
- name: version
type: integer
description: >
Version number.
- name: serial
type: keyword
description: >
Serial number.
- name: subject
type: group
description: >
Subject.
fields:
- name: country
type: keyword
description: >
Country provided in the certificate subject.
- name: common_name
type: keyword
description: >
Common name provided in the certificate subject.
- name: locality
type: keyword
description: >
Locality provided in the certificate subject.
- name: organization
type: keyword
description: >
Organization provided in the certificate subject.
- name: organizational_unit
type: keyword
description: >
Organizational unit provided in the certificate subject.
- name: state
type: keyword
description: >
State or province provided in the certificate subject.
- name: issuer
type: group
description: >
Issuer.
fields:
- name: country
type: keyword
description: >
Country provided in the certificate issuer field.
- name: common_name
type: keyword
description: >
Common name provided in the certificate issuer field.
- name: locality
type: keyword
description: >
Locality provided in the certificate issuer field.
- name: organization
type: keyword
description: >
Organization provided in the certificate issuer field.
- name: organizational_unit
type: keyword
description: >
Organizational unit provided in the certificate issuer field.
- name: state
type: keyword
description: >
State or province provided in the certificate issuer field.
- name: common_name
type: keyword
description: >
Last (most specific) common name.
- name: valid
type: group
description: >
Certificate validity timestamps
fields:
- name: from
type: date
description: >
Timestamp before which the certificate is not valid.
- name: until
type: date
description: >
Timestamp after which the certificate is not valid.
- name: key
type: group
fields:
- name: algorithm
type: keyword
description: >
Name of the key algorithm.
- name: type
type: keyword
description: >
Key type, if the key is parseable by OpenSSL (either rsa, dsa or ec).
- name: length
type: integer
description: >
Key length in bits.
- name: signature_algorithm
type: keyword
description: >
Name of the signature algorithm.
- name: exponent
type: keyword
description: >
Exponent, if this is an RSA certificate.
- name: curve
type: keyword
description: >
Curve, if this is an EC certificate.
- name: san
type: group
description: >
Subject alternative name extension of the certificate.
fields:
- name: dns
type: keyword
description: >
List of DNS entries in SAN.
- name: uri
type: keyword
description: >
List of URI entries in SAN.
- name: email
type: keyword
description: >
List of email entries in SAN.
- name: ip
type: ip
description: >
List of IP entries in SAN.
- name: other_fields
type: boolean
description: >
True if the certificate contained other name fields that were not recognized or parsed.
- name: basic_constraints
type: group
description: >
Basic constraints extension of the certificate.
fields:
- name: certificate_authority
type: boolean
description: >
CA flag set or not.
- name: path_length
type: integer
description: >
Maximum path length.
- name: log_cert
type: boolean
description: |
Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded.
Logging of the certificate is suppressed if set to F.
- key: zookeeper
title: "ZooKeeper"
release: beta
description: >
ZooKeeper Module
fields:
- name: zookeeper
type: group
description: >
fields:
- name: audit
type: group
description: >
ZooKeeper Audit logs.
release: beta
fields:
- name: session
type: keyword
description: >
Client session id
- name: znode
type: keyword
description: >
Path of the znode
- name: znode_type
type: keyword
description: >
Type of znode in case of creation operation
- name: acl
type: keyword
description: >
String representation of the znode ACL, like cdrwa (create, delete, read, write, admin). This is logged only for the setAcl operation.
- name: result
type: keyword
description: >
Result of the operation. Possible values are success, failure or invoked. The result "invoked" is used for the serverStop operation, because the stop is logged before ensuring that the server actually stopped.
- name: user
type: keyword
description: >
Comma-separated list of users who are associated with a client session.
- name: log
type: group
description: >
ZooKeeper logs.
release: beta
fields:
- key: zoom
title: Zoom
description: >
Module for handling incoming Zoom webhook requests
fields:
- name: zoom
type: group
release: ga
description: >
Module for parsing Zoom API Webhooks.
fields:
- name: master_account_id
type: keyword
description: >
Master Account related to a specific Sub Account
- name: sub_account_id
type: keyword
description: >
Related Sub Account
- name: operator_id
type: keyword
description: >
UserID that triggered the event
- name: operator
type: keyword
description: >
Username/Email related to the user that triggered the event
- name: account_id
type: keyword
description: >
Related accountID to the event
- name: timestamp
type: date
description: >
Timestamp related to the event
- name: creation_type
type: keyword
description: >
Creation type
- name: account.owner_id
type: keyword
description: >
UserID of the user whose sub account was created/disassociated
- name: account.email
type: keyword
description: >
Email related to the user the action was performed on
- name: account.owner_email
type: keyword
description: >
Email of the user whose sub account was created/disassociated
- name: account.account_name
type: keyword
description: >
When an account name is updated, this is the new value set
- name: account.account_alias
type: keyword
description: >
When an account alias is updated, this is the new value set
- name: account.account_support_name
type: keyword
description: >
When an account support_name is updated, this is the new value set
- name: account.account_support_email
type: keyword
description: >
When an account support_email is updated, this is the new value set
- name: chat_channel.name
type: keyword
description: >
The name of the channel that has been added/modified/deleted
- name: chat_channel.id
type: keyword
description: >
The ID of the channel that has been added/modified/deleted
- name: chat_channel.type
type: keyword
description: >
Type of channel related to the event. Can be 1 (Invite-Only), 2 (Private) or 3 (Public).
- name: chat_message.id
type: keyword
description: >
Unique ID of the related chat message
- name: chat_message.type
type: keyword
description: >
Type of message, can be either "to_contact" or "to_channel"
- name: chat_message.session_id
type: keyword
description: >
SessionID for the channel related to the message
- name: chat_message.contact_email
type: keyword
description: >
Email address related to the user sending the message
- name: chat_message.contact_id
type: keyword
description: >
UserID belonging to the user receiving a message
- name: chat_message.channel_id
type: keyword
description: >
ChannelID related to the message
- name: chat_message.channel_name
type: keyword
description: >
Channel name related to the message
- name: chat_message.message
type: keyword
description: >
A string containing the full message that was sent
- name: meeting.id
type: keyword
description: >
Unique ID of the related meeting
- name: meeting.uuid
type: keyword
description: >
The UUID of the related meeting
- name: meeting.host_id
type: keyword
description: >
The UserID of the configured meeting host
- name: meeting.topic
type: keyword
description: >
Topic of the related meeting
- name: meeting.type
type: keyword
description: >
Type of meeting created
- name: meeting.start_time
type: date
description: >
Date and time the meeting started
- name: meeting.timezone
type: keyword
description: >
Which timezone is used for the meeting timestamps
- name: meeting.duration
type: long
description: >
The duration of a meeting in minutes
- name: meeting.issues
type: keyword
description: >
When a user reports an issue with the meeting, for example: "Unstable audio quality"
- name: meeting.password
type: keyword
description: >
Password related to the meeting
- name: phone.id
type: keyword
description: >
Unique ID for the phone or conversation
- name: phone.user_id
type: keyword
description: >
UserID for the phone owner related to a Call Log being completed
- name: phone.download_url
type: keyword
description: >
Download URL for the voicemail
- name: phone.ringing_start_time
type: date
description: >
The timestamp when a ringtone was established to the callee
- name: phone.connected_start_time
type: date
description: >
The date and time when the call connection was established
- name: phone.answer_start_time
type: date
description: >
The date and time when the call was answered
- name: phone.call_end_time
type: date
description: >
The date and time when the call ended
- name: phone.call_id
type: keyword
description: >
Unique ID of the related call
- name: phone.duration
type: long
description: >
Duration of a voicemail in minutes
- name: phone.caller.id
type: keyword
description: >
UserID of the caller related to the voicemail/call
- name: phone.caller.user_id
type: keyword
description: >
UserID of the person which initiated the call
- name: phone.caller.number_type
type: keyword
description: >
The type of number, can be 1(Internal) or 2(External)
- name: phone.caller.name
type: keyword
description: >
The name of the caller related to the call
- name: phone.caller.phone_number
type: keyword
description: >
Phone Number of the caller related to the call
- name: phone.caller.extension_type
type: keyword
description: >
Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup
- name: phone.caller.extension_number
type: keyword
description: >
Extension number of the caller
- name: phone.caller.timezone
type: keyword
description: >
Timezone of the caller
- name: phone.caller.device_type
type: keyword
description: >
Device type used by the caller
- name: phone.callee.id
type: keyword
description: >
UserID of the callee related to the voicemail/call
- name: phone.callee.user_id
type: keyword
description: >
UserID of the related callee of a voicemail/call
- name: phone.callee.name
type: keyword
description: >
The name of the related callee
- name: phone.callee.number_type
type: keyword
description: >
The type of number, can be 1(Internal) or 2(External)
- name: phone.callee.phone_number
type: keyword
description: >
Phone Number of the callee related to the call
- name: phone.callee.extension_type
type: keyword
description: >
Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup
- name: phone.callee.extension_number
type: keyword
description: >
Extension number of the callee related to the call
- name: phone.callee.timezone
type: keyword
description: >
Timezone of the callee related to the call
- name: phone.callee.device_type
type: keyword
description: >
Device type used by the callee related to the call
- name: phone.date_time
type: date
description: >
Date and time of the related phone event
- name: recording.id
type: keyword
description: >
Unique ID of the related recording
- name: recording.uuid
type: keyword
description: >
UUID of the related recording
- name: recording.host_id
type: keyword
description: >
UserID of the host of the meeting that was recorded
- name: recording.topic
type: keyword
description: >
Topic of the meeting related to the recording
- name: recording.type
type: keyword
description: >
Type of recording. Several values are possible; see the Zoom documentation
- name: recording.start_time
type: date
description: >
The date and time when the recording started
- name: recording.timezone
type: keyword
description: >
The timezone used for the recording date
- name: recording.duration
type: long
description: >
Duration of the recording in minutes
- name: recording.share_url
type: keyword
description: >
The URL to access the recording
- name: recording.total_size
type: long
description: >
Total size of the recording in bytes
- name: recording.recording_count
type: long
description: >
Number of recording files related to the recording
- name: recording.recording_file.recording_start
type: date
description: >
The date and time the recording started
- name: recording.recording_file.recording_end
type: date
description: >
The date and time the recording finished
- name: recording.host_email
type: keyword
description: >
Email address of the host related to the meeting that was recorded
- name: user.id
type: keyword
description: >
UserID related to the user event
- name: user.first_name
type: keyword
description: >
User first name related to the user event
- name: user.last_name
type: keyword
description: >
User last name related to the user event
- name: user.email
type: keyword
description: >
User email related to the user event
- name: user.type
type: keyword
description: >
User type related to the user event
- name: user.phone_number
type: keyword
description: >
User phone number related to the user event
- name: user.phone_country
type: keyword
description: >
User country code related to the user event
- name: user.company
type: keyword
description: >
User company related to the user event
- name: user.pmi
type: keyword
description: >
User personal meeting ID related to the user event
- name: user.use_pmi
type: boolean
description: >
If a user has PMI enabled
- name: user.pic_url
type: keyword
description: >
Full URL to the profile picture used by the user
- name: user.vanity_name
type: keyword
description: >
Name of the personal meeting room related to the user event
- name: user.timezone
type: keyword
description: >
Timezone configured for the user
- name: user.language
type: keyword
description: >
Language configured for the user
- name: user.host_key
type: keyword
description: >
Host key set for the user. This is a credential (it lets its holder claim host controls in a meeting): restrict read access to the index or drop the field in the ingest pipeline
- name: user.role
type: keyword
description: >
The configured role for the user
- name: user.dept
type: keyword
description: >
The configured department for the user
- name: user.presence_status
type: keyword
description: >
Current presence status of user
- name: user.personal_notes
type: keyword
description: >
Personal notes for the User
- name: user.client_type
type: keyword
description: >
Type of client used by the user. Can be browser, mac, win, iphone or android
- name: user.version
type: keyword
description: >
Version of the client used by the user
- name: webinar.id
type: keyword
description: >
Unique ID for the related webinar
- name: webinar.join_url
type: keyword
description: >
The URL configured to join the webinar
- name: webinar.uuid
type: keyword
description: >
UUID for the related webinar
- name: webinar.host_id
type: keyword
description: >
UserID for the configured host of the webinar
- name: webinar.topic
type: keyword
description: >
Meeting topic of the related webinar
- name: webinar.type
type: keyword
description: >
Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time)
- name: webinar.start_time
type: date
description: >
The date and time when the webinar started
- name: webinar.timezone
type: keyword
description: >
Timezone used for the dates related to the webinar
- name: webinar.duration
type: long
description: >
Duration of the webinar in minutes
- name: webinar.agenda
type: keyword
description: >
The configured agenda of the webinar
- name: webinar.password
type: keyword
description: >
Password (passcode) configured to access the webinar. This is a credential: restrict read access to the index or drop the field in the ingest pipeline
- name: webinar.issues
type: keyword
description: >
Any issues reported about the webinar
- name: zoomroom.id
type: keyword
description: >
Unique ID of the Zoom room
- name: zoomroom.room_name
type: keyword
description: >
The configured name of the Zoom room
- name: zoomroom.calendar_name
type: keyword
description: >
Calendar name of the Zoom room
- name: zoomroom.calendar_id
type: keyword
description: >
Unique ID of the calendar used by the Zoom room
- name: zoomroom.event_id
type: keyword
description: >
Unique ID of the calendar event associated with the Zoom Room
- name: zoomroom.change_key
type: keyword
description: >
Key used by Microsoft products integration that represents a specific version of a calendar
- name: zoomroom.resource_email
type: keyword
description: >
Email address associated with the calendar in use by the Zoom room
- name: zoomroom.email
type: keyword
description: >
Email address associated with the Zoom room itself
- name: zoomroom.issue
type: keyword
description: >
Any reported alerts or issues related to the Zoom room or its equipment
- name: zoomroom.alert_type
type: keyword
description: >
An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation
- name: zoomroom.component
type: keyword
description: >
An integer value representing the type of equipment or component. The list of component types can be found in the Zoom documentation
- name: zoomroom.alert_kind
type: keyword
description: >
An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared)
- name: registrant.id
type: keyword
description: >
Unique ID of the user registering to a meeting or webinar
- name: registrant.status
type: keyword
description: >
Status of the specific user registration
- name: registrant.email
type: keyword
description: >
Email of the user registering to a meeting or webinar
- name: registrant.first_name
type: keyword
description: >
First name of the user registering to a meeting or webinar
- name: registrant.last_name
type: keyword
description: >
Last name of the user registering to a meeting or webinar
- name: registrant.address
type: keyword
description: >
Address of the user registering to a meeting or webinar
- name: registrant.city
type: keyword
description: >
City of the user registering to a meeting or webinar
- name: registrant.country
type: keyword
description: >
Country of the user registering to a meeting or webinar
- name: registrant.zip
type: keyword
description: >
Zip code of the user registering to a meeting or webinar
- name: registrant.state
type: keyword
description: >
State of the user registering to a meeting or webinar
- name: registrant.phone
type: keyword
description: >
Phone number of the user registering to a meeting or webinar
- name: registrant.industry
type: keyword
description: >
Related industry of the user registering to a meeting or webinar
- name: registrant.org
type: keyword
description: >
Organization related to the user registering to a meeting or webinar
- name: registrant.job_title
type: keyword
description: >
Job title of the user registering to a meeting or webinar
- name: registrant.purchasing_time_frame
type: keyword
description: >
Chosen purchase timeframe of the user registering to a meeting or webinar
- name: registrant.role_in_purchase_process
type: keyword
description: >
Chosen role in a purchase process related to the user registering to a meeting or webinar
- name: registrant.no_of_employees
type: keyword
description: >
Number of employees chosen by the user registering to a meeting or webinar
- name: registrant.comments
type: keyword
description: >
Comments left by the user registering to a meeting or webinar
- name: registrant.join_url
type: keyword
description: >
The URL that the registrant can use to join the webinar
- name: participant.id
type: keyword
description: >
Unique ID of the participant related to a meeting
- name: participant.user_id
type: keyword
description: >
UserID of the participant related to a meeting
- name: participant.user_name
type: keyword
description: >
Username of the participant related to a meeting
- name: participant.join_time
type: date
description: >
The date and time a participant joined a meeting
- name: participant.leave_time
type: date
description: >
The date and time a participant left a meeting
- name: participant.sharing_details.link_source
type: keyword
description: >
Method of sharing with dropbox integration
- name: participant.sharing_details.content
type: keyword
description: >
Type of content that was shared
- name: participant.sharing_details.file_link
type: keyword
description: >
The file link that was shared
- name: participant.sharing_details.date_time
type: keyword
description: >
Timestamp the sharing started (stored as a keyword string, not a date, so it cannot be used in date range queries)
- name: participant.sharing_details.source
type: keyword
description: >
The file source that was shared
- name: old_values
type: flattened
description: >
Includes the old values when updating a object like user, meeting, account or webinar
- name: settings
type: flattened
description: >
The current active settings related to a object like user, meeting, account or webinar
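# Added example (not part of the generated fields.yml, nor Filebeat's own code): an audit
# script for a fields.yml tree. It walks nested `type: group` entries to build dotted field
# paths, flags credential-bearing fields such as meeting.password, webinar.password and
# user.host_key so they can be dropped or access-restricted, and reports a path that a later
# `key` redefines without `overwrite: true` or with a different type. The input is a
# constructed sample in the shape yaml.safe_load() would return for this file (shown as Python
# data so the script needs no third-party YAML library); the SENSITIVE_TOKENS list and the
# assumption that a dotted fields.yml path equals the indexed document path are the author's.

```python
"""Audit a Filebeat fields.yml tree for credential fields and unguarded redefinitions."""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample, shaped like the zoom and zscaler/rsa sections of fields.yml.
# In real use: SAMPLE_FIELDS_YML = yaml.safe_load(open("fields.yml"))
SAMPLE_FIELDS_YML: List[Dict[str, Any]] = [
    {"key": "zoom", "title": "Zoom", "fields": [
        {"name": "meeting.id", "type": "keyword"},
        {"name": "meeting.password", "type": "keyword",
         "description": "Password related to the meeting"},
        {"name": "user.host_key", "type": "keyword",
         "description": "Host key set for the user"},
        {"name": "rsa", "type": "group", "fields": [
            {"name": "internal", "type": "group", "fields": [
                {"name": "msg", "type": "keyword"},
                {"name": "level", "type": "long"},
            ]},
        ]},
    ]},
    {"key": "zscaler", "title": "Zscaler NSS", "fields": [
        {"name": "network.interface.name", "overwrite": True, "type": "keyword"},
        {"name": "rsa", "overwrite": True, "type": "group", "fields": [
            {"name": "internal", "overwrite": True, "type": "group", "fields": [
                {"name": "msg", "overwrite": True, "type": "keyword"},
                # Constructed defect: redefined without overwrite, and the type changed.
                {"name": "level", "type": "keyword"},
            ]},
        ]},
    ]},
]

# Name fragments treated as credential-bearing (assumption; extend to taste).
SENSITIVE_TOKENS = ("password", "passwd", "secret", "token", "host_key", "api_key")


def walk_fields(fields: List[Dict[str, Any]], prefix: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (dotted_path, field) for every entry, recursing into groups depth-first."""
    for field in fields:
        name = field.get("name", "")
        path = f"{prefix}.{name}" if prefix and name else (name or prefix)
        yield path, field
        if field.get("type") == "group" or "fields" in field:
            yield from walk_fields(field.get("fields", []), path)


def find_sensitive_fields(doc: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (key, path, type) for leaf fields whose last path segment names a credential."""
    found = []
    for entry in doc:
        for path, field in walk_fields(entry.get("fields", [])):
            leaf = path.rsplit(".", 1)[-1].lower()
            if field.get("type") != "group" and any(tok in leaf for tok in SENSITIVE_TOKENS):
                found.append((entry["key"], path, field.get("type", "keyword")))
    return found


def find_unguarded_redefinitions(doc: List[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """Return (path, first_key, later_key, problem) where a later key redefines a path
    without `overwrite: true`, or with a different type than the first definition."""
    seen: Dict[str, Tuple[str, str]] = {}
    problems = []
    for entry in doc:
        for path, field in walk_fields(entry.get("fields", [])):
            ftype = field.get("type", "keyword")
            if path not in seen:
                seen[path] = (entry["key"], ftype)
                continue
            first_key, first_type = seen[path]
            if not field.get("overwrite"):
                problems.append((path, first_key, entry["key"], "missing overwrite"))
            if first_type != ftype:
                problems.append((path, first_key, entry["key"], f"type {first_type} -> {ftype}"))
    return problems


def remove_processors(sensitive: List[Tuple[str, str, str]]) -> List[Dict[str, Any]]:
    """Build Elasticsearch ingest `remove` processors that drop the flagged fields.
    Assumes the dotted fields.yml path is the document path (true for groups such as rsa.*)."""
    return [{"remove": {"field": path, "ignore_missing": True}} for _, path, _ in sensitive]


if __name__ == "__main__":
    for key, path, ftype in find_sensitive_fields(SAMPLE_FIELDS_YML):
        print(f"credential field: {key}:{path} ({ftype})")
    for path, first, later, problem in find_unguarded_redefinitions(SAMPLE_FIELDS_YML):
        print(f"redefinition: {path} first in {first}, again in {later}: {problem}")
    print(remove_processors(find_sensitive_fields(SAMPLE_FIELDS_YML)))
```

# The redefinition check mirrors the reason the zscaler section below marks every rsa.* entry
# with `overwrite: true`: the same rsa.* tree is declared by several modules, and a redefinition
# without that flag, or with a different type, is exactly what the audit reports.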
- key: zscaler
title: Zscaler NSS
description: >
Zscaler NSS fields.
fields:
- name: network.interface.name
overwrite: true
type: keyword
description: >
Name of the network interface where the traffic has been observed.
- name: rsa
overwrite: true
type: group
fields:
- name: internal
overwrite: true
type: group
fields:
- name: msg
overwrite: true
type: keyword
description: This key is used to capture the raw message that comes into the
Log Decoder
- name: messageid
overwrite: true
type: keyword
- name: event_desc
overwrite: true
type: keyword
- name: message
overwrite: true
type: keyword
description: This key captures the contents of instant messages
- name: time
overwrite: true
type: date
description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness.
- name: level
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: msg_id
overwrite: true
type: keyword
description: This is the Message ID1 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: msg_vid
overwrite: true
type: keyword
description: This is the Message ID2 value that identifies the exact log parser
definition which parses a particular log session. This key should never be
used to parse Meta data from a session (Logs/Packets) Directly, this is a
Reserved key in NetWitness
- name: data
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_server
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_val
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: resource
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: obj_id
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: statement
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: audit_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: entry
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: hcode
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: inode
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: resource_class
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: dead
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: feed_desc
overwrite: true
type: keyword
description: This is used to capture the description of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: feed_name
overwrite: true
type: keyword
description: This is used to capture the name of the feed. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: cid
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Concentrator.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_class
overwrite: true
type: keyword
description: This is the Classification of the Log Event Source under a predefined
fixed set of Event Source Classifications. This key should never be used to
parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
key in NetWitness
- name: device_group
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_host
overwrite: true
type: keyword
description: This is the Hostname of the log Event Source sending the logs to
NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ip
overwrite: true
type: ip
description: This is the IPv4 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_ipv6
overwrite: true
type: ip
description: This is the IPv6 address of the Log Event Source sending the logs
to NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: device_type
overwrite: true
type: keyword
description: This is the name of the log parser which parsed a given session.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: device_type_id
overwrite: true
type: long
description: Deprecated key defined only in table map.
- name: did
overwrite: true
type: keyword
description: This is the unique identifier used to identify a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: entropy_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: entropy_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the Meta Type can
be either UInt16 or Float32 based on the configuration
- name: event_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: feed_category
overwrite: true
type: keyword
description: This is used to capture the category of the feed. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: forward_ip
overwrite: true
type: ip
description: This key should be used to capture the IPV4 address of a relay
system which forwarded the events from the original system to NetWitness.
- name: forward_ipv6
overwrite: true
type: ip
description: This key is used to capture the IPV6 address of a relay system
which forwarded the events from the original system to NetWitness. This key
should never be used to parse Meta data from a session (Logs/Packets) Directly,
this is a Reserved key in NetWitness
- name: header_id
overwrite: true
type: keyword
description: This is the Header ID value that identifies the exact log parser
header definition that parses a particular log session. This key should never
be used to parse Meta data from a session (Logs/Packets) Directly, this is
a Reserved key in NetWitness
- name: lc_cid
overwrite: true
type: keyword
description: This is a unique Identifier of a Log Collector. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: lc_ctime
overwrite: true
type: date
description: This is the time at which a log is collected in a NetWitness Log
Collector. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: mcb_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
request is simply which byte for each side (0 thru 255) was seen the most
- name: mcb_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
response is simply which byte for each side (0 thru 255) was seen the most
- name: mcbc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: mcbc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the most common byte
count is the number of times the most common byte (above) was seen in the
session streams
- name: medium
overwrite: true
type: long
description: "This key is used to identify if it\u2019s a log/packet session\
\ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
\ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
\ 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: nwe_callback_id
overwrite: true
type: keyword
description: This key denotes that event is endpoint related
- name: parse_error
overwrite: true
type: keyword
description: This is a special key that stores any Meta key validation error
found while parsing a log session. This key should never be used to parse
Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
NetWitness
- name: payload_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: payload_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, the payload size metrics
are the payload sizes of each session side at the time of parsing. However,
in order to keep
- name: process_vid_dst
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the target process.
- name: process_vid_src
overwrite: true
type: keyword
description: Endpoint generates and uses a unique virtual ID to identify any
similar group of process. This ID represents the source process.
- name: rid
overwrite: true
type: long
description: This is a special ID of the Remote Session created by NetWitness
Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: session_split
overwrite: true
type: keyword
description: This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: site
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: size
overwrite: true
type: long
description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets)
Directly, this is a Reserved key in NetWitness
- name: sourcefile
overwrite: true
type: keyword
description: This is the name of the log file or PCAPs that can be imported
into NetWitness. This key should never be used to parse Meta data from a session
(Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: ubc_req
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: ubc_res
overwrite: true
type: long
description: This key is only used by the Entropy Parser, Unique byte count
is the number of unique bytes seen in each stream. 256 would mean all byte
values of 0 thru 255 were seen at least once
- name: word
overwrite: true
type: keyword
description: This is used by the Word Parsing technology to capture the first
5 character of every word in an unparsed log
- name: time
overwrite: true
type: group
fields:
- name: event_time
overwrite: true
type: date
description: This key is used to capture the time mentioned in a raw session
that represents the actual time an event occurred in a standard normalized
form
- name: duration_time
overwrite: true
type: double
description: This key is used to capture the normalized duration/lifetime in
seconds.
- name: event_time_str
overwrite: true
type: keyword
description: This key is used to capture the incomplete time mentioned in a
session as a string
- name: starttime
overwrite: true
type: date
description: This key is used to capture the Start time mentioned in a session
in a standard form
- name: month
overwrite: true
type: keyword
- name: day
overwrite: true
type: keyword
- name: endtime
overwrite: true
type: date
description: This key is used to capture the End time mentioned in a session
in a standard form
- name: timezone
overwrite: true
type: keyword
description: This key is used to capture the timezone of the Event Time
- name: duration_str
overwrite: true
type: keyword
description: A text string version of the duration
- name: date
overwrite: true
type: keyword
- name: year
overwrite: true
type: keyword
- name: recorded_time
overwrite: true
type: date
description: The event time as recorded by the system the event is collected
from. The usage scenario is a multi-tier application where the management
layer of the system records its own timestamp at the time of collection from
its child nodes. Must be in timestamp format.
- name: datetime
overwrite: true
type: keyword
- name: effective_time
overwrite: true
type: date
description: This key is the effective time referenced by an individual event
in a Standard Timestamp format
- name: expire_time
overwrite: true
type: date
description: This key is the timestamp that explicitly refers to an expiration.
- name: process_time
overwrite: true
type: keyword
description: Deprecated, use duration.time
- name: hour
overwrite: true
type: keyword
- name: min
overwrite: true
type: keyword
- name: timestamp
overwrite: true
type: keyword
- name: event_queue_time
overwrite: true
type: date
description: This key is the Time that the event was queued.
- name: p_time1
overwrite: true
type: keyword
- name: tzone
overwrite: true
type: keyword
- name: eventtime
overwrite: true
type: keyword
- name: gmtdate
overwrite: true
type: keyword
- name: gmttime
overwrite: true
type: keyword
- name: p_date
overwrite: true
type: keyword
- name: p_month
overwrite: true
type: keyword
- name: p_time
overwrite: true
type: keyword
- name: p_time2
overwrite: true
type: keyword
- name: p_year
overwrite: true
type: keyword
- name: expire_time_str
overwrite: true
type: keyword
description: This key is used to capture incomplete timestamp that explicitly
refers to an expiration.
- name: stamp
overwrite: true
type: date
description: Deprecated key defined only in table map.
- name: misc
overwrite: true
type: group
fields:
- name: action
overwrite: true
type: keyword
- name: result
overwrite: true
type: keyword
description: This key is used to capture the outcome/result string value of
an action in a session.
- name: severity
overwrite: true
type: keyword
description: This key is used to capture the severity given the session
- name: event_type
overwrite: true
type: keyword
description: This key captures the event category type as specified by the event
source.
- name: reference_id
overwrite: true
type: keyword
description: This key is used to capture an event id from the session directly
- name: version
overwrite: true
type: keyword
description: This key captures Version of the application or OS which is generating
the event.
- name: disposition
overwrite: true
type: keyword
description: This key captures the end state of an action.
- name: result_code
overwrite: true
type: keyword
description: This key is used to capture the outcome/result numeric value of
an action in a session
- name: category
overwrite: true
type: keyword
description: This key is used to capture the category of an event given by the
vendor in the session
- name: obj_name
overwrite: true
type: keyword
description: This is used to capture name of object
- name: obj_type
overwrite: true
type: keyword
description: This is used to capture type of object
- name: event_source
overwrite: true
type: keyword
description: "This key captures Source of the event that\u2019s not a hostname"
- name: log_session_id
overwrite: true
type: keyword
description: This key is used to capture a sessionid from the session directly
- name: group
overwrite: true
type: keyword
description: This key captures the Group Name value
- name: policy_name
overwrite: true
type: keyword
description: This key is used to capture the Policy Name only.
- name: rule_name
overwrite: true
type: keyword
description: This key captures the Rule Name
- name: context
overwrite: true
type: keyword
description: This key captures Information which adds additional context to
the event.
- name: change_new
overwrite: true
type: keyword
description: "This key is used to capture the new values of the attribute that\u2019\
s changing in a session"
- name: space
overwrite: true
type: keyword
- name: client
overwrite: true
type: keyword
description: This key is used to capture only the name of the client application
requesting resources of the server. See the user.agent meta key for capture
of the specific user agent identifier or browser identification string.
- name: msgIdPart1
overwrite: true
type: keyword
- name: msgIdPart2
overwrite: true
type: keyword
- name: change_old
overwrite: true
type: keyword
description: "This key is used to capture the old value of the attribute that\u2019\
s changing in a session"
- name: operation_id
overwrite: true
type: keyword
description: An alert number or operation number. The values should be unique
and non-repeating.
- name: event_state
overwrite: true
type: keyword
description: This key captures the current state of the object/item referenced
within the event. Describing an on-going event.
- name: group_object
overwrite: true
type: keyword
description: This key captures a collection/grouping of entities. Specific usage
- name: node
overwrite: true
type: keyword
description: Common use case is the node name within a cluster. The cluster
name is reflected by the host name.
- name: rule
overwrite: true
type: keyword
description: This key captures the Rule number
- name: device_name
overwrite: true
type: keyword
description: 'This is used to capture name of the Device associated with the
node Like: a physical disk, printer, etc'
- name: param
overwrite: true
type: keyword
description: This key is the parameters passed as part of a command or application,
etc.
- name: change_attrib
overwrite: true
type: keyword
description: "This key is used to capture the name of the attribute that\u2019\
s changing in a session"
- name: event_computer
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the
fully qualified domain name in a Windows log.
- name: reference_id1
overwrite: true
type: keyword
description: This key is for Linked ID to be used as an addition to "reference.id"
- name: event_log
overwrite: true
type: keyword
description: This key captures the Name of the event log
- name: OS
overwrite: true
type: keyword
description: This key captures the Name of the Operating System
- name: terminal
overwrite: true
type: keyword
description: This key captures the Terminal Names only
- name: msgIdPart3
overwrite: true
type: keyword
- name: filter
overwrite: true
type: keyword
description: This key captures Filter used to reduce result set
- name: serial_number
overwrite: true
type: keyword
description: This key is the Serial number associated with a physical asset.
- name: checksum
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the entity
such as a file or process. Checksum should be used over checksum.src or checksum.dst
when it is unclear whether the entity is a source or target of an action.
- name: event_user
overwrite: true
type: keyword
description: This key is a Windows-only concept, used to capture the
combination of domain name and username in a Windows log.
- name: virusname
overwrite: true
type: keyword
description: This key captures the name of the virus
- name: content_type
overwrite: true
type: keyword
description: This key is used to capture Content Type only.
- name: group_id
overwrite: true
type: keyword
description: This key captures Group ID Number (related to the group name)
- name: policy_id
overwrite: true
type: keyword
description: This key is used to capture the Policy ID only, this should be
a numeric value, use policy.name otherwise
- name: vsys
overwrite: true
type: keyword
description: This key captures Virtual System Name
- name: connection_id
overwrite: true
type: keyword
description: This key captures the Connection ID
- name: reference_id2
overwrite: true
type: keyword
description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
or "reference.id1" value but should not be used unless the other two variables
are in play.
- name: sensor
overwrite: true
type: keyword
description: This key captures Name of the sensor. Typically used in IDS/IPS
based devices
- name: sig_id
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID
- name: port_name
overwrite: true
type: keyword
description: 'This key is used for Physical or logical port connection but does
NOT include a network port. (Example: Printer port name).'
- name: rule_group
overwrite: true
type: keyword
description: This key captures the Rule group name
- name: risk_num
overwrite: true
type: double
description: This key captures a Numeric Risk value
- name: trigger_val
overwrite: true
type: keyword
description: This key captures the Value of the trigger or threshold condition.
- name: log_session_id1
overwrite: true
type: keyword
description: This key is used to capture a Linked (Related) Session ID from
the session directly
- name: comp_version
overwrite: true
type: keyword
description: This key captures the Version level of a sub-component of a product.
- name: content_version
overwrite: true
type: keyword
description: This key captures Version level of a signature or database content.
- name: hardware_id
overwrite: true
type: keyword
description: This key is used to capture unique identifier for a device or system
(NOT a Mac address)
- name: risk
overwrite: true
type: keyword
description: This key captures the non-numeric risk value
- name: event_id
overwrite: true
type: keyword
- name: reason
overwrite: true
type: keyword
- name: status
overwrite: true
type: keyword
- name: mail_id
overwrite: true
type: keyword
description: This key is used to capture the mailbox id/name
- name: rule_uid
overwrite: true
type: keyword
description: This key is the Unique Identifier for a rule.
- name: trigger_desc
overwrite: true
type: keyword
description: This key captures the Description of the trigger or threshold condition.
- name: inout
overwrite: true
type: keyword
- name: p_msgid
overwrite: true
type: keyword
- name: data_type
overwrite: true
type: keyword
- name: msgIdPart4
overwrite: true
type: keyword
- name: error
overwrite: true
type: keyword
description: This key captures All non successful Error codes or responses
- name: index
overwrite: true
type: keyword
- name: listnum
overwrite: true
type: keyword
description: This key is used to capture listname or listnumber, primarily for
collecting access-list
- name: ntype
overwrite: true
type: keyword
- name: observed_val
overwrite: true
type: keyword
description: This key captures the Value observed (from the perspective of the
device generating the log).
- name: policy_value
overwrite: true
type: keyword
description: This key captures the contents of the policy. This contains details
about the policy
- name: pool_name
overwrite: true
type: keyword
description: This key captures the name of a resource pool
- name: rule_template
overwrite: true
type: keyword
description: A default set of parameters which are overlaid onto a rule (or
rulename) which effectively constitutes a template
- name: count
overwrite: true
type: keyword
- name: number
overwrite: true
type: keyword
- name: sigcat
overwrite: true
type: keyword
- name: type
overwrite: true
type: keyword
- name: comments
overwrite: true
type: keyword
description: Comment information provided in the log message
- name: doc_number
overwrite: true
type: long
description: This key captures File Identification number
- name: expected_val
overwrite: true
type: keyword
description: This key captures the Value expected (from the perspective of the
device generating the log).
- name: job_num
overwrite: true
type: keyword
description: This key captures the Job Number
- name: spi_dst
overwrite: true
type: keyword
description: Destination SPI Index
- name: spi_src
overwrite: true
type: keyword
description: Source SPI Index
- name: code
overwrite: true
type: keyword
- name: agent_id
overwrite: true
type: keyword
description: This key is used to capture agent id
- name: message_body
overwrite: true
type: keyword
description: This key captures the contents of the message body.
- name: phone
overwrite: true
type: keyword
- name: sig_id_str
overwrite: true
type: keyword
description: This key captures a string object of the sigid variable.
- name: cmd
overwrite: true
type: keyword
- name: misc
overwrite: true
type: keyword
- name: name
overwrite: true
type: keyword
- name: cpu
overwrite: true
type: long
description: This key is the CPU time used in the execution of the event being
recorded.
- name: event_desc
overwrite: true
type: keyword
description: This key is used to capture a description of an event available
directly or inferred
- name: sig_id1
overwrite: true
type: long
description: This key captures IDS/IPS Int Signature ID. This must be linked
to the sig.id
- name: im_buddyid
overwrite: true
type: keyword
- name: im_client
overwrite: true
type: keyword
- name: im_userid
overwrite: true
type: keyword
- name: pid
overwrite: true
type: keyword
- name: priority
overwrite: true
type: keyword
- name: context_subject
overwrite: true
type: keyword
description: This key is to be used in an audit context where the subject is
the object being identified
- name: context_target
overwrite: true
type: keyword
- name: cve
overwrite: true
type: keyword
description: This key captures CVE (Common Vulnerabilities and Exposures) -
an identifier for known information security vulnerabilities.
- name: fcatnum
overwrite: true
type: keyword
description: This key captures Filter Category Number. Legacy Usage
- name: library
overwrite: true
type: keyword
description: This key is used to capture library information in mainframe devices
- name: parent_node
overwrite: true
type: keyword
description: This key captures the Parent Node Name. Must be related to node
variable.
- name: risk_info
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: tcp_flags
overwrite: true
type: long
description: This key captures the TCP flags set in any packet of the session
- name: tos
overwrite: true
type: long
description: This key describes the type of service
- name: vm_target
overwrite: true
type: keyword
description: VMWare Target **VMWARE** only variable.
- name: workspace
overwrite: true
type: keyword
description: This key captures Workspace Description
- name: command
overwrite: true
type: keyword
- name: event_category
overwrite: true
type: keyword
- name: facilityname
overwrite: true
type: keyword
- name: forensic_info
overwrite: true
type: keyword
- name: jobname
overwrite: true
type: keyword
- name: mode
overwrite: true
type: keyword
- name: policy
overwrite: true
type: keyword
- name: policy_waiver
overwrite: true
type: keyword
- name: second
overwrite: true
type: keyword
- name: space1
overwrite: true
type: keyword
- name: subcategory
overwrite: true
type: keyword
- name: tbdstr2
overwrite: true
type: keyword
- name: alert_id
overwrite: true
type: keyword
description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: checksum_dst
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the target
entity such as a process or file.
- name: checksum_src
overwrite: true
type: keyword
description: This key is used to capture the checksum or hash of the source
entity such as a file or process.
- name: fresult
overwrite: true
type: long
description: This key captures the Filter Result
- name: payload_dst
overwrite: true
type: keyword
description: This key is used to capture destination payload
- name: payload_src
overwrite: true
type: keyword
description: This key is used to capture source payload
- name: pool_id
overwrite: true
type: keyword
description: This key captures the identifier (typically numeric field) of a
resource pool
- name: process_id_val
overwrite: true
type: keyword
description: This key is a failure key for Process ID when it is not an integer
value
- name: risk_num_comm
overwrite: true
type: double
description: This key captures Risk Number Community
- name: risk_num_next
overwrite: true
type: double
description: This key captures Risk Number NextGen
- name: risk_num_sand
overwrite: true
type: double
description: This key captures Risk Number SandBox
- name: risk_num_static
overwrite: true
type: double
description: This key captures Risk Number Static
- name: risk_suspicious
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: risk_warning
overwrite: true
type: keyword
description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- name: snmp_oid
overwrite: true
type: keyword
description: SNMP Object Identifier
- name: sql
overwrite: true
type: keyword
description: This key captures the SQL query
- name: vuln_ref
overwrite: true
type: keyword
description: This key captures the Vulnerability Reference details
- name: acl_id
overwrite: true
type: keyword
- name: acl_op
overwrite: true
type: keyword
- name: acl_pos
overwrite: true
type: keyword
- name: acl_table
overwrite: true
type: keyword
- name: admin
overwrite: true
type: keyword
- name: alarm_id
overwrite: true
type: keyword
- name: alarmname
overwrite: true
type: keyword
- name: app_id
overwrite: true
type: keyword
- name: audit
overwrite: true
type: keyword
- name: audit_object
overwrite: true
type: keyword
- name: auditdata
overwrite: true
type: keyword
- name: benchmark
overwrite: true
type: keyword
- name: bypass
overwrite: true
type: keyword
- name: cache
overwrite: true
type: keyword
- name: cache_hit
overwrite: true
type: keyword
- name: cefversion
overwrite: true
type: keyword
- name: cfg_attr
overwrite: true
type: keyword
- name: cfg_obj
overwrite: true
type: keyword
- name: cfg_path
overwrite: true
type: keyword
- name: changes
overwrite: true
type: keyword
- name: client_ip
overwrite: true
type: keyword
- name: clustermembers
overwrite: true
type: keyword
- name: cn_acttimeout
overwrite: true
type: keyword
- name: cn_asn_src
overwrite: true
type: keyword
- name: cn_bgpv4nxthop
overwrite: true
type: keyword
- name: cn_ctr_dst_code
overwrite: true
type: keyword
- name: cn_dst_tos
overwrite: true
type: keyword
- name: cn_dst_vlan
overwrite: true
type: keyword
- name: cn_engine_id
overwrite: true
type: keyword
- name: cn_engine_type
overwrite: true
type: keyword
- name: cn_f_switch
overwrite: true
type: keyword
- name: cn_flowsampid
overwrite: true
type: keyword
- name: cn_flowsampintv
overwrite: true
type: keyword
- name: cn_flowsampmode
overwrite: true
type: keyword
- name: cn_inacttimeout
overwrite: true
type: keyword
- name: cn_inpermbyts
overwrite: true
type: keyword
- name: cn_inpermpckts
overwrite: true
type: keyword
- name: cn_invalid
overwrite: true
type: keyword
- name: cn_ip_proto_ver
overwrite: true
type: keyword
- name: cn_ipv4_ident
overwrite: true
type: keyword
- name: cn_l_switch
overwrite: true
type: keyword
- name: cn_log_did
overwrite: true
type: keyword
- name: cn_log_rid
overwrite: true
type: keyword
- name: cn_max_ttl
overwrite: true
type: keyword
- name: cn_maxpcktlen
overwrite: true
type: keyword
- name: cn_min_ttl
overwrite: true
type: keyword
- name: cn_minpcktlen
overwrite: true
type: keyword
- name: cn_mpls_lbl_1
overwrite: true
type: keyword
- name: cn_mpls_lbl_10
overwrite: true
type: keyword
- name: cn_mpls_lbl_2
overwrite: true
type: keyword
- name: cn_mpls_lbl_3
overwrite: true
type: keyword
- name: cn_mpls_lbl_4
overwrite: true
type: keyword
- name: cn_mpls_lbl_5
overwrite: true
type: keyword
- name: cn_mpls_lbl_6
overwrite: true
type: keyword
- name: cn_mpls_lbl_7
overwrite: true
type: keyword
- name: cn_mpls_lbl_8
overwrite: true
type: keyword
- name: cn_mpls_lbl_9
overwrite: true
type: keyword
- name: cn_mplstoplabel
overwrite: true
type: keyword
- name: cn_mplstoplabip
overwrite: true
type: keyword
- name: cn_mul_dst_byt
overwrite: true
type: keyword
- name: cn_mul_dst_pks
overwrite: true
type: keyword
- name: cn_muligmptype
overwrite: true
type: keyword
- name: cn_sampalgo
overwrite: true
type: keyword
- name: cn_sampint
overwrite: true
type: keyword
- name: cn_seqctr
overwrite: true
type: keyword
- name: cn_spackets
overwrite: true
type: keyword
- name: cn_src_tos
overwrite: true
type: keyword
- name: cn_src_vlan
overwrite: true
type: keyword
- name: cn_sysuptime
overwrite: true
type: keyword
- name: cn_template_id
overwrite: true
type: keyword
- name: cn_totbytsexp
overwrite: true
type: keyword
- name: cn_totflowexp
overwrite: true
type: keyword
- name: cn_totpcktsexp
overwrite: true
type: keyword
- name: cn_unixnanosecs
overwrite: true
type: keyword
- name: cn_v6flowlabel
overwrite: true
type: keyword
- name: cn_v6optheaders
overwrite: true
type: keyword
- name: comp_class
overwrite: true
type: keyword
- name: comp_name
overwrite: true
type: keyword
- name: comp_rbytes
overwrite: true
type: keyword
- name: comp_sbytes
overwrite: true
type: keyword
- name: cpu_data
overwrite: true
type: keyword
- name: criticality
overwrite: true
type: keyword
- name: cs_agency_dst
overwrite: true
type: keyword
- name: cs_analyzedby
overwrite: true
type: keyword
- name: cs_av_other
overwrite: true
type: keyword
- name: cs_av_primary
overwrite: true
type: keyword
- name: cs_av_secondary
overwrite: true
type: keyword
- name: cs_bgpv6nxthop
overwrite: true
type: keyword
- name: cs_bit9status
overwrite: true
type: keyword
- name: cs_context
overwrite: true
type: keyword
- name: cs_control
overwrite: true
type: keyword
- name: cs_data
overwrite: true
type: keyword
- name: cs_datecret
overwrite: true
type: keyword
- name: cs_dst_tld
overwrite: true
type: keyword
- name: cs_eth_dst_ven
overwrite: true
type: keyword
- name: cs_eth_src_ven
overwrite: true
type: keyword
- name: cs_event_uuid
overwrite: true
type: keyword
- name: cs_filetype
overwrite: true
type: keyword
- name: cs_fld
overwrite: true
type: keyword
- name: cs_if_desc
overwrite: true
type: keyword
- name: cs_if_name
overwrite: true
type: keyword
- name: cs_ip_next_hop
overwrite: true
type: keyword
- name: cs_ipv4dstpre
overwrite: true
type: keyword
- name: cs_ipv4srcpre
overwrite: true
type: keyword
- name: cs_lifetime
overwrite: true
type: keyword
- name: cs_log_medium
overwrite: true
type: keyword
- name: cs_loginname
overwrite: true
type: keyword
- name: cs_modulescore
overwrite: true
type: keyword
- name: cs_modulesign
overwrite: true
type: keyword
- name: cs_opswatresult
overwrite: true
type: keyword
- name: cs_payload
overwrite: true
type: keyword
- name: cs_registrant
overwrite: true
type: keyword
- name: cs_registrar
overwrite: true
type: keyword
- name: cs_represult
overwrite: true
type: keyword
- name: cs_rpayload
overwrite: true
type: keyword
- name: cs_sampler_name
overwrite: true
type: keyword
- name: cs_sourcemodule
overwrite: true
type: keyword
- name: cs_streams
overwrite: true
type: keyword
- name: cs_targetmodule
overwrite: true
type: keyword
- name: cs_v6nxthop
overwrite: true
type: keyword
- name: cs_whois_server
overwrite: true
type: keyword
- name: cs_yararesult
overwrite: true
type: keyword
- name: description
overwrite: true
type: keyword
- name: devvendor
overwrite: true
type: keyword
- name: distance
overwrite: true
type: keyword
- name: dstburb
overwrite: true
type: keyword
- name: edomain
overwrite: true
type: keyword
- name: edomaub
overwrite: true
type: keyword
- name: euid
overwrite: true
type: keyword
- name: facility
overwrite: true
type: keyword
- name: finterface
overwrite: true
type: keyword
- name: flags
overwrite: true
type: keyword
- name: gaddr
overwrite: true
type: keyword
- name: id3
overwrite: true
type: keyword
- name: im_buddyname
overwrite: true
type: keyword
- name: im_croomid
overwrite: true
type: keyword
- name: im_croomtype
overwrite: true
type: keyword
- name: im_members
overwrite: true
type: keyword
- name: im_username
overwrite: true
type: keyword
- name: ipkt
overwrite: true
type: keyword
- name: ipscat
overwrite: true
type: keyword
- name: ipspri
overwrite: true
type: keyword
- name: latitude
overwrite: true
type: keyword
- name: linenum
overwrite: true
type: keyword
- name: list_name
overwrite: true
type: keyword
- name: load_data
overwrite: true
type: keyword
- name: location_floor
overwrite: true
type: keyword
- name: location_mark
overwrite: true
type: keyword
- name: log_id
overwrite: true
type: keyword
- name: log_type
overwrite: true
type: keyword
- name: logid
overwrite: true
type: keyword
- name: logip
overwrite: true
type: keyword
- name: logname
overwrite: true
type: keyword
- name: longitude
overwrite: true
type: keyword
- name: lport
overwrite: true
type: keyword
- name: mbug_data
overwrite: true
type: keyword
- name: misc_name
overwrite: true
type: keyword
- name: msg_type
overwrite: true
type: keyword
- name: msgid
overwrite: true
type: keyword
- name: netsessid
overwrite: true
type: keyword
- name: num
overwrite: true
type: keyword
- name: number1
overwrite: true
type: keyword
- name: number2
overwrite: true
type: keyword
- name: nwwn
overwrite: true
type: keyword
- name: object
overwrite: true
type: keyword
- name: operation
overwrite: true
type: keyword
- name: opkt
overwrite: true
type: keyword
- name: orig_from
overwrite: true
type: keyword
- name: owner_id
overwrite: true
type: keyword
- name: p_action
overwrite: true
type: keyword
- name: p_filter
overwrite: true
type: keyword
- name: p_group_object
overwrite: true
type: keyword
- name: p_id
overwrite: true
type: keyword
- name: p_msgid1
overwrite: true
type: keyword
- name: p_msgid2
overwrite: true
type: keyword
- name: p_result1
overwrite: true
type: keyword
- name: password_chg
overwrite: true
type: keyword
- name: password_expire
overwrite: true
type: keyword
- name: permgranted
overwrite: true
type: keyword
- name: permwanted
overwrite: true
type: keyword
- name: pgid
overwrite: true
type: keyword
- name: policyUUID
overwrite: true
type: keyword
- name: prog_asp_num
overwrite: true
type: keyword
- name: program
overwrite: true
type: keyword
- name: real_data
overwrite: true
type: keyword
- name: rec_asp_device
overwrite: true
type: keyword
- name: rec_asp_num
overwrite: true
type: keyword
- name: rec_library
overwrite: true
type: keyword
- name: recordnum
overwrite: true
type: keyword
- name: ruid
overwrite: true
type: keyword
- name: sburb
overwrite: true
type: keyword
- name: sdomain_fld
overwrite: true
type: keyword
- name: sec
overwrite: true
type: keyword
- name: sensorname
overwrite: true
type: keyword
- name: seqnum
overwrite: true
type: keyword
- name: session
overwrite: true
type: keyword
- name: sessiontype
overwrite: true
type: keyword
- name: sigUUID
overwrite: true
type: keyword
- name: spi
overwrite: true
type: keyword
- name: srcburb
overwrite: true
type: keyword
- name: srcdom
overwrite: true
type: keyword
- name: srcservice
overwrite: true
type: keyword
- name: state
overwrite: true
type: keyword
- name: status1
overwrite: true
type: keyword
- name: svcno
overwrite: true
type: keyword
- name: system
overwrite: true
type: keyword
- name: tbdstr1
overwrite: true
type: keyword
- name: tgtdom
overwrite: true
type: keyword
- name: tgtdomain
overwrite: true
type: keyword
- name: threshold
overwrite: true
type: keyword
- name: type1
overwrite: true
type: keyword
- name: udb_class
overwrite: true
type: keyword
- name: url_fld
overwrite: true
type: keyword
- name: user_div
overwrite: true
type: keyword
- name: userid
overwrite: true
type: keyword
- name: username_fld
overwrite: true
type: keyword
- name: utcstamp
overwrite: true
type: keyword
- name: v_instafname
overwrite: true
type: keyword
- name: virt_data
overwrite: true
type: keyword
- name: vpnid
overwrite: true
type: keyword
- name: autorun_type
overwrite: true
type: keyword
description: This is used to capture Auto Run type
- name: cc_number
overwrite: true
type: long
description: Valid Credit Card Numbers only
- name: content
overwrite: true
type: keyword
description: This key captures the content type from protocol headers
- name: ein_number
overwrite: true
type: long
description: Employee Identification Numbers only
- name: found
overwrite: true
type: keyword
description: This is used to capture the results of regex match
- name: language
overwrite: true
type: keyword
description: This is used to capture list of languages the client support and
what it prefers
- name: lifetime
overwrite: true
type: long
description: This key is used to capture the session lifetime in seconds.
- name: link
overwrite: true
type: keyword
description: This key is used to link the sessions together. This key should
never be used to parse Meta data from a session (Logs/Packets) Directly, this
is a Reserved key in NetWitness
- name: match
overwrite: true
type: keyword
description: This key is for regex match name from search.ini
- name: param_dst
overwrite: true
type: keyword
description: This key captures the command line/launch argument of the target
process or file
- name: param_src
overwrite: true
type: keyword
description: This key captures source parameter
- name: search_text
overwrite: true
type: keyword
description: This key captures the Search Text used
- name: sig_name
overwrite: true
type: keyword
description: This key is used to capture the Signature Name only.
- name: snmp_value
overwrite: true
type: keyword
description: SNMP set request value
- name: streams
overwrite: true
type: long
description: This key captures number of streams in session
- name: db
overwrite: true
type: group
fields:
- name: index
overwrite: true
type: keyword
description: This key captures IndexID of the index.
- name: instance
overwrite: true
type: keyword
description: This key is used to capture the database server instance name
- name: database
overwrite: true
type: keyword
description: This key is used to capture the name of a database or an instance
as seen in a session
- name: transact_id
overwrite: true
type: keyword
description: This key captures the SQL transaction ID of the current session
- name: permissions
overwrite: true
type: keyword
description: This key captures permission or privilege level assigned to a resource.
- name: table_name
overwrite: true
type: keyword
description: This key is used to capture the table name
- name: db_id
overwrite: true
type: keyword
description: This key is used to capture the unique identifier for a database
- name: db_pid
overwrite: true
type: long
description: This key captures the process id of a connection with database
server
- name: lread
overwrite: true
type: long
description: This key is used for the number of logical reads
- name: lwrite
overwrite: true
type: long
description: This key is used for the number of logical writes
- name: pread
overwrite: true
type: long
description: This key is used for the number of physical writes
- name: network
overwrite: true
type: group
fields:
- name: alias_host
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a hostname is not clear. It also captures the Device Hostname, any hostname
that isn't ad.computer.
- name: domain
overwrite: true
type: keyword
- name: host_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Hostname"
- name: network_service
overwrite: true
type: keyword
description: This is used to capture layer 7 protocols/service names
- name: interface
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of an interface is not clear
- name: network_port
overwrite: true
type: long
description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- name: eth_host
overwrite: true
type: keyword
description: Deprecated, use alias.mac
- name: sinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Interface"
- name: dinterface
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Interface"
- name: vlan
overwrite: true
type: long
description: This key should only be used to capture the ID of the Virtual LAN
- name: zone_src
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Source Zone."
- name: zone
overwrite: true
type: keyword
description: This key should be used when the source or destination context
of a Zone is not clear
- name: zone_dst
overwrite: true
type: keyword
description: "This key should only be used when it\u2019s a Destination Zone."
- name: gateway
overwrite: true
type: keyword
description: This key is used to capture the IP Address of the gateway
- name: icmp_type
overwrite: true
type: long
description: This key is used to capture the ICMP type only
- name: mask
overwrite: true
type: keyword
description: This key is used to capture the device network IPmask.
- name: icmp_code
overwrite: true
type: long
description: This key is used to capture the ICMP code only
- name: protocol_detail
overwrite: true
type: keyword
description: This key should be used to capture additional protocol information
- name: dmask
overwrite: true
type: keyword
description: This key is used for Destination Device network mask
- name: port
overwrite: true
type: long
description: This key should only be used to capture a Network Port when the
directionality is not clear
- name: smask
overwrite: true
type: keyword
description: This key is used for capturing source Network Mask
- name: netname
overwrite: true
type: keyword
description: This key is used to capture the network name associated with an
IP range. This is configured by the end user.
- name: paddr
overwrite: true
type: ip
description: Deprecated
- name: faddr
overwrite: true
type: keyword
- name: lhost
overwrite: true
type: keyword
- name: origin
overwrite: true
type: keyword
- name: remote_domain_id
overwrite: true
type: keyword
- name: addr
overwrite: true
type: keyword
- name: dns_a_record
overwrite: true
type: keyword
- name: dns_ptr_record
overwrite: true
type: keyword
- name: fhost
overwrite: true
type: keyword
- name: fport
overwrite: true
type: keyword
- name: laddr
overwrite: true
type: keyword
- name: linterface
overwrite: true
type: keyword
- name: phost
overwrite: true
type: keyword
- name: ad_computer_dst
overwrite: true
type: keyword
description: Deprecated, use host.dst
- name: eth_type
overwrite: true
type: long
description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
Only
- name: ip_proto
overwrite: true
type: long
description: This key should be used to capture the Protocol number, all the
protocol numbers are converted into strings in the UI
- name: dns_cname_record
overwrite: true
type: keyword
- name: dns_id
overwrite: true
type: keyword
- name: dns_opcode
overwrite: true
type: keyword
- name: dns_resp
overwrite: true
type: keyword
- name: dns_type
overwrite: true
type: keyword
- name: domain1
overwrite: true
type: keyword
- name: host_type
overwrite: true
type: keyword
- name: packet_length
overwrite: true
type: keyword
- name: host_orig
overwrite: true
type: keyword
description: This is used to capture the original hostname in case of a Forwarding
Agent or a Proxy in between.
- name: rpayload
overwrite: true
type: keyword
description: This key is used to capture the total number of payload bytes seen
in the retransmitted packets.
- name: vlan_name
overwrite: true
type: keyword
description: This key should only be used to capture the name of the Virtual
LAN
- name: investigations
overwrite: true
type: group
fields:
- name: ec_activity
overwrite: true
type: keyword
description: This key captures the particular event activity(Ex:Logoff)
- name: ec_theme
overwrite: true
type: keyword
description: This key captures the Theme of a particular Event(Ex:Authentication)
- name: ec_subject
overwrite: true
type: keyword
description: This key captures the Subject of a particular Event(Ex:User)
- name: ec_outcome
overwrite: true
type: keyword
description: This key captures the outcome of a particular Event(Ex:Success)
- name: event_cat
overwrite: true
type: long
description: This key captures the Event category number
- name: event_cat_name
overwrite: true
type: keyword
description: This key captures the event category name corresponding to the
event cat code
- name: event_vcat
overwrite: true
type: keyword
description: This is a vendor supplied category. This should be used in situations
where the vendor has adopted their own event_category taxonomy.
- name: analysis_file
overwrite: true
type: keyword
description: This is used to capture all indicators used in a File Analysis.
This key should be used to capture an analysis of a file
- name: analysis_service
overwrite: true
type: keyword
description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service
- name: analysis_session
overwrite: true
type: keyword
description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- name: boc
overwrite: true
type: keyword
description: This is used to capture behaviour of compromise
- name: eoc
overwrite: true
type: keyword
description: This is used to capture Enablers of Compromise
- name: inv_category
overwrite: true
type: keyword
description: This is used to capture the investigation category
- name: inv_context
overwrite: true
type: keyword
description: This is used to capture the investigation context
- name: ioc
overwrite: true
type: keyword
description: This key is used to capture indicators of compromise
- name: counters
overwrite: true
type: group
fields:
- name: dclass_c1
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c1.str only
- name: dclass_c2
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c2.str only
- name: event_counter
overwrite: true
type: long
description: This is used to capture the number of times an event repeated
- name: dclass_r1
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r1.str only
- name: dclass_c3
overwrite: true
type: long
description: This is a generic counter key that should be used with the label
dclass.c3.str only
- name: dclass_c1_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c1 only
- name: dclass_c2_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c2 only
- name: dclass_r1_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r1 only
- name: dclass_r2
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r2.str only
- name: dclass_c3_str
overwrite: true
type: keyword
description: This is a generic counter string key that should be used with the
label dclass.c3 only
- name: dclass_r3
overwrite: true
type: keyword
description: This is a generic ratio key that should be used with the label
dclass.r3.str only
- name: dclass_r2_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r2 only
- name: dclass_r3_str
overwrite: true
type: keyword
description: This is a generic ratio string key that should be used with the
label dclass.r3 only
- name: identity
overwrite: true
type: group
fields:
- name: auth_method
overwrite: true
type: keyword
description: This key is used only to capture the authentication method used
- name: user_role
overwrite: true
type: keyword
description: This key is used only to capture the role of a user
- name: dn
overwrite: true
type: keyword
description: X.500 (LDAP) Distinguished Name
- name: logon_type
overwrite: true
type: keyword
description: This key is used to capture the type of logon method used.
- name: profile
overwrite: true
type: keyword
description: This key is used to capture the user profile
- name: accesses
overwrite: true
type: keyword
description: This key is used to capture actual privileges used in accessing
an object
- name: realm
overwrite: true
type: keyword
description: RADIUS realm or similar grouping of accounts
- name: user_sid_dst
overwrite: true
type: keyword
description: This key captures Destination User Session ID
- name: dn_src
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Source dn
- name: org
overwrite: true
type: keyword
description: This key captures the User organization
- name: dn_dst
overwrite: true
type: keyword
description: An X.500 (LDAP) Distinguished name that is used in a context that
indicates a Destination dn
- name: firstname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: lastname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: user_dept
overwrite: true
type: keyword
description: User's Department Names only
- name: user_sid_src
overwrite: true
type: keyword
description: This key captures Source User Session ID
- name: federated_sp
overwrite: true
type: keyword
description: This key is the Federated Service Provider. This is the application
requesting authentication.
- name: federated_idp
overwrite: true
type: keyword
description: This key is the federated Identity Provider. This is the server
providing the authentication.
- name: logon_type_desc
overwrite: true
type: keyword
description: This key is used to capture the textual description of an integer
logon type as stored in the meta key 'logon.type'.
- name: middlename
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: password
overwrite: true
type: keyword
description: This key is for Passwords seen in any session, plain text or encrypted
- name: host_role
overwrite: true
type: keyword
description: This key should only be used to capture the role of a Host Machine
- name: ldap
overwrite: true
type: keyword
description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
t have a clear query or response context"
- name: ldap_query
overwrite: true
type: keyword
description: This key is the Search criteria from an LDAP search
- name: ldap_response
overwrite: true
type: keyword
description: This key is to capture Results from an LDAP search
- name: owner
overwrite: true
type: keyword
description: This is used to capture the username the process or service is running
as, or the author of the task
- name: service_account
overwrite: true
type: keyword
description: This is a Windows-specific key, used to capture the name of the account
a service (referenced in the event) is running under. Legacy usage.
- name: email
overwrite: true
type: group
fields:
- name: email_dst
overwrite: true
type: keyword
description: This key is used to capture the destination email address only; when
the destination context is not clear, use email
- name: email_src
overwrite: true
type: keyword
description: This key is used to capture the source email address only; when the
source context is not clear, use email
- name: subject
overwrite: true
type: keyword
description: This key is used to capture the subject string from an Email only.
- name: email
overwrite: true
type: keyword
description: This key is used to capture a generic email address where the source
or destination context is not clear
- name: trans_from
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: trans_to
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: file
overwrite: true
type: group
fields:
- name: privilege
overwrite: true
type: keyword
description: Deprecated, use permissions
- name: attachment
overwrite: true
type: keyword
description: This key captures the attachment file name
- name: filesystem
overwrite: true
type: keyword
- name: binary
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: filename_dst
overwrite: true
type: keyword
description: This is used to capture the name of the file targeted by the action
- name: filename_src
overwrite: true
type: keyword
description: This is used to capture the name of the parent file, the file which
performed the action
- name: filename_tmp
overwrite: true
type: keyword
- name: directory_dst
overwrite: true
type: keyword
description: This key is used to capture the directory of the target process
or file
- name: directory_src
overwrite: true
type: keyword
description: This key is used to capture the directory of the source process
or file
- name: file_entropy
overwrite: true
type: double
description: This is used to capture the entropy value of a file
- name: file_vendor
overwrite: true
type: keyword
description: This is used to capture the company name of a file, as recorded in its version_info
- name: task_name
overwrite: true
type: keyword
description: This is used to capture the name of the task
- name: web
overwrite: true
type: group
fields:
- name: fqdn
overwrite: true
type: keyword
description: Fully Qualified Domain Names
- name: web_cookie
overwrite: true
type: keyword
description: This key is used to capture the Web cookies specifically.
- name: alias_host
overwrite: true
type: keyword
- name: reputation_num
overwrite: true
type: double
description: Reputation Number of an entity. Typically used for Web Domains
- name: web_ref_domain
overwrite: true
type: keyword
description: Web referer's domain
- name: web_ref_query
overwrite: true
type: keyword
description: This key captures Web referer's query portion of the URL
- name: remote_domain
overwrite: true
type: keyword
- name: web_ref_page
overwrite: true
type: keyword
description: This key captures Web referer's page information
- name: web_ref_root
overwrite: true
type: keyword
description: Web referer's root URL path
- name: cn_asn_dst
overwrite: true
type: keyword
- name: cn_rpackets
overwrite: true
type: keyword
- name: urlpage
overwrite: true
type: keyword
- name: urlroot
overwrite: true
type: keyword
- name: p_url
overwrite: true
type: keyword
- name: p_user_agent
overwrite: true
type: keyword
- name: p_web_cookie
overwrite: true
type: keyword
- name: p_web_method
overwrite: true
type: keyword
- name: p_web_referer
overwrite: true
type: keyword
- name: web_extension_tmp
overwrite: true
type: keyword
- name: web_page
overwrite: true
type: keyword
- name: threat
overwrite: true
type: group
fields:
- name: threat_category
overwrite: true
type: keyword
description: This key captures Threat Name/Threat Category/Categorization of
alert
- name: threat_desc
overwrite: true
type: keyword
description: This key is used to capture the threat description from the session
directly or inferred
- name: alert
overwrite: true
type: keyword
description: This key is used to capture the name of the alert
- name: threat_source
overwrite: true
type: keyword
description: This key is used to capture the source of the threat
- name: crypto
overwrite: true
type: group
fields:
- name: crypto
overwrite: true
type: keyword
description: This key is used to capture the Encryption Type or Encryption Key
only
- name: cipher_src
overwrite: true
type: keyword
description: This key is for Source (Client) Cipher
- name: cert_subject
overwrite: true
type: keyword
description: This key is used to capture the Certificate organization only
- name: peer
overwrite: true
type: keyword
description: This key is for Encryption peer's IP Address
- name: cipher_size_src
overwrite: true
type: long
description: This key captures Source (Client) Cipher Size
- name: ike
overwrite: true
type: keyword
description: IKE negotiation phase.
- name: scheme
overwrite: true
type: keyword
description: This key captures the Encryption scheme used
- name: peer_id
overwrite: true
type: keyword
description: "This key is for Encryption peer\u2019s identity"
- name: sig_type
overwrite: true
type: keyword
description: This key captures the Signature Type
- name: cert_issuer
overwrite: true
type: keyword
- name: cert_host_name
overwrite: true
type: keyword
description: Deprecated key defined only in table map.
- name: cert_error
overwrite: true
type: keyword
description: This key captures the Certificate Error String
- name: cipher_dst
overwrite: true
type: keyword
description: This key is for Destination (Server) Cipher
- name: cipher_size_dst
overwrite: true
type: long
description: This key captures Destination (Server) Cipher Size
- name: ssl_ver_src
overwrite: true
type: keyword
description: Deprecated, use version
- name: d_certauth
overwrite: true
type: keyword
- name: s_certauth
overwrite: true
type: keyword
- name: ike_cookie1
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- name: ike_cookie2
overwrite: true
type: keyword
description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- name: cert_checksum
overwrite: true
type: keyword
- name: cert_host_cat
overwrite: true
type: keyword
description: This key is used for the hostname category value of a certificate
- name: cert_serial
overwrite: true
type: keyword
description: This key is used to capture the Certificate serial number only
- name: cert_status
overwrite: true
type: keyword
description: This key captures Certificate validation status
- name: ssl_ver_dst
overwrite: true
type: keyword
description: Deprecated, use version
- name: cert_keysize
overwrite: true
type: keyword
- name: cert_username
overwrite: true
type: keyword
- name: https_insact
overwrite: true
type: keyword
- name: https_valid
overwrite: true
type: keyword
- name: cert_ca
overwrite: true
type: keyword
description: This key is used to capture the Certificate signing authority only
- name: cert_common
overwrite: true
type: keyword
description: This key is used to capture the Certificate common name only
- name: wireless
overwrite: true
type: group
fields:
- name: wlan_ssid
overwrite: true
type: keyword
description: This key is used to capture the SSID of a wireless session
- name: access_point
overwrite: true
type: keyword
description: This key is used to capture the access point name.
- name: wlan_channel
overwrite: true
type: long
description: This is used to capture the channel names
- name: wlan_name
overwrite: true
type: keyword
description: This key captures the WLAN number or name
- name: storage
overwrite: true
type: group
fields:
- name: disk_volume
overwrite: true
type: keyword
description: A unique name assigned to logical units (volumes) within a physical
disk
- name: lun
overwrite: true
type: keyword
description: Logical Unit Number. This key identifies a logical unit within a storage target.
- name: pwwn
overwrite: true
type: keyword
description: This uniquely identifies a port on an HBA (host bus adapter).
- name: physical
overwrite: true
type: group
fields:
- name: org_dst
overwrite: true
type: keyword
description: This is used to capture the destination organization based on the
GeoIP MaxMind database.
- name: org_src
overwrite: true
type: keyword
description: This is used to capture the source organization based on the GeoIP
MaxMind database.
- name: healthcare
overwrite: true
type: group
fields:
- name: patient_fname
overwrite: true
type: keyword
description: This key is for first names only; it is used predominantly in healthcare
to capture patient information
- name: patient_id
overwrite: true
type: keyword
description: This key captures the unique ID for a patient
- name: patient_lname
overwrite: true
type: keyword
description: This key is for last names only; it is used predominantly in healthcare
to capture patient information
- name: patient_mname
overwrite: true
type: keyword
description: This key is for middle names only; it is used predominantly in healthcare
to capture patient information
- name: endpoint
overwrite: true
type: group
fields:
- name: host_state
overwrite: true
type: keyword
description: This key is used to capture the current state of the machine, such
as blacklisted, infected, firewall disabled and so on
- name: registry_key
overwrite: true
type: keyword
description: This key captures the path to the registry key
- name: registry_value
overwrite: true
type: keyword
description: This key captures values or decorators used within a registry entry
- key: aws-cloudwatch
title: "AWS CloudWatch"
description: >
Fields from AWS CloudWatch logs.
fields:
- name: awscloudwatch
deprecated: 9.0.0
default_field: true
type: group
description: >
Fields from AWS CloudWatch logs.
Deprecated: Use aws.cloudwatch.* instead
fields:
- name: log_group
type: keyword
description: >
The name of the log group to which this event belongs.
Deprecated: Use aws.cloudwatch.log_group instead
- name: log_stream
type: keyword
description: >
The name of the log stream to which this event belongs.
Deprecated: Use aws.cloudwatch.log_stream instead
- name: ingestion_time
type: keyword
description: >
The time the event was ingested in AWS CloudWatch.
Deprecated: Use aws.cloudwatch.ingestion_time instead
- name: aws.cloudwatch
default_field: true
type: group
description: >
Fields from AWS CloudWatch logs.
fields:
- name: log_group
type: keyword
description: The name of the log group to which this event belongs.
- name: log_stream
type: keyword
description: The name of the log stream to which this event belongs.
- name: ingestion_time
type: keyword
description: The time the event was ingested in AWS CloudWatch.
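The `awscloudwatch.*` group above is kept alongside its `aws.cloudwatch.*` replacement, with the old group marked `deprecated` and each old leaf naming its successor in its description. Detection rules and dashboards written against the old names keep working only until the deprecated group is dropped, so it is worth checking a fields.yml mechanically for these cases. The following is an added example, not Filebeat's or Elastic's own code: it flattens the `type: group` tree into the dotted names Elasticsearch indexes (a dotted group name such as `aws.cloudwatch` contributes the prefix `aws.cloudwatch.`), then reports deprecated leaves and whether their named replacement exists with the same type, leaves that carry no description, and leaves whose name suggests secret material. `SAMPLE_KEYS` is a constructed literal shaped like the `- key:` entries of this file as a YAML parser would load them; a real run would pass the parsed file to the same functions.

```python
"""Flatten a fields.yml field tree into dotted Elasticsearch field names and
run a few schema checks: deprecated fields and their replacements, leaves
without a description, and leaves likely to hold secrets."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample, shaped like the `- key:` entries of fields.yml as a YAML
# parser would load them (abbreviated descriptions; not the real file).
SAMPLE_KEYS: List[dict] = [
    {"key": "aws-cloudwatch", "fields": [
        {"name": "awscloudwatch", "deprecated": "9.0.0", "type": "group",
         "description": "Fields from AWS CloudWatch logs.\nDeprecated: Use aws.cloudwatch.* instead\n",
         "fields": [
             {"name": "log_group", "type": "keyword",
              "description": "Log group name.\nDeprecated: Use aws.cloudwatch.log_group instead\n"},
             {"name": "ingestion_time", "type": "keyword",
              "description": "Ingestion time.\nDeprecated: Use aws.cloudwatch.ingestion_time instead\n"},
         ]},
        # A dotted group name: its leaves index as aws.cloudwatch.<leaf>.
        {"name": "aws.cloudwatch", "type": "group", "fields": [
            {"name": "log_group", "type": "keyword", "description": "Log group name."},
            {"name": "ingestion_time", "type": "keyword", "description": "Ingestion time."},
        ]},
    ]},
    {"key": "identity-sample", "fields": [
        {"name": "identity", "type": "group", "overwrite": True, "fields": [
            {"name": "password", "type": "keyword", "overwrite": True,
             "description": "Passwords seen in any session, plain text or encrypted"},
            {"name": "ldap", "type": "keyword", "overwrite": True},  # no description
        ]},
    ]},
]

DEPRECATION = re.compile(r"Deprecated: Use (\S+) instead")


def iter_leaves(fields: List[dict], prefix: str = "") -> Iterator[Tuple[str, dict]]:
    """Yield (dotted_name, spec) for every non-group field, recursing into groups."""
    for spec in fields:
        name = prefix + spec["name"]
        if spec.get("type") == "group":
            yield from iter_leaves(spec.get("fields", []), name + ".")
        else:
            yield name, spec


def flatten(keys: List[dict]) -> Dict[str, dict]:
    """All leaf fields across every top-level key; a duplicate name is a schema error."""
    out: Dict[str, dict] = {}
    for entry in keys:
        for name, spec in iter_leaves(entry.get("fields", [])):
            if name in out:
                raise ValueError(f"duplicate field definition: {name}")
            out[name] = spec
    return out


def deprecated_fields(keys: List[dict]) -> Dict[str, Optional[str]]:
    """Map each deprecated leaf to the replacement named in its description
    (None if none is named). A `deprecated:` marker on a group covers every
    leaf beneath it."""
    found: Dict[str, Optional[str]] = {}

    def walk(fields: List[dict], prefix: str, inherited: bool) -> None:
        for spec in fields:
            name = prefix + spec["name"]
            flagged = inherited or bool(spec.get("deprecated"))
            if spec.get("type") == "group":
                walk(spec.get("fields", []), name + ".", flagged)
            elif flagged:
                m = DEPRECATION.search(spec.get("description", ""))
                found[name] = m.group(1) if m else None

    for entry in keys:
        walk(entry.get("fields", []), "", False)
    return found


def migration_problems(keys: List[dict]) -> List[str]:
    """Deprecated leaves whose replacement is unnamed, undefined, or of a
    different type: rules rewritten to the new name would match nothing or
    clash on type."""
    leaves = flatten(keys)
    problems: List[str] = []
    for old, new in deprecated_fields(keys).items():
        if new is None:
            problems.append(f"{old}: no replacement named")
        elif new not in leaves:
            problems.append(f"{old}: replacement {new} is not defined")
        elif leaves[new].get("type") != leaves[old].get("type"):
            problems.append(f"{old}: type differs from replacement {new}")
    return problems


def undocumented(keys: List[dict]) -> List[str]:
    """Leaves with no description: nothing tells an analyst what they hold."""
    return sorted(n for n, s in flatten(keys).items() if not s.get("description"))


def sensitive_leaves(keys: List[dict], tokens: Tuple[str, ...] = ("password", "secret", "cookie")) -> List[str]:
    """Leaves whose final name segment suggests secret material; candidates
    for field-level security or a drop processor before indexing."""
    return sorted(n for n in flatten(keys) if any(t in n.rsplit(".", 1)[-1] for t in tokens))


if __name__ == "__main__":
    print("deprecated:", deprecated_fields(SAMPLE_KEYS))
    print("migration problems:", migration_problems(SAMPLE_KEYS))
    print("undocumented:", undocumented(SAMPLE_KEYS))
    print("sensitive:", sensitive_leaves(SAMPLE_KEYS))
```

On the real file, feed `yaml.safe_load()` output of fields.yml to these functions; `overwrite: true` entries from the RSA-style groups above are simply treated as leaves, and the duplicate check in `flatten` will flag any name that two `- key:` entries both define without it.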
- key: s3
title: "s3"
description: >
S3 fields from s3 input.
release: ga
fields:
- name: bucket.name
default_field: true
type: keyword
description: >
Name of the S3 bucket that this log was retrieved from.
- name: bucket.arn
default_field: true
type: keyword
description: >
ARN of the S3 bucket that this log was retrieved from.
- name: object.key
default_field: true
type: keyword
description: >
Name of the S3 object that this log was retrieved from.
- name: metadata
default_field: true
type: flattened
description:
AWS S3 object metadata values.
- key: lumberjack
title: "Lumberjack"
description: >
Fields from Lumberjack input.
fields:
- name: lumberjack
type: flattened
description: >
Structured data received in an event sent over the Lumberjack protocol.
########################################
# This file is generated. Do not modify.
########################################
- key: netflow
title: "NetFlow"
description: >
Fields from NetFlow and IPFIX flows.
fields:
- name: netflow
type: group
description: >
Fields from NetFlow and IPFIX.
fields:
- name: type
type: keyword
description: >
The type of NetFlow record described by this event.
- name: exporter
type: group
description: >
Metadata related to the exporter device that generated this record.
fields:
- name: address
type: keyword
description: >
Exporter's network address in IP:port format.
- name: source_id
type: long
description: >
Observation domain ID to which this record belongs.
- name: timestamp
type: date
description: >
Time and date of export.
- name: uptime_millis
type: long
description: >
How long the exporter process has been running, in milliseconds.
- name: version
type: integer
description: >
NetFlow version used.
- name: absolute_error
type: double
- name: address_pool_high_threshold
type: long
- name: address_pool_low_threshold
type: long
- name: address_port_mapping_high_threshold
type: long
- name: address_port_mapping_low_threshold
type: long
- name: address_port_mapping_per_user_high_threshold
type: long
- name: afc_protocol
type: integer
- name: afc_protocol_name
type: keyword
- name: anonymization_flags
type: integer
- name: anonymization_technique
type: integer
- name: application_business-relevance
type: long
- name: application_category_name
type: keyword
- name: application_description
type: keyword
- name: application_group_name
type: keyword
- name: application_http_uri_statistics
type: short
- name: application_http_user-agent
type: short
- name: application_id
type: short
- name: application_name
type: keyword
- name: application_sub_category_name
type: keyword
- name: application_traffic-class
type: long
- name: art_client_network_time_maximum
type: long
- name: art_client_network_time_minimum
type: long
- name: art_client_network_time_sum
type: long
- name: art_clientpackets
type: long
- name: art_count_late_responses
type: long
- name: art_count_new_connections
type: long
- name: art_count_responses
type: long
- name: art_count_responses_histogram_bucket1
type: long
- name: art_count_responses_histogram_bucket2
type: long
- name: art_count_responses_histogram_bucket3
type: long
- name: art_count_responses_histogram_bucket4
type: long
- name: art_count_responses_histogram_bucket5
type: long
- name: art_count_responses_histogram_bucket6
type: long
- name: art_count_responses_histogram_bucket7
type: long
- name: art_count_retransmissions
type: long
- name: art_count_transactions
type: long
- name: art_network_time_maximum
type: long
- name: art_network_time_minimum
type: long
- name: art_network_time_sum
type: long
- name: art_response_time_maximum
type: long
- name: art_response_time_minimum
type: long
- name: art_response_time_sum
type: long
- name: art_server_network_time_maximum
type: long
- name: art_server_network_time_minimum
type: long
- name: art_server_network_time_sum
type: long
- name: art_server_response_time_maximum
type: long
- name: art_server_response_time_minimum
type: long
- name: art_server_response_time_sum
type: long
- name: art_serverpackets
type: long
- name: art_total_response_time_maximum
type: long
- name: art_total_response_time_minimum
type: long
- name: art_total_response_time_sum
type: long
- name: art_total_transaction_time_maximum
type: long
- name: art_total_transaction_time_minimum
type: long
- name: art_total_transaction_time_sum
type: long
- name: assembled_fragment_count
type: long
- name: audit_counter
type: long
- name: average_interarrival_time
type: long
- name: bgp_destination_as_number
type: long
- name: bgp_next_adjacent_as_number
type: long
- name: bgp_next_hop_ipv4_address
type: ip
- name: bgp_next_hop_ipv6_address
type: ip
- name: bgp_prev_adjacent_as_number
type: long
- name: bgp_source_as_number
type: long
- name: bgp_validity_state
type: short
- name: biflow_direction
type: short
- name: bind_ipv4_address
type: ip
- name: bind_transport_port
type: integer
- name: class_id
type: long
- name: class_name
type: keyword
- name: classification_engine_id
type: short
- name: collection_time_milliseconds
type: date
- name: collector_certificate
type: short
- name: collector_ipv4_address
type: ip
- name: collector_ipv6_address
type: ip
- name: collector_transport_port
type: integer
- name: common_properties_id
type: long
- name: confidence_level
type: double
- name: conn_ipv4_address
type: ip
- name: conn_transport_port
type: integer
- name: connection_sum_duration_seconds
type: long
- name: connection_transaction_id
type: long
- name: conntrack_id
type: long
- name: data_byte_count
type: long
- name: data_link_frame_section
type: short
- name: data_link_frame_size
type: integer
- name: data_link_frame_type
type: integer
- name: data_records_reliability
type: boolean
- name: delta_flow_count
type: long
- name: destination_ipv4_address
type: ip
- name: destination_ipv4_prefix
type: ip
- name: destination_ipv4_prefix_length
type: short
- name: destination_ipv6_address
type: ip
- name: destination_ipv6_prefix
type: ip
- name: destination_ipv6_prefix_length
type: short
- name: destination_mac_address
type: keyword
- name: destination_transport_port
type: integer
- name: digest_hash_value
type: long
- name: distinct_count_of_destination_ip_address
type: long
- name: distinct_count_of_destination_ipv4_address
type: long
- name: distinct_count_of_destination_ipv6_address
type: long
- name: distinct_count_of_source_ip_address
type: long
- name: distinct_count_of_source_ipv4_address
type: long
- name: distinct_count_of_source_ipv6_address
type: long
- name: dns_authoritative
type: short
- name: dns_cname
type: keyword
- name: dns_id
type: integer
- name: dns_mx_exchange
type: keyword
- name: dns_mx_preference
type: integer
- name: dns_nsd_name
type: keyword
- name: dns_nx_domain
type: short
- name: dns_ptrd_name
type: keyword
- name: dns_qname
type: keyword
- name: dns_qr_type
type: integer
- name: dns_query_response
type: short
- name: dns_rr_section
type: short
- name: dns_soa_expire
type: long
- name: dns_soa_minimum
type: long
- name: dns_soa_refresh
type: long
- name: dns_soa_retry
type: long
- name: dns_soa_serial
type: long
- name: dns_soam_name
type: keyword
- name: dns_soar_name
type: keyword
- name: dns_srv_port
type: integer
- name: dns_srv_priority
type: integer
- name: dns_srv_target
type: integer
- name: dns_srv_weight
type: integer
- name: dns_ttl
type: long
- name: dns_txt_data
type: keyword
- name: dot1q_customer_dei
type: boolean
- name: dot1q_customer_destination_mac_address
type: keyword
- name: dot1q_customer_priority
type: short
- name: dot1q_customer_source_mac_address
type: keyword
- name: dot1q_customer_vlan_id
type: integer
- name: dot1q_dei
type: boolean
- name: dot1q_priority
type: short
- name: dot1q_service_instance_id
type: long
- name: dot1q_service_instance_priority
type: short
- name: dot1q_service_instance_tag
type: short
- name: dot1q_vlan_id
type: integer
- name: dropped_layer2_octet_delta_count
type: long
- name: dropped_layer2_octet_total_count
type: long
- name: dropped_octet_delta_count
type: long
- name: dropped_octet_total_count
type: long
- name: dropped_packet_delta_count
type: long
- name: dropped_packet_total_count
type: long
- name: dst_traffic_index
type: long
- name: egress_broadcast_packet_total_count
type: long
- name: egress_interface
type: long
- name: egress_interface_type
type: long
- name: egress_physical_interface
type: long
- name: egress_unicast_packet_total_count
type: long
- name: egress_vrfid
type: long
- name: encrypted_technology
type: keyword
- name: engine_id
type: short
- name: engine_type
type: short
- name: ethernet_header_length
type: short
- name: ethernet_payload_length
type: integer
- name: ethernet_total_length
type: integer
- name: ethernet_type
type: integer
- name: expired_fragment_count
type: long
- name: export_interface
type: long
- name: export_protocol_version
type: short
- name: export_sctp_stream_id
type: integer
- name: export_transport_protocol
type: short
- name: exported_flow_record_total_count
type: long
- name: exported_message_total_count
type: long
- name: exported_octet_total_count
type: long
- name: exporter_certificate
type: short
- name: exporter_ipv4_address
type: ip
- name: exporter_ipv6_address
type: ip
- name: exporter_transport_port
type: integer
- name: exporting_process_id
type: long
- name: external_address_realm
type: short
- name: firewall_event
type: short
- name: first_eight_non_empty_packet_directions
type: short
- name: first_non_empty_packet_size
type: integer
- name: first_packet_banner
type: keyword
- name: flags_and_sampler_id
type: long
- name: flow_active_timeout
type: integer
- name: flow_attributes
type: integer
- name: flow_direction
type: short
- name: flow_duration_microseconds
type: long
- name: flow_duration_milliseconds
type: long
- name: flow_end_delta_microseconds
type: long
- name: flow_end_microseconds
type: date
- name: flow_end_milliseconds
type: date
- name: flow_end_nanoseconds
type: date
- name: flow_end_reason
type: short
- name: flow_end_seconds
type: date
- name: flow_end_sys_up_time
type: long
- name: flow_id
type: long
- name: flow_idle_timeout
type: integer
- name: flow_key_indicator
type: long
- name: flow_label_ipv6
type: long
- name: flow_sampling_time_interval
type: long
- name: flow_sampling_time_spacing
type: long
- name: flow_selected_flow_delta_count
type: long
- name: flow_selected_octet_delta_count
type: long
- name: flow_selected_packet_delta_count
type: long
- name: flow_selector_algorithm
type: integer
- name: flow_start_delta_microseconds
type: long
- name: flow_start_microseconds
type: date
- name: flow_start_milliseconds
type: date
- name: flow_start_nanoseconds
type: date
- name: flow_start_seconds
type: date
- name: flow_start_sys_up_time
type: long
- name: flow_table_flush_event_count
type: long
- name: flow_table_peak_count
type: long
- name: forwarding_status
type: short
- name: fragment_flags
type: short
- name: fragment_identification
type: long
- name: fragment_offset
type: integer
- name: fw_blackout_secs
type: long
- name: fw_configured_value
type: long
- name: fw_cts_src_sgt
type: long
- name: fw_event_level
type: long
- name: fw_event_level_id
type: long
- name: fw_ext_event
type: integer
- name: fw_ext_event_alt
type: long
- name: fw_ext_event_desc
type: keyword
- name: fw_half_open_count
type: long
- name: fw_half_open_high
type: long
- name: fw_half_open_rate
type: long
- name: fw_max_sessions
type: long
- name: fw_rule
type: keyword
- name: fw_summary_pkt_count
type: long
- name: fw_zone_pair_id
type: long
- name: fw_zone_pair_name
type: long
- name: global_address_mapping_high_threshold
type: long
- name: gre_key
type: long
- name: hash_digest_output
type: boolean
- name: hash_flow_domain
type: integer
- name: hash_initialiser_value
type: long
- name: hash_ip_payload_offset
type: long
- name: hash_ip_payload_size
type: long
- name: hash_output_range_max
type: long
- name: hash_output_range_min
type: long
- name: hash_selected_range_max
type: long
- name: hash_selected_range_min
type: long
- name: http_content_type
type: keyword
- name: http_message_version
type: keyword
- name: http_reason_phrase
type: keyword
- name: http_request_host
type: keyword
- name: http_request_method
type: keyword
- name: http_request_target
type: keyword
- name: http_status_code
type: integer
- name: http_user_agent
type: keyword
- name: icmp_code_ipv4
type: short
- name: icmp_code_ipv6
type: short
- name: icmp_type_code_ipv4
type: integer
- name: icmp_type_code_ipv6
type: integer
- name: icmp_type_ipv4
type: short
- name: icmp_type_ipv6
type: short
- name: igmp_type
type: short
- name: ignored_data_record_total_count
type: long
- name: ignored_layer2_frame_total_count
type: long
- name: ignored_layer2_octet_total_count
type: long
- name: ignored_octet_total_count
type: long
- name: ignored_packet_total_count
type: long
- name: information_element_data_type
type: short
- name: information_element_description
type: keyword
- name: information_element_id
type: integer
- name: information_element_index
type: integer
- name: information_element_name
type: keyword
- name: information_element_range_begin
type: long
- name: information_element_range_end
type: long
- name: information_element_semantics
type: short
- name: information_element_units
type: integer
- name: ingress_broadcast_packet_total_count
type: long
- name: ingress_interface
type: long
- name: ingress_interface_type
type: long
- name: ingress_multicast_packet_total_count
type: long
- name: ingress_physical_interface
type: long
- name: ingress_unicast_packet_total_count
type: long
- name: ingress_vrfid
type: long
- name: initial_tcp_flags
type: short
- name: initiator_octets
type: long
- name: initiator_packets
type: long
- name: interface_description
type: keyword
- name: interface_name
type: keyword
- name: intermediate_process_id
type: long
- name: internal_address_realm
type: short
- name: ip_class_of_service
type: short
- name: ip_diff_serv_code_point
type: short
- name: ip_header_length
type: short
- name: ip_header_packet_section
type: short
- name: ip_next_hop_ipv4_address
type: ip
- name: ip_next_hop_ipv6_address
type: ip
- name: ip_payload_length
type: long
- name: ip_payload_packet_section
type: short
- name: ip_precedence
type: short
- name: ip_sec_spi
type: long
- name: ip_total_length
type: long
- name: ip_ttl
type: short
- name: ip_version
type: short
- name: ipv4_ihl
type: short
- name: ipv4_options
type: long
- name: ipv4_router_sc
type: ip
- name: ipv6_extension_headers
type: long
- name: is_multicast
type: short
- name: ixia_browser_id
type: short
- name: ixia_browser_name
type: keyword
- name: ixia_device_id
type: short
- name: ixia_device_name
type: keyword
- name: ixia_dns_answer
type: keyword
- name: ixia_dns_classes
type: keyword
- name: ixia_dns_query
type: keyword
- name: ixia_dns_record_txt
type: keyword
- name: ixia_dst_as_name
type: keyword
- name: ixia_dst_city_name
type: keyword
- name: ixia_dst_country_code
type: keyword
- name: ixia_dst_country_name
type: keyword
- name: ixia_dst_latitude
type: float
- name: ixia_dst_longitude
type: float
- name: ixia_dst_region_code
type: keyword
- name: ixia_dst_region_node
type: keyword
- name: ixia_encrypt_cipher
type: keyword
- name: ixia_encrypt_key_length
type: integer
- name: ixia_encrypt_type
type: keyword
- name: ixia_http_host_name
type: keyword
- name: ixia_http_uri
type: keyword
- name: ixia_http_user_agent
type: keyword
- name: ixia_imsi_subscriber
type: keyword
- name: ixia_l7_app_id
type: long
- name: ixia_l7_app_name
type: keyword
- name: ixia_latency
type: long
- name: ixia_rev_octet_delta_count
type: long
- name: ixia_rev_packet_delta_count
type: long
- name: ixia_src_as_name
type: keyword
- name: ixia_src_city_name
type: keyword
- name: ixia_src_country_code
type: keyword
- name: ixia_src_country_name
type: keyword
- name: ixia_src_latitude
type: float
- name: ixia_src_longitude
type: float
- name: ixia_src_region_code
type: keyword
- name: ixia_src_region_name
type: keyword
- name: ixia_threat_ipv4
type: ip
- name: ixia_threat_ipv6
type: ip
- name: ixia_threat_type
type: keyword
- name: large_packet_count
type: long
- name: layer2_frame_delta_count
type: long
- name: layer2_frame_total_count
type: long
- name: layer2_octet_delta_count
type: long
- name: layer2_octet_delta_sum_of_squares
type: long
- name: layer2_octet_total_count
type: long
- name: layer2_octet_total_sum_of_squares
type: long
- name: layer2_segment_id
type: long
- name: layer2packet_section_data
type: short
- name: layer2packet_section_offset
type: integer
- name: layer2packet_section_size
type: integer
- name: line_card_id
type: long
- name: log_op
type: short
- name: lower_ci_limit
type: double
- name: mark
type: long
- name: max_bib_entries
type: long
- name: max_entries_per_user
type: long
- name: max_export_seconds
type: date
- name: max_flow_end_microseconds
type: date
- name: max_flow_end_milliseconds
type: date
- name: max_flow_end_nanoseconds
type: date
- name: max_flow_end_seconds
type: date
- name: max_fragments_pending_reassembly
type: long
- name: max_packet_size
type: integer
- name: max_session_entries
type: long
- name: max_subscribers
type: long
- name: maximum_ip_total_length
type: long
- name: maximum_layer2_total_length
type: long
- name: maximum_ttl
type: short
- name: mean_flow_rate
type: long
- name: mean_packet_rate
type: long
- name: message_md5_checksum
type: short
- name: message_scope
type: short
- name: metering_process_id
type: long
- name: metro_evc_id
type: keyword
- name: metro_evc_type
type: short
- name: mib_capture_time_semantics
type: short
- name: mib_context_engine_id
type: short
- name: mib_context_name
type: keyword
- name: mib_index_indicator
type: long
- name: mib_module_name
type: keyword
- name: mib_object_description
type: keyword
- name: mib_object_identifier
type: short
- name: mib_object_name
type: keyword
- name: mib_object_syntax
type: keyword
- name: mib_object_value_bits
type: short
- name: mib_object_value_counter
type: long
- name: mib_object_value_gauge
type: long
- name: mib_object_value_integer
type: integer
- name: mib_object_value_ip_address
type: ip
- name: mib_object_value_octet_string
type: short
- name: mib_object_value_oid
type: short
- name: mib_object_value_time_ticks
type: long
- name: mib_object_value_unsigned
type: long
- name: mib_sub_identifier
type: long
- name: min_export_seconds
type: date
- name: min_flow_start_microseconds
type: date
- name: min_flow_start_milliseconds
type: date
- name: min_flow_start_nanoseconds
type: date
- name: min_flow_start_seconds
type: date
- name: minimum_ip_total_length
type: long
- name: minimum_layer2_total_length
type: long
- name: minimum_ttl
type: short
- name: mobile_imsi
type: keyword
- name: mobile_msisdn
type: keyword
- name: monitoring_interval_end_milli_seconds
type: date
- name: monitoring_interval_start_milli_seconds
type: date
- name: mpls_label_stack_depth
type: long
- name: mpls_label_stack_length
type: long
- name: mpls_label_stack_section
type: short
- name: mpls_label_stack_section10
type: short
- name: mpls_label_stack_section2
type: short
- name: mpls_label_stack_section3
type: short
- name: mpls_label_stack_section4
type: short
- name: mpls_label_stack_section5
type: short
- name: mpls_label_stack_section6
type: short
- name: mpls_label_stack_section7
type: short
- name: mpls_label_stack_section8
type: short
- name: mpls_label_stack_section9
type: short
- name: mpls_payload_length
type: long
- name: mpls_payload_packet_section
type: short
- name: mpls_top_label_exp
type: short
- name: mpls_top_label_ipv4_address
type: ip
- name: mpls_top_label_ipv6_address
type: ip
- name: mpls_top_label_prefix_length
type: short
- name: mpls_top_label_stack_section
type: short
- name: mpls_top_label_ttl
type: short
- name: mpls_top_label_type
type: short
- name: mpls_vpn_route_distinguisher
type: short
- name: mptcp_address_id
type: short
- name: mptcp_flags
type: short
- name: mptcp_initial_data_sequence_number
type: long
- name: mptcp_maximum_segment_size
type: integer
- name: mptcp_receiver_token
type: long
- name: multicast_replication_factor
type: long
- name: nat_event
type: short
- name: nat_inside_svcid
type: integer
- name: nat_instance_id
type: long
- name: nat_originating_address_realm
type: short
- name: nat_outside_svcid
type: integer
- name: nat_pool_id
type: long
- name: nat_pool_name
type: keyword
- name: nat_quota_exceeded_event
type: long
- name: nat_sub_string
type: keyword
- name: nat_threshold_event
type: long
- name: nat_type
type: short
- name: netscale_ica_client_version
type: keyword
- name: netscaler_aaa_username
type: keyword
- name: netscaler_app_name
type: keyword
- name: netscaler_app_name_app_id
type: long
- name: netscaler_app_name_incarnation_number
type: long
- name: netscaler_app_template_name
type: keyword
- name: netscaler_app_unit_name_app_id
type: long
- name: netscaler_application_startup_duration
type: long
- name: netscaler_application_startup_time
type: long
- name: netscaler_cache_redir_client_connection_core_id
type: long
- name: netscaler_cache_redir_client_connection_transaction_id
type: long
- name: netscaler_client_rtt
type: long
- name: netscaler_connection_chain_hop_count
type: long
- name: netscaler_connection_chain_id
type: short
- name: netscaler_connection_id
type: long
- name: netscaler_current_license_consumed
type: long
- name: netscaler_db_clt_host_name
type: keyword
- name: netscaler_db_database_name
type: keyword
- name: netscaler_db_login_flags
type: long
- name: netscaler_db_protocol_name
type: short
- name: netscaler_db_req_string
type: keyword
- name: netscaler_db_req_type
type: short
- name: netscaler_db_resp_length
type: long
- name: netscaler_db_resp_status
type: long
- name: netscaler_db_resp_status_string
type: keyword
- name: netscaler_db_user_name
type: keyword
- name: netscaler_flow_flags
type: long
- name: netscaler_http_client_interaction_end_time
type: keyword
- name: netscaler_http_client_interaction_start_time
type: keyword
- name: netscaler_http_client_render_end_time
type: keyword
- name: netscaler_http_client_render_start_time
type: keyword
- name: netscaler_http_content_type
type: keyword
- name: netscaler_http_domain_name
type: keyword
- name: netscaler_http_req_authorization
type: keyword
- name: netscaler_http_req_cookie
type: keyword
- name: netscaler_http_req_forw_fb
type: long
- name: netscaler_http_req_forw_lb
type: long
- name: netscaler_http_req_host
type: keyword
- name: netscaler_http_req_method
type: keyword
- name: netscaler_http_req_rcv_fb
type: long
- name: netscaler_http_req_rcv_lb
type: long
- name: netscaler_http_req_referer
type: keyword
- name: netscaler_http_req_url
type: keyword
- name: netscaler_http_req_user_agent
type: keyword
- name: netscaler_http_req_via
type: keyword
- name: netscaler_http_req_xforwarded_for
type: keyword
- name: netscaler_http_res_forw_fb
type: long
- name: netscaler_http_res_forw_lb
type: long
- name: netscaler_http_res_location
type: keyword
- name: netscaler_http_res_rcv_fb
type: long
- name: netscaler_http_res_rcv_lb
type: long
- name: netscaler_http_res_set_cookie
type: keyword
- name: netscaler_http_res_set_cookie2
type: keyword
- name: netscaler_http_rsp_len
type: long
- name: netscaler_http_rsp_status
type: integer
- name: netscaler_ica_app_module_path
type: keyword
- name: netscaler_ica_app_process_id
type: long
- name: netscaler_ica_application_name
type: keyword
- name: netscaler_ica_application_termination_time
type: long
- name: netscaler_ica_application_termination_type
type: integer
- name: netscaler_ica_channel_id1
type: long
- name: netscaler_ica_channel_id1_bytes
type: long
- name: netscaler_ica_channel_id2
type: long
- name: netscaler_ica_channel_id2_bytes
type: long
- name: netscaler_ica_channel_id3
type: long
- name: netscaler_ica_channel_id3_bytes
type: long
- name: netscaler_ica_channel_id4
type: long
- name: netscaler_ica_channel_id4_bytes
type: long
- name: netscaler_ica_channel_id5
type: long
- name: netscaler_ica_channel_id5_bytes
type: long
- name: netscaler_ica_client_host_name
type: keyword
- name: netscaler_ica_client_ip
type: ip
- name: netscaler_ica_client_launcher
type: integer
- name: netscaler_ica_client_side_rto_count
type: integer
- name: netscaler_ica_client_side_window_size
type: integer
- name: netscaler_ica_client_type
type: integer
- name: netscaler_ica_clientside_delay
type: long
- name: netscaler_ica_clientside_jitter
type: long
- name: netscaler_ica_clientside_packets_retransmit
type: integer
- name: netscaler_ica_clientside_rtt
type: long
- name: netscaler_ica_clientside_rx_bytes
type: long
- name: netscaler_ica_clientside_srtt
type: long
- name: netscaler_ica_clientside_tx_bytes
type: long
- name: netscaler_ica_connection_priority
type: integer
- name: netscaler_ica_device_serial_no
type: long
- name: netscaler_ica_domain_name
type: keyword
- name: netscaler_ica_flags
type: long
- name: netscaler_ica_host_delay
type: long
- name: netscaler_ica_l7_client_latency
type: long
- name: netscaler_ica_l7_server_latency
type: long
- name: netscaler_ica_launch_mechanism
type: integer
- name: netscaler_ica_network_update_end_time
type: long
- name: netscaler_ica_network_update_start_time
type: long
- name: netscaler_ica_rtt
type: long
- name: netscaler_ica_server_name
type: keyword
- name: netscaler_ica_server_side_rto_count
type: integer
- name: netscaler_ica_server_side_window_size
type: integer
- name: netscaler_ica_serverside_delay
type: long
- name: netscaler_ica_serverside_jitter
type: long
- name: netscaler_ica_serverside_packets_retransmit
type: integer
- name: netscaler_ica_serverside_rtt
type: long
- name: netscaler_ica_serverside_srtt
type: long
- name: netscaler_ica_session_end_time
type: long
- name: netscaler_ica_session_guid
type: short
- name: netscaler_ica_session_reconnects
type: short
- name: netscaler_ica_session_setup_time
type: long
- name: netscaler_ica_session_update_begin_sec
type: long
- name: netscaler_ica_session_update_end_sec
type: long
- name: netscaler_ica_username
type: keyword
- name: netscaler_license_type
type: short
- name: netscaler_main_page_core_id
type: long
- name: netscaler_main_page_id
type: long
- name: netscaler_max_license_count
type: long
- name: netscaler_msi_client_cookie
type: short
- name: netscaler_round_trip_time
type: long
- name: netscaler_server_ttfb
type: long
- name: netscaler_server_ttlb
type: long
- name: netscaler_syslog_message
type: keyword
- name: netscaler_syslog_priority
type: short
- name: netscaler_syslog_timestamp
type: long
- name: netscaler_transaction_id
type: long
- name: netscaler_unknown270
type: long
- name: netscaler_unknown271
type: long
- name: netscaler_unknown272
type: long
- name: netscaler_unknown273
type: long
- name: netscaler_unknown274
type: long
- name: netscaler_unknown275
type: long
- name: netscaler_unknown276
type: long
- name: netscaler_unknown277
type: long
- name: netscaler_unknown278
type: long
- name: netscaler_unknown279
type: long
- name: netscaler_unknown280
type: long
- name: netscaler_unknown281
type: long
- name: netscaler_unknown282
type: long
- name: netscaler_unknown283
type: long
- name: netscaler_unknown284
type: long
- name: netscaler_unknown285
type: long
- name: netscaler_unknown286
type: long
- name: netscaler_unknown287
type: long
- name: netscaler_unknown288
type: long
- name: netscaler_unknown289
type: long
- name: netscaler_unknown290
type: long
- name: netscaler_unknown291
type: long
- name: netscaler_unknown292
type: long
- name: netscaler_unknown293
type: long
- name: netscaler_unknown294
type: long
- name: netscaler_unknown295
type: long
- name: netscaler_unknown296
type: long
- name: netscaler_unknown297
type: long
- name: netscaler_unknown298
type: long
- name: netscaler_unknown299
type: long
- name: netscaler_unknown300
type: long
- name: netscaler_unknown301
type: long
- name: netscaler_unknown302
type: long
- name: netscaler_unknown303
type: long
- name: netscaler_unknown304
type: long
- name: netscaler_unknown305
type: long
- name: netscaler_unknown306
type: long
- name: netscaler_unknown307
type: long
- name: netscaler_unknown308
type: long
- name: netscaler_unknown309
type: long
- name: netscaler_unknown310
type: long
- name: netscaler_unknown311
type: long
- name: netscaler_unknown312
type: long
- name: netscaler_unknown313
type: long
- name: netscaler_unknown314
type: long
- name: netscaler_unknown315
type: long
- name: netscaler_unknown316
type: keyword
- name: netscaler_unknown317
type: long
- name: netscaler_unknown318
type: long
- name: netscaler_unknown319
type: keyword
- name: netscaler_unknown320
type: integer
- name: netscaler_unknown321
type: long
- name: netscaler_unknown322
type: long
- name: netscaler_unknown323
type: integer
- name: netscaler_unknown324
type: integer
- name: netscaler_unknown325
type: integer
- name: netscaler_unknown326
type: integer
- name: netscaler_unknown327
type: long
- name: netscaler_unknown328
type: integer
- name: netscaler_unknown329
type: integer
- name: netscaler_unknown330
type: integer
- name: netscaler_unknown331
type: integer
- name: netscaler_unknown332
type: long
- name: netscaler_unknown333
type: keyword
- name: netscaler_unknown334
type: keyword
- name: netscaler_unknown335
type: long
- name: netscaler_unknown336
type: long
- name: netscaler_unknown337
type: long
- name: netscaler_unknown338
type: long
- name: netscaler_unknown339
type: long
- name: netscaler_unknown340
type: long
- name: netscaler_unknown341
type: long
- name: netscaler_unknown342
type: long
- name: netscaler_unknown343
type: long
- name: netscaler_unknown344
type: long
- name: netscaler_unknown345
type: long
- name: netscaler_unknown346
type: long
- name: netscaler_unknown347
type: long
- name: netscaler_unknown348
type: integer
- name: netscaler_unknown349
type: keyword
- name: netscaler_unknown350
type: keyword
- name: netscaler_unknown351
type: keyword
- name: netscaler_unknown352
type: integer
- name: netscaler_unknown353
type: long
- name: netscaler_unknown354
type: long
- name: netscaler_unknown355
type: long
- name: netscaler_unknown356
type: long
- name: netscaler_unknown357
type: long
- name: netscaler_unknown363
type: short
- name: netscaler_unknown383
type: short
- name: netscaler_unknown391
type: long
- name: netscaler_unknown398
type: long
- name: netscaler_unknown404
type: long
- name: netscaler_unknown405
type: long
- name: netscaler_unknown427
type: long
- name: netscaler_unknown429
type: short
- name: netscaler_unknown432
type: short
- name: netscaler_unknown433
type: short
- name: netscaler_unknown453
type: long
- name: netscaler_unknown465
type: long
- name: new_connection_delta_count
type: long
- name: next_header_ipv6
type: short
- name: non_empty_packet_count
type: long
- name: not_sent_flow_total_count
type: long
- name: not_sent_layer2_octet_total_count
type: long
- name: not_sent_octet_total_count
type: long
- name: not_sent_packet_total_count
type: long
- name: observation_domain_id
type: long
- name: observation_domain_name
type: keyword
- name: observation_point_id
type: long
- name: observation_point_type
type: short
- name: observation_time_microseconds
type: date
- name: observation_time_milliseconds
type: date
- name: observation_time_nanoseconds
type: date
- name: observation_time_seconds
type: date
- name: observed_flow_total_count
type: long
- name: octet_delta_count
type: long
- name: octet_delta_sum_of_squares
type: long
- name: octet_total_count
type: long
- name: octet_total_sum_of_squares
type: long
- name: opaque_octets
type: short
- name: original_exporter_ipv4_address
type: ip
- name: original_exporter_ipv6_address
type: ip
- name: original_flows_completed
type: long
- name: original_flows_initiated
type: long
- name: original_flows_present
type: long
- name: original_observation_domain_id
type: long
- name: os_finger_print
type: keyword
- name: os_name
type: keyword
- name: os_version
type: keyword
- name: p2p_technology
type: keyword
- name: packet_delta_count
type: long
- name: packet_total_count
type: long
- name: padding_octets
type: short
- name: payload
type: keyword
- name: payload_entropy
type: short
- name: payload_length_ipv6
type: integer
- name: policy_qos_classification_hierarchy
type: long
- name: policy_qos_queue_index
type: long
- name: policy_qos_queuedrops
type: long
- name: policy_qos_queueindex
type: long
- name: port_id
type: long
- name: port_range_end
type: integer
- name: port_range_num_ports
type: integer
- name: port_range_start
type: integer
- name: port_range_step_size
type: integer
- name: post_destination_mac_address
type: keyword
- name: post_dot1q_customer_vlan_id
type: integer
- name: post_dot1q_vlan_id
type: integer
- name: post_ip_class_of_service
type: short
- name: post_ip_diff_serv_code_point
type: short
- name: post_ip_precedence
type: short
- name: post_layer2_octet_delta_count
type: long
- name: post_layer2_octet_total_count
type: long
- name: post_mcast_layer2_octet_delta_count
type: long
- name: post_mcast_layer2_octet_total_count
type: long
- name: post_mcast_octet_delta_count
type: long
- name: post_mcast_octet_total_count
type: long
- name: post_mcast_packet_delta_count
type: long
- name: post_mcast_packet_total_count
type: long
- name: post_mpls_top_label_exp
type: short
- name: post_napt_destination_transport_port
type: integer
- name: post_napt_source_transport_port
type: integer
- name: post_nat_destination_ipv4_address
type: ip
- name: post_nat_destination_ipv6_address
type: ip
- name: post_nat_source_ipv4_address
type: ip
- name: post_nat_source_ipv6_address
type: ip
- name: post_octet_delta_count
type: long
- name: post_octet_total_count
type: long
- name: post_packet_delta_count
type: long
- name: post_packet_total_count
type: long
- name: post_source_mac_address
type: keyword
- name: post_vlan_id
type: integer
- name: private_enterprise_number
type: long
- name: procera_apn
type: keyword
- name: procera_base_service
type: keyword
- name: procera_content_categories
type: keyword
- name: procera_device_id
type: long
- name: procera_external_rtt
type: integer
- name: procera_flow_behavior
type: keyword
- name: procera_ggsn
type: keyword
- name: procera_http_content_type
type: keyword
- name: procera_http_file_length
type: long
- name: procera_http_language
type: keyword
- name: procera_http_location
type: keyword
- name: procera_http_referer
type: keyword
- name: procera_http_request_method
type: keyword
- name: procera_http_request_version
type: keyword
- name: procera_http_response_status
type: integer
- name: procera_http_url
type: keyword
- name: procera_http_user_agent
type: keyword
- name: procera_imsi
type: long
- name: procera_incoming_octets
type: long
- name: procera_incoming_packets
type: long
- name: procera_incoming_shaping_drops
type: long
- name: procera_incoming_shaping_latency
type: integer
- name: procera_internal_rtt
type: integer
- name: procera_local_ipv4_host
type: ip
- name: procera_local_ipv6_host
type: ip
- name: procera_msisdn
type: long
- name: procera_outgoing_octets
type: long
- name: procera_outgoing_packets
type: long
- name: procera_outgoing_shaping_drops
type: long
- name: procera_outgoing_shaping_latency
type: integer
- name: procera_property
type: keyword
- name: procera_qoe_incoming_external
type: float
- name: procera_qoe_incoming_internal
type: float
- name: procera_qoe_outgoing_external
type: float
- name: procera_qoe_outgoing_internal
type: float
- name: procera_rat
type: keyword
- name: procera_remote_ipv4_host
type: ip
- name: procera_remote_ipv6_host
type: ip
- name: procera_rnc
type: integer
- name: procera_server_hostname
type: keyword
- name: procera_service
type: keyword
- name: procera_sgsn
type: keyword
- name: procera_subscriber_identifier
type: keyword
- name: procera_template_name
type: keyword
- name: procera_user_location_information
type: keyword
- name: protocol_identifier
type: short
- name: pseudo_wire_control_word
type: long
- name: pseudo_wire_destination_ipv4_address
type: ip
- name: pseudo_wire_id
type: long
- name: pseudo_wire_type
type: integer
- name: reason
type: long
- name: reason_text
type: keyword
- name: relative_error
type: double
- name: responder_octets
type: long
- name: responder_packets
type: long
- name: reverse_absolute_error
type: double
- name: reverse_anonymization_flags
type: integer
- name: reverse_anonymization_technique
type: integer
- name: reverse_application_category_name
type: keyword
- name: reverse_application_description
type: keyword
- name: reverse_application_group_name
type: keyword
- name: reverse_application_id
type: keyword
- name: reverse_application_name
type: keyword
- name: reverse_application_sub_category_name
type: keyword
- name: reverse_average_interarrival_time
type: long
- name: reverse_bgp_destination_as_number
type: long
- name: reverse_bgp_next_adjacent_as_number
type: long
- name: reverse_bgp_next_hop_ipv4_address
type: ip
- name: reverse_bgp_next_hop_ipv6_address
type: ip
- name: reverse_bgp_prev_adjacent_as_number
type: long
- name: reverse_bgp_source_as_number
type: long
- name: reverse_bgp_validity_state
type: short
- name: reverse_class_id
type: short
- name: reverse_class_name
type: keyword
- name: reverse_classification_engine_id
type: short
- name: reverse_collection_time_milliseconds
type: long
- name: reverse_collector_certificate
type: keyword
- name: reverse_confidence_level
type: double
- name: reverse_connection_sum_duration_seconds
type: long
- name: reverse_connection_transaction_id
type: long
- name: reverse_data_byte_count
type: long
- name: reverse_data_link_frame_section
type: keyword
- name: reverse_data_link_frame_size
type: integer
- name: reverse_data_link_frame_type
type: integer
- name: reverse_data_records_reliability
type: short
- name: reverse_delta_flow_count
type: long
- name: reverse_destination_ipv4_address
type: ip
- name: reverse_destination_ipv4_prefix
type: ip
- name: reverse_destination_ipv4_prefix_length
type: short
- name: reverse_destination_ipv6_address
type: ip
- name: reverse_destination_ipv6_prefix
type: ip
- name: reverse_destination_ipv6_prefix_length
type: short
- name: reverse_destination_mac_address
type: keyword
- name: reverse_destination_transport_port
type: integer
- name: reverse_digest_hash_value
type: long
- name: reverse_distinct_count_of_destination_ip_address
type: long
- name: reverse_distinct_count_of_destination_ipv4_address
type: long
- name: reverse_distinct_count_of_destination_ipv6_address
type: long
- name: reverse_distinct_count_of_source_ip_address
type: long
- name: reverse_distinct_count_of_source_ipv4_address
type: long
- name: reverse_distinct_count_of_source_ipv6_address
type: long
- name: reverse_dot1q_customer_dei
type: short
- name: reverse_dot1q_customer_destination_mac_address
type: keyword
- name: reverse_dot1q_customer_priority
type: short
- name: reverse_dot1q_customer_source_mac_address
type: keyword
- name: reverse_dot1q_customer_vlan_id
type: integer
- name: reverse_dot1q_dei
type: short
- name: reverse_dot1q_priority
type: short
- name: reverse_dot1q_service_instance_id
type: long
- name: reverse_dot1q_service_instance_priority
type: short
- name: reverse_dot1q_service_instance_tag
type: keyword
- name: reverse_dot1q_vlan_id
type: integer
- name: reverse_dropped_layer2_octet_delta_count
type: long
- name: reverse_dropped_layer2_octet_total_count
type: long
- name: reverse_dropped_octet_delta_count
type: long
- name: reverse_dropped_octet_total_count
type: long
- name: reverse_dropped_packet_delta_count
type: long
- name: reverse_dropped_packet_total_count
type: long
- name: reverse_dst_traffic_index
type: long
- name: reverse_egress_broadcast_packet_total_count
type: long
- name: reverse_egress_interface
type: long
- name: reverse_egress_interface_type
type: long
- name: reverse_egress_physical_interface
type: long
- name: reverse_egress_unicast_packet_total_count
type: long
- name: reverse_egress_vrfid
type: long
- name: reverse_encrypted_technology
type: keyword
- name: reverse_engine_id
type: short
- name: reverse_engine_type
type: short
- name: reverse_ethernet_header_length
type: short
- name: reverse_ethernet_payload_length
type: integer
- name: reverse_ethernet_total_length
type: integer
- name: reverse_ethernet_type
type: integer
- name: reverse_export_sctp_stream_id
type: integer
- name: reverse_exporter_certificate
type: keyword
- name: reverse_exporting_process_id
type: long
- name: reverse_firewall_event
type: short
- name: reverse_first_non_empty_packet_size
type: integer
- name: reverse_first_packet_banner
type: keyword
- name: reverse_flags_and_sampler_id
type: long
- name: reverse_flow_active_timeout
type: integer
- name: reverse_flow_attributes
type: integer
- name: reverse_flow_delta_milliseconds
type: long
- name: reverse_flow_direction
type: short
- name: reverse_flow_duration_microseconds
type: long
- name: reverse_flow_duration_milliseconds
type: long
- name: reverse_flow_end_delta_microseconds
type: long
- name: reverse_flow_end_microseconds
type: long
- name: reverse_flow_end_milliseconds
type: long
- name: reverse_flow_end_nanoseconds
type: long
- name: reverse_flow_end_reason
type: short
- name: reverse_flow_end_seconds
type: long
- name: reverse_flow_end_sys_up_time
type: long
- name: reverse_flow_idle_timeout
type: integer
- name: reverse_flow_label_ipv6
type: long
- name: reverse_flow_sampling_time_interval
type: long
- name: reverse_flow_sampling_time_spacing
type: long
- name: reverse_flow_selected_flow_delta_count
type: long
- name: reverse_flow_selected_octet_delta_count
type: long
- name: reverse_flow_selected_packet_delta_count
type: long
- name: reverse_flow_selector_algorithm
type: integer
- name: reverse_flow_start_delta_microseconds
type: long
- name: reverse_flow_start_microseconds
type: long
- name: reverse_flow_start_milliseconds
type: long
- name: reverse_flow_start_nanoseconds
type: long
- name: reverse_flow_start_seconds
type: long
- name: reverse_flow_start_sys_up_time
type: long
- name: reverse_forwarding_status
type: long
- name: reverse_fragment_flags
type: short
- name: reverse_fragment_identification
type: long
- name: reverse_fragment_offset
type: integer
- name: reverse_gre_key
type: long
- name: reverse_hash_digest_output
type: short
- name: reverse_hash_flow_domain
type: integer
- name: reverse_hash_initialiser_value
type: long
- name: reverse_hash_ip_payload_offset
type: long
- name: reverse_hash_ip_payload_size
type: long
- name: reverse_hash_output_range_max
type: long
- name: reverse_hash_output_range_min
type: long
- name: reverse_hash_selected_range_max
type: long
- name: reverse_hash_selected_range_min
type: long
- name: reverse_icmp_code_ipv4
type: short
- name: reverse_icmp_code_ipv6
type: short
- name: reverse_icmp_type_code_ipv4
type: integer
- name: reverse_icmp_type_code_ipv6
type: integer
- name: reverse_icmp_type_ipv4
type: short
- name: reverse_icmp_type_ipv6
type: short
- name: reverse_igmp_type
type: short
- name: reverse_ignored_data_record_total_count
type: long
- name: reverse_ignored_layer2_frame_total_count
type: long
- name: reverse_ignored_layer2_octet_total_count
type: long
- name: reverse_information_element_data_type
type: short
- name: reverse_information_element_description
type: keyword
- name: reverse_information_element_id
type: integer
- name: reverse_information_element_index
type: integer
- name: reverse_information_element_name
type: keyword
- name: reverse_information_element_range_begin
type: long
- name: reverse_information_element_range_end
type: long
- name: reverse_information_element_semantics
type: short
- name: reverse_information_element_units
type: integer
- name: reverse_ingress_broadcast_packet_total_count
type: long
- name: reverse_ingress_interface
type: long
- name: reverse_ingress_interface_type
type: long
- name: reverse_ingress_multicast_packet_total_count
type: long
- name: reverse_ingress_physical_interface
type: long
- name: reverse_ingress_unicast_packet_total_count
type: long
- name: reverse_ingress_vrfid
type: long
- name: reverse_initial_tcp_flags
type: short
- name: reverse_initiator_octets
type: long
- name: reverse_initiator_packets
type: long
- name: reverse_interface_description
type: keyword
- name: reverse_interface_name
type: keyword
- name: reverse_intermediate_process_id
type: long
- name: reverse_ip_class_of_service
type: short
- name: reverse_ip_diff_serv_code_point
type: short
- name: reverse_ip_header_length
type: short
- name: reverse_ip_header_packet_section
type: keyword
- name: reverse_ip_next_hop_ipv4_address
type: ip
- name: reverse_ip_next_hop_ipv6_address
type: ip
- name: reverse_ip_payload_length
type: long
- name: reverse_ip_payload_packet_section
type: keyword
- name: reverse_ip_precedence
type: short
- name: reverse_ip_sec_spi
type: long
- name: reverse_ip_total_length
type: long
- name: reverse_ip_ttl
type: short
- name: reverse_ip_version
type: short
- name: reverse_ipv4_ihl
type: short
- name: reverse_ipv4_options
type: long
- name: reverse_ipv4_router_sc
type: ip
- name: reverse_ipv6_extension_headers
type: long
- name: reverse_is_multicast
type: short
- name: reverse_large_packet_count
type: long
- name: reverse_layer2_frame_delta_count
type: long
- name: reverse_layer2_frame_total_count
type: long
- name: reverse_layer2_octet_delta_count
type: long
- name: reverse_layer2_octet_delta_sum_of_squares
type: long
- name: reverse_layer2_octet_total_count
type: long
- name: reverse_layer2_octet_total_sum_of_squares
type: long
- name: reverse_layer2_segment_id
type: long
- name: reverse_layer2packet_section_data
type: keyword
- name: reverse_layer2packet_section_offset
type: integer
- name: reverse_layer2packet_section_size
type: integer
- name: reverse_line_card_id
type: long
- name: reverse_lower_ci_limit
type: double
- name: reverse_max_export_seconds
type: long
- name: reverse_max_flow_end_microseconds
type: long
- name: reverse_max_flow_end_milliseconds
type: long
- name: reverse_max_flow_end_nanoseconds
type: long
- name: reverse_max_flow_end_seconds
type: long
- name: reverse_max_packet_size
type: integer
- name: reverse_maximum_ip_total_length
type: long
- name: reverse_maximum_layer2_total_length
type: long
- name: reverse_maximum_ttl
type: short
- name: reverse_message_md5_checksum
type: keyword
- name: reverse_message_scope
type: short
- name: reverse_metering_process_id
type: long
- name: reverse_metro_evc_id
type: keyword
- name: reverse_metro_evc_type
type: short
- name: reverse_min_export_seconds
type: long
- name: reverse_min_flow_start_microseconds
type: long
- name: reverse_min_flow_start_milliseconds
type: long
- name: reverse_min_flow_start_nanoseconds
type: long
- name: reverse_min_flow_start_seconds
type: long
- name: reverse_minimum_ip_total_length
type: long
- name: reverse_minimum_layer2_total_length
type: long
- name: reverse_minimum_ttl
type: short
- name: reverse_monitoring_interval_end_milli_seconds
type: long
- name: reverse_monitoring_interval_start_milli_seconds
type: long
- name: reverse_mpls_label_stack_depth
type: long
- name: reverse_mpls_label_stack_length
type: long
- name: reverse_mpls_label_stack_section
type: keyword
- name: reverse_mpls_label_stack_section10
type: keyword
- name: reverse_mpls_label_stack_section2
type: keyword
- name: reverse_mpls_label_stack_section3
type: keyword
- name: reverse_mpls_label_stack_section4
type: keyword
- name: reverse_mpls_label_stack_section5
type: keyword
- name: reverse_mpls_label_stack_section6
type: keyword
- name: reverse_mpls_label_stack_section7
type: keyword
- name: reverse_mpls_label_stack_section8
type: keyword
- name: reverse_mpls_label_stack_section9
type: keyword
- name: reverse_mpls_payload_length
type: long
- name: reverse_mpls_payload_packet_section
type: keyword
- name: reverse_mpls_top_label_exp
type: short
- name: reverse_mpls_top_label_ipv4_address
type: ip
- name: reverse_mpls_top_label_ipv6_address
type: ip
- name: reverse_mpls_top_label_prefix_length
type: short
- name: reverse_mpls_top_label_stack_section
type: keyword
- name: reverse_mpls_top_label_ttl
type: short
- name: reverse_mpls_top_label_type
type: short
- name: reverse_mpls_vpn_route_distinguisher
type: keyword
- name: reverse_multicast_replication_factor
type: long
- name: reverse_nat_event
type: short
- name: reverse_nat_originating_address_realm
type: short
- name: reverse_nat_pool_id
type: long
- name: reverse_nat_pool_name
type: keyword
- name: reverse_nat_type
type: short
- name: reverse_new_connection_delta_count
type: long
- name: reverse_next_header_ipv6
type: short
- name: reverse_non_empty_packet_count
type: long
- name: reverse_not_sent_layer2_octet_total_count
type: long
- name: reverse_observation_domain_name
type: keyword
- name: reverse_observation_point_id
type: long
- name: reverse_observation_point_type
type: short
- name: reverse_observation_time_microseconds
type: long
- name: reverse_observation_time_milliseconds
type: long
- name: reverse_observation_time_nanoseconds
type: long
- name: reverse_observation_time_seconds
type: long
- name: reverse_octet_delta_count
type: long
- name: reverse_octet_delta_sum_of_squares
type: long
- name: reverse_octet_total_count
type: long
- name: reverse_octet_total_sum_of_squares
type: long
- name: reverse_opaque_octets
type: keyword
- name: reverse_original_exporter_ipv4_address
type: ip
- name: reverse_original_exporter_ipv6_address
type: ip
- name: reverse_original_flows_completed
type: long
- name: reverse_original_flows_initiated
type: long
- name: reverse_original_flows_present
type: long
- name: reverse_original_observation_domain_id
type: long
- name: reverse_os_finger_print
type: keyword
- name: reverse_os_name
type: keyword
- name: reverse_os_version
type: keyword
- name: reverse_p2p_technology
type: keyword
- name: reverse_packet_delta_count
type: long
- name: reverse_packet_total_count
type: long
- name: reverse_payload
type: keyword
- name: reverse_payload_entropy
type: short
- name: reverse_payload_length_ipv6
type: integer
- name: reverse_port_id
type: long
- name: reverse_port_range_end
type: integer
- name: reverse_port_range_num_ports
type: integer
- name: reverse_port_range_start
type: integer
- name: reverse_port_range_step_size
type: integer
- name: reverse_post_destination_mac_address
type: keyword
- name: reverse_post_dot1q_customer_vlan_id
type: integer
- name: reverse_post_dot1q_vlan_id
type: integer
- name: reverse_post_ip_class_of_service
type: short
- name: reverse_post_ip_diff_serv_code_point
type: short
- name: reverse_post_ip_precedence
type: short
- name: reverse_post_layer2_octet_delta_count
type: long
- name: reverse_post_layer2_octet_total_count
type: long
- name: reverse_post_mcast_layer2_octet_delta_count
type: long
- name: reverse_post_mcast_layer2_octet_total_count
type: long
- name: reverse_post_mcast_octet_delta_count
type: long
- name: reverse_post_mcast_octet_total_count
type: long
- name: reverse_post_mcast_packet_delta_count
type: long
- name: reverse_post_mcast_packet_total_count
type: long
- name: reverse_post_mpls_top_label_exp
type: short
- name: reverse_post_napt_destination_transport_port
type: integer
- name: reverse_post_napt_source_transport_port
type: integer
- name: reverse_post_nat_destination_ipv4_address
type: ip
- name: reverse_post_nat_destination_ipv6_address
type: ip
- name: reverse_post_nat_source_ipv4_address
type: ip
- name: reverse_post_nat_source_ipv6_address
type: ip
- name: reverse_post_octet_delta_count
type: long
- name: reverse_post_octet_total_count
type: long
- name: reverse_post_packet_delta_count
type: long
- name: reverse_post_packet_total_count
type: long
- name: reverse_post_source_mac_address
type: keyword
- name: reverse_post_vlan_id
type: integer
- name: reverse_private_enterprise_number
type: long
- name: reverse_protocol_identifier
type: short
- name: reverse_pseudo_wire_control_word
type: long
- name: reverse_pseudo_wire_destination_ipv4_address
type: ip
- name: reverse_pseudo_wire_id
type: long
- name: reverse_pseudo_wire_type
type: integer
- name: reverse_relative_error
type: double
- name: reverse_responder_octets
type: long
- name: reverse_responder_packets
type: long
- name: reverse_rfc3550_jitter_microseconds
type: long
- name: reverse_rfc3550_jitter_milliseconds
type: long
- name: reverse_rfc3550_jitter_nanoseconds
type: long
- name: reverse_rtp_payload_type
type: short
- name: reverse_rtp_sequence_number
type: integer
- name: reverse_sampler_id
type: short
- name: reverse_sampler_mode
type: short
- name: reverse_sampler_name
type: keyword
- name: reverse_sampler_random_interval
type: long
- name: reverse_sampling_algorithm
type: short
- name: reverse_sampling_flow_interval
type: long
- name: reverse_sampling_flow_spacing
type: long
- name: reverse_sampling_interval
type: long
- name: reverse_sampling_packet_interval
type: long
- name: reverse_sampling_packet_space
type: long
- name: reverse_sampling_population
type: long
- name: reverse_sampling_probability
type: double
- name: reverse_sampling_size
type: long
- name: reverse_sampling_time_interval
type: long
- name: reverse_sampling_time_space
type: long
- name: reverse_second_packet_banner
type: keyword
- name: reverse_section_exported_octets
type: integer
- name: reverse_section_offset
type: integer
- name: reverse_selection_sequence_id
type: long
- name: reverse_selector_algorithm
type: integer
- name: reverse_selector_id
type: long
- name: reverse_selector_id_total_flows_observed
type: long
- name: reverse_selector_id_total_flows_selected
type: long
- name: reverse_selector_id_total_pkts_observed
type: long
- name: reverse_selector_id_total_pkts_selected
type: long
- name: reverse_selector_name
type: keyword
- name: reverse_session_scope
type: short
- name: reverse_small_packet_count
type: long
- name: reverse_source_ipv4_address
type: ip
- name: reverse_source_ipv4_prefix
type: ip
- name: reverse_source_ipv4_prefix_length
type: short
- name: reverse_source_ipv6_address
type: ip
- name: reverse_source_ipv6_prefix
type: ip
- name: reverse_source_ipv6_prefix_length
type: short
- name: reverse_source_mac_address
type: keyword
- name: reverse_source_transport_port
type: integer
- name: reverse_src_traffic_index
type: long
- name: reverse_sta_ipv4_address
type: ip
- name: reverse_sta_mac_address
type: keyword
- name: reverse_standard_deviation_interarrival_time
type: long
- name: reverse_standard_deviation_payload_length
type: integer
- name: reverse_system_init_time_milliseconds
type: long
- name: reverse_tcp_ack_total_count
type: long
- name: reverse_tcp_acknowledgement_number
type: long
- name: reverse_tcp_control_bits
type: integer
- name: reverse_tcp_destination_port
type: integer
- name: reverse_tcp_fin_total_count
type: long
- name: reverse_tcp_header_length
type: short
- name: reverse_tcp_options
type: long
- name: reverse_tcp_psh_total_count
type: long
- name: reverse_tcp_rst_total_count
type: long
- name: reverse_tcp_sequence_number
type: long
- name: reverse_tcp_source_port
type: integer
- name: reverse_tcp_syn_total_count
type: long
- name: reverse_tcp_urg_total_count
type: long
- name: reverse_tcp_urgent_pointer
type: integer
- name: reverse_tcp_window_scale
type: integer
- name: reverse_tcp_window_size
type: integer
- name: reverse_total_length_ipv4
type: integer
- name: reverse_transport_octet_delta_count
type: long
- name: reverse_transport_packet_delta_count
type: long
- name: reverse_tunnel_technology
type: keyword
- name: reverse_udp_destination_port
type: integer
- name: reverse_udp_message_length
type: integer
- name: reverse_udp_source_port
type: integer
- name: reverse_union_tcp_flags
type: short
- name: reverse_upper_ci_limit
type: double
- name: reverse_user_name
type: keyword
- name: reverse_value_distribution_method
type: short
- name: reverse_virtual_station_interface_id
type: keyword
- name: reverse_virtual_station_interface_name
type: keyword
- name: reverse_virtual_station_name
type: keyword
- name: reverse_virtual_station_uuid
type: keyword
- name: reverse_vlan_id
type: integer
- name: reverse_vr_fname
type: keyword
- name: reverse_wlan_channel_id
type: short
- name: reverse_wlan_ssid
type: keyword
- name: reverse_wtp_mac_address
type: keyword
- name: rfc3550_jitter_microseconds
type: long
- name: rfc3550_jitter_milliseconds
type: long
- name: rfc3550_jitter_nanoseconds
type: long
- name: rtp_payload_type
type: short
- name: rtp_sequence_number
type: integer
- name: sampler_id
type: short
- name: sampler_mode
type: short
- name: sampler_name
type: keyword
- name: sampler_random_interval
type: long
- name: sampling_algorithm
type: short
- name: sampling_flow_interval
type: long
- name: sampling_flow_spacing
type: long
- name: sampling_interval
type: long
- name: sampling_packet_interval
type: long
- name: sampling_packet_space
type: long
- name: sampling_population
type: long
- name: sampling_probability
type: double
- name: sampling_size
type: long
- name: sampling_time_interval
type: long
- name: sampling_time_space
type: long
- name: second_packet_banner
type: keyword
- name: section_exported_octets
type: integer
- name: section_offset
type: integer
- name: selection_sequence_id
type: long
- name: selector_algorithm
type: integer
- name: selector_id
type: long
- name: selector_id_total_flows_observed
type: long
- name: selector_id_total_flows_selected
type: long
- name: selector_id_total_pkts_observed
type: long
- name: selector_id_total_pkts_selected
type: long
- name: selector_name
type: keyword
- name: service_name
type: keyword
- name: session_scope
type: short
- name: silk_app_label
type: integer
- name: small_packet_count
type: long
- name: source_ipv4_address
type: ip
- name: source_ipv4_prefix
type: ip
- name: source_ipv4_prefix_length
type: short
- name: source_ipv6_address
type: ip
- name: source_ipv6_prefix
type: ip
- name: source_ipv6_prefix_length
type: short
- name: source_mac_address
type: keyword
- name: source_transport_port
type: integer
- name: source_transport_ports_limit
type: integer
- name: src_traffic_index
type: long
- name: ssl_cert_serial_number
type: keyword
- name: ssl_cert_signature
type: keyword
- name: ssl_cert_validity_not_after
type: keyword
- name: ssl_cert_validity_not_before
type: keyword
- name: ssl_cert_version
type: short
- name: ssl_certificate_hash
type: keyword
- name: ssl_cipher
type: keyword
- name: ssl_client_version
type: short
- name: ssl_compression_method
type: short
- name: ssl_object_type
type: keyword
- name: ssl_object_value
type: keyword
- name: ssl_public_key_algorithm
type: keyword
- name: ssl_public_key_length
type: keyword
- name: ssl_server_cipher
type: long
- name: ssl_server_name
type: keyword
- name: sta_ipv4_address
type: ip
- name: sta_mac_address
type: keyword
- name: standard_deviation_interarrival_time
type: long
- name: standard_deviation_payload_length
type: short
- name: system_init_time_milliseconds
type: date
- name: tcp_ack_total_count
type: long
- name: tcp_acknowledgement_number
type: long
- name: tcp_control_bits
type: integer
- name: tcp_destination_port
type: integer
- name: tcp_fin_total_count
type: long
- name: tcp_header_length
type: short
- name: tcp_options
type: long
- name: tcp_psh_total_count
type: long
- name: tcp_rst_total_count
type: long
- name: tcp_sequence_number
type: long
- name: tcp_source_port
type: integer
- name: tcp_syn_total_count
type: long
- name: tcp_urg_total_count
type: long
- name: tcp_urgent_pointer
type: integer
- name: tcp_window_scale
type: integer
- name: tcp_window_size
type: integer
- name: template_id
type: integer
- name: tftp_filename
type: keyword
- name: tftp_mode
type: keyword
- name: timestamp
type: long
- name: timestamp_absolute_monitoring-interval
type: long
- name: total_length_ipv4
type: integer
- name: traffic_type
type: short
- name: transport_octet_delta_count
type: long
- name: transport_packet_delta_count
type: long
- name: tunnel_technology
type: keyword
- name: udp_destination_port
type: integer
- name: udp_message_length
type: integer
- name: udp_source_port
type: integer
- name: union_tcp_flags
type: short
- name: upper_ci_limit
type: double
- name: user_name
type: keyword
- name: username
type: keyword
- name: value_distribution_method
type: short
- name: viptela_vpn_id
type: long
- name: virtual_station_interface_id
type: short
- name: virtual_station_interface_name
type: keyword
- name: virtual_station_name
type: keyword
- name: virtual_station_uuid
type: short
- name: vlan_id
type: integer
- name: vmware_egress_interface_attr
type: integer
- name: vmware_ingress_interface_attr
type: integer
- name: vmware_tenant_dest_ipv4
type: ip
- name: vmware_tenant_dest_ipv6
type: ip
- name: vmware_tenant_dest_port
type: integer
- name: vmware_tenant_protocol
type: short
- name: vmware_tenant_source_ipv4
type: ip
- name: vmware_tenant_source_ipv6
type: ip
- name: vmware_tenant_source_port
type: integer
- name: vmware_vxlan_export_role
type: short
- name: vpn_identifier
type: short
- name: vr_fname
type: keyword
- name: waasoptimization_segment
type: short
- name: wlan_channel_id
type: short
- name: wlan_ssid
type: keyword
- name: wtp_mac_address
type: keyword
- name: xlate_destination_address_ip_v4
type: ip
- name: xlate_destination_port
type: integer
- name: xlate_source_address_ip_v4
type: ip
- name: xlate_source_port
type: integer
- key: cef
title: Decode CEF processor fields
description: >
Common Event Format (CEF) data.
fields:
- name: cef
type: group
description: >
By default the `decode_cef` processor writes all data from the CEF
message to this `cef` object. It contains the CEF header fields and the
extension data.
fields:
- name: version
type: keyword
description: >
Version of the CEF specification used by the message.
- name: device.vendor
type: keyword
description: >
Vendor of the device that produced the message.
- name: device.product
type: keyword
description: >
Product of the device that produced the message.
- name: device.version
type: keyword
description: >
Version of the product that produced the message.
- name: device.event_class_id
type: keyword
description: >
Unique identifier of the event type.
- name: severity
type: keyword
example: Very-High
description: >
Importance of the event. The valid string values are Unknown, Low,
Medium, High, and Very-High. The valid integer values are 0-3=Low,
4-6=Medium, 7-8=High, and 9-10=Very-High.
- name: name
type: keyword
description: >
Short description of the event.
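The header fields above (version, vendor, product, version, event class ID, name, severity) and the `extensions` group that follows are what the `decode_cef` processor produces from a raw CEF line. As an added example, not Filebeat's own implementation, the Python below does the same decoding end to end: it splits the pipe-delimited header while honouring the `\|` and `\\` escapes, parses the extension text (values may contain spaces and `\=` escapes) into the full field names listed on this page, coerces the fields typed `long` here to integers, pairs each `deviceCustom*N` value with its `*NLabel`, and normalises `severity` exactly as its description defines. The short-key alias table is a hand-picked subset of the CEF extension dictionary (assumption: sufficient for the constructed sample; real feeds use more keys), and the sample message is constructed for this example.

```python
"""Minimal CEF decoder mirroring the `cef.*` field layout on this page.
Added example, not Filebeat's decode_cef. ALIASES is a subset (assumption)."""
import re
from typing import Any, Dict, List

HEADER_FIELDS = ("version", "device.vendor", "device.product", "device.version",
                 "device.event_class_id", "name", "severity")

# CEF short extension keys -> full names used by the field list on this page (subset).
ALIASES: Dict[str, str] = {
    "act": "deviceAction", "app": "applicationProtocol", "cat": "deviceEventCategory",
    "cnt": "baseEventCount", "dvc": "deviceAddress", "dvchost": "deviceHostName",
    "dst": "destinationAddress", "dpt": "destinationPort", "dhost": "destinationHostName",
    "duser": "destinationUserName", "src": "sourceAddress", "spt": "sourcePort",
    "shost": "sourceHostName", "suser": "sourceUserName", "msg": "message",
    "rt": "deviceReceiptTime", "in": "bytesIn", "out": "bytesOut",
    "outcome": "eventOutcome", "reason": "Reason", "request": "requestUrl",
    "fname": "filename", "fsize": "fileSize",
}
for _i in range(1, 7):  # cs1..cs6 and their labels
    ALIASES[f"cs{_i}"] = f"deviceCustomString{_i}"
    ALIASES[f"cs{_i}Label"] = f"deviceCustomString{_i}Label"
for _i in range(1, 4):  # cn1..cn3 and their labels
    ALIASES[f"cn{_i}"] = f"deviceCustomNumber{_i}"
    ALIASES[f"cn{_i}Label"] = f"deviceCustomNumber{_i}Label"

# Fields typed `long` on this page; coerce when the value is an integer literal.
LONG_FIELDS = {"destinationPort", "sourcePort", "baseEventCount", "bytesIn", "bytesOut",
               "fileSize", "deviceCustomNumber1", "deviceCustomNumber2", "deviceCustomNumber3"}

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key starts the text or follows whitespace
_ESC_RE = re.compile(r"\\(.)", re.DOTALL)
_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r", "|": "|"}


def _split_header(line: str) -> List[str]:
    """Return the 7 header fields plus the raw extension remainder, honouring \\| and \\\\."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # escaped pipe or backslash is literal
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) == 6 and buf:      # tolerate a message with no trailing '|' after severity
        fields.append("".join(buf))
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    fields.append(line[i:])           # extension text, possibly empty
    return fields


def _unescape(value: str) -> str:
    return _ESC_RE.sub(lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)


def parse_extensions(text: str) -> Dict[str, Any]:
    """Parse `key=value key2=value2`; a value runs until the next `<space>key=`."""
    out: Dict[str, Any] = {}
    matches = list(_KEY_RE.finditer(text))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(text)
        key = ALIASES.get(m.group(1), m.group(1))
        val = _unescape(text[m.end():end].strip())
        out[key] = int(val) if key in LONG_FIELDS and re.fullmatch(r"-?\d+", val) else val
    return out


def severity_label(raw: str) -> str:
    """Map the header severity to Unknown/Low/Medium/High/Very-High as described above."""
    if raw in ("Unknown", "Low", "Medium", "High", "Very-High"):
        return raw
    if raw.isdigit():
        n = int(raw)
        if n <= 3:
            return "Low"
        if n <= 6:
            return "Medium"
        if n <= 8:
            return "High"
        if n <= 10:
            return "Very-High"
    return "Unknown"          # out-of-range numbers or unrecognised strings


def custom_fields(ext: Dict[str, Any]) -> Dict[str, Any]:
    """Pair each custom/flex value with its *Label, keyed by the label text."""
    return {ext[k + "Label"]: v for k, v in ext.items()
            if not k.endswith("Label") and (k + "Label") in ext}


def decode_cef(line: str) -> Dict[str, Any]:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _split_header(line[len("CEF:"):])
    event: Dict[str, Any] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["extensions"] = parse_extensions(parts[7])
    return event


# Constructed sample: escaped '|' in the vendor, escaped '=' inside msg, a labelled cs1.
SAMPLE = ("CEF:0|ACME\\|Sec|threatmanager|1.0|100|worm successfully stopped|10|"
          "src=10.0.0.1 dst=2.1.2.2 spt=1232 dpt=443 msg=Blocked URL http://x/?a\\=1 "
          "cs1Label=Rule cs1=deny-all cnt=3 act=blocked")

if __name__ == "__main__":
    ev = decode_cef(SAMPLE)
    print(ev["device.vendor"], severity_label(ev["severity"]), custom_fields(ev["extensions"]))
```

Two caveats worth keeping in mind when relying on this layout: an unescaped `=` inside a value (`msg=user said x=1`) is ambiguous by construction, and a decoder will start a new key there, so producers must escape it; and `severity` is stored as a keyword, so the numeric and string forms only compare correctly after normalisation as in `severity_label`.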
- name: extensions
type: group
description: >
Collection of key-value pairs carried in the CEF extension field.
fields:
- name: agentAddress
type: ip
description: The IP address of the ArcSight connector that processed the event.
- name: agentDnsDomain
type: keyword
description: The DNS domain name of the ArcSight connector that processed the event.
- name: agentHostName
type: keyword
description: The hostname of the ArcSight connector that processed the event.
- name: agentId
type: keyword
description: The agent ID of the ArcSight connector that processed the event.
- name: agentMacAddress
type: keyword
description: The MAC address of the ArcSight connector that processed the event.
- name: agentNtDomain
type: keyword
description:
- name: agentReceiptTime
type: date
description: The time at which information about the event was received by the ArcSight connector.
- name: agentTimeZone
type: keyword
description: The agent time zone of the ArcSight connector that processed the event.
- name: agentTranslatedAddress
type: ip
description:
- name: agentTranslatedZoneExternalID
type: keyword
description:
- name: agentTranslatedZoneURI
type: keyword
description:
- name: agentType
type: keyword
description: The agent type of the ArcSight connector that processed the event
- name: agentVersion
type: keyword
description: The version of the ArcSight connector that processed the event.
- name: agentZoneExternalID
type: keyword
description:
- name: agentZoneURI
type: keyword
description:
- name: applicationProtocol
type: keyword
description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on.
- name: baseEventCount
type: long
description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
- name: bytesIn
type: long
description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
- name: bytesOut
type: long
description: Number of bytes transferred outbound relative to the source to destination relationship, that is, the number of bytes flowing from the destination to the source.
- name: customerExternalID
type: keyword
description:
- name: customerURI
type: keyword
description:
- name: destinationAddress
type: ip
description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
- name: destinationDnsDomain
type: keyword
description: The DNS domain part of the complete fully qualified domain name (FQDN).
- name: destinationGeoLatitude
type: double
description: The latitudinal value from which the destination's IP address belongs.
- name: destinationGeoLongitude
type: double
description: The longitudinal value from which the destination's IP address belongs.
- name: destinationHostName
type: keyword
description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
- name: destinationMacAddress
type: keyword
description: Six colon-separated hexadecimal numbers.
- name: destinationNtDomain
type: keyword
description: The Windows domain name of the destination address.
- name: destinationPort
type: long
description: The valid port numbers are between 0 and 65535.
- name: destinationProcessId
type: long
description: Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.
- name: destinationProcessName
type: keyword
description: The name of the event's destination process.
- name: destinationServiceName
type: keyword
description: The service targeted by this event.
- name: destinationTranslatedAddress
type: ip
description: Identifies the translated destination that the event refers to in an IP network.
- name: destinationTranslatedPort
type: long
description: Port after translation, for example by a firewall. Valid port numbers are 0 to 65535.
- name: destinationTranslatedZoneExternalID
type: keyword
description:
- name: destinationTranslatedZoneURI
type: keyword
description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
- name: destinationUserId
type: keyword
description: Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.
- name: destinationUserName
type: keyword
description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
- name: destinationUserPrivileges
type: keyword
description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUserPrivileges of "Administrator".
- name: destinationZoneExternalID
type: keyword
description:
- name: destinationZoneURI
type: keyword
description: The URI for the Zone that the destination asset has been assigned to in ArcSight.
- name: deviceAction
type: keyword
description: Action taken by the device.
- name: deviceAddress
type: ip
description: Identifies the device address that an event refers to in an IP network.
- name: deviceCustomFloatingPoint1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomFloatingPoint3Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomFloatingPoint4Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomDate1
type: date
description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomDate1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomDate2
type: date
description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomDate2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomFloatingPoint1
type: double
description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomFloatingPoint2
type: double
description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomFloatingPoint2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomFloatingPoint3
type: double
description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomFloatingPoint4
type: double
description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomIPv6Address1
type: ip
description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomIPv6Address1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomIPv6Address2
type: ip
description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomIPv6Address2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomIPv6Address3
type: ip
description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomIPv6Address3Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomIPv6Address4
type: ip
description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- name: deviceCustomIPv6Address4Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomNumber1
type: long
description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomNumber1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomNumber2
type: long
description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomNumber2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomNumber3
type: long
description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomNumber3Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString1
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString2
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString3
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString3Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString4
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString4Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString5
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString5Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceCustomString6
type: keyword
description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceCustomString6Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceDirection
type: long
description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
- name: deviceDnsDomain
type: keyword
description: The DNS domain part of the complete fully qualified domain name (FQDN).
- name: deviceEventCategory
type: keyword
description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example "/Monitor/Disk/Read".
- name: deviceExternalId
type: keyword
description: A name that uniquely identifies the device generating this event.
- name: deviceFacility
type: keyword
description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.
- name: deviceFlexNumber1
type: long
description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceFlexNumber1Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceFlexNumber2
type: long
description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- name: deviceFlexNumber2Label
type: keyword
description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- name: deviceHostName
type: keyword
description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
- name: deviceInboundInterface
type: keyword
description: Interface on which the packet or data entered the device.
- name: deviceMacAddress
type: keyword
description: Six colon-separated hexadecimal numbers.
- name: deviceNtDomain
type: keyword
description: The Windows domain name of the device address.
- name: deviceOutboundInterface
type: keyword
description: Interface on which the packet or data left the device.
- name: devicePayloadId
type: keyword
description: Unique identifier for the payload associated with the event.
- name: deviceProcessId
type: long
description: Provides the ID of the process on the device generating the event.
- name: deviceProcessName
type: keyword
description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
- name: deviceReceiptTime
type: date
description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
- name: deviceTimeZone
type: keyword
description: The time zone for the device generating the event.
- name: deviceTranslatedAddress
type: ip
description: Identifies the translated device address that the event refers to in an IP network.
- name: deviceTranslatedZoneExternalID
type: keyword
description:
- name: deviceTranslatedZoneURI
type: keyword
description: The URI for the Translated Zone that the device asset has been assigned to in ArcSight.
- name: deviceZoneExternalID
type: keyword
description:
- name: deviceZoneURI
type: keyword
description: The URI for the Zone that the device asset has been assigned to in ArcSight.
- name: endTime
type: date
description: The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session.
- name: eventId
type: long
description: This is a unique ID that ArcSight assigns to each event.
- name: eventOutcome
type: keyword
description: Displays the outcome, usually as 'success' or 'failure'.
- name: externalId
type: keyword
description: The ID used by an originating device. They are usually increasing numbers, associated with events.
- name: fileCreateTime
type: date
description: Time when the file was created.
- name: fileHash
type: keyword
description: Hash of a file.
- name: fileId
type: keyword
description: An ID associated with the file, for example the inode.
- name: fileModificationTime
type: date
description: Time when the file was last modified.
- name: filename
type: keyword
description: Name of the file only (without its path).
- name: filePath
type: keyword
description: Full path to the file, including file name itself.
- name: filePermission
type: keyword
description: Permissions of the file.
- name: fileSize
type: long
description: Size of the file.
- name: fileType
type: keyword
description: Type of file (pipe, socket, etc.)
- name: flexDate1
type: date
description: A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
- name: flexDate1Label
type: keyword
description: The label field is a string and describes the purpose of the flex field.
- name: flexString1
type: keyword
description: One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
- name: flexString2
type: keyword
description: One of two string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
- name: flexString1Label
type: keyword
description: The label field is a string and describes the purpose of the flex field.
- name: flexString2Label
type: keyword
description: The label field is a string and describes the purpose of the flex field.
- name: message
type: keyword
description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
- name: oldFileCreateTime
type: date
description: Time when old file was created.
- name: oldFileHash
type: keyword
description: Hash of the old file.
- name: oldFileId
type: keyword
description: An ID associated with the old file, for example the inode.
- name: oldFileModificationTime
type: date
description: Time when old file was last modified.
- name: oldFileName
type: keyword
description: Name of the old file.
- name: oldFilePath
type: keyword
description: Full path to the old file, including the file name itself.
- name: oldFilePermission
type: keyword
description: Permissions of the old file.
- name: oldFileSize
type: long
description: Size of the old file.
- name: oldFileType
type: keyword
description: Type of the old file (pipe, socket, etc.)
- name: rawEvent
type: keyword
description:
- name: Reason
type: keyword
description: The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".
- name: requestClientApplication
type: keyword
description: The User-Agent associated with the request.
- name: requestContext
type: keyword
description: Description of the context from which the request originated (for example, the HTTP Referer header).
- name: requestCookies
type: keyword
description: Cookies associated with the request.
- name: requestMethod
type: keyword
description: The HTTP method used to access a URL.
- name: requestUrl
type: keyword
description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.
- name: sourceAddress
type: ip
description: Identifies the source that an event refers to in an IP network.
- name: sourceDnsDomain
type: keyword
description: The DNS domain part of the complete fully qualified domain name (FQDN).
- name: sourceGeoLatitude
type: double
description: Latitude of the source's geographic location.
- name: sourceGeoLongitude
type: double
description: Longitude of the source's geographic location.
- name: sourceHostName
type: keyword
description: >
Identifies the source that an event refers to in an IP network.
The format should be a fully qualified domain name (FQDN) associated with the source node, when a
node is available. Examples: 'host' or 'host.domain.com'.
- name: sourceMacAddress
type: keyword
example: "00:0d:60:af:1b:61"
description: Six colon-separated hexadecimal numbers.
- name: sourceNtDomain
type: keyword
description: The Windows domain name for the source address.
- name: sourcePort
type: long
description: The valid port numbers are 0 to 65535.
- name: sourceProcessId
type: long
description: The ID of the source process associated with the event.
- name: sourceProcessName
type: keyword
description: The name of the event's source process.
- name: sourceServiceName
type: keyword
description: The service that is responsible for generating this event.
- name: sourceTranslatedAddress
type: ip
description: Identifies the translated source that the event refers to in an IP network.
- name: sourceTranslatedPort
type: long
description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
- name: sourceTranslatedZoneExternalID
type: keyword
description: The external ID of the Translated Zone that the source asset has been assigned to in ArcSight.
- name: sourceTranslatedZoneURI
type: keyword
description: The URI for the Translated Zone that the source asset has been assigned to in ArcSight.
- name: sourceUserId
type: keyword
description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
- name: sourceUserName
type: keyword
description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
- name: sourceUserPrivileges
type: keyword
description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
- name: sourceZoneExternalID
type: keyword
description: The external ID of the Zone that the source asset has been assigned to in ArcSight.
- name: sourceZoneURI
type: keyword
description: The URI for the Zone that the source asset has been assigned to in ArcSight.
- name: startTime
type: date
description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
- name: transportProtocol
type: keyword
description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
- name: type
type: long
description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
# ArcSight fields.
- name: categoryDeviceType
type: keyword
description: Device type. Examples - Proxy, IDS, Web Server
- name: categoryObject
type: keyword
description: Object that the event is about. For example it can be an operating system, database, file, etc.
- name: categoryBehavior
type: keyword
description: Action or a behavior associated with an event. It's what is being done to the object.
- name: categoryTechnique
type: keyword
description: Technique being used (e.g. /DoS).
- name: categoryDeviceGroup
type: keyword
description: General device group like Firewall.
- name: categorySignificance
type: keyword
description: Characterization of the importance of the event.
- name: categoryOutcome
type: keyword
description: Outcome of the event (e.g. success, failure, or attempt).
- name: managerReceiptTime
type: date
description: When the ArcSight ESM received the event.
- name: source.service.name
type: keyword
description:
Service that is the source of the event.
- name: destination.service.name
type: keyword
description:
Service that is the target of the event.
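The descriptions above state several format constraints on CEF extension values (sourcePort and sourceTranslatedPort in 0 to 65535, sourceMacAddress as six colon-separated hex numbers, startTime as either MMM dd yyyy HH:mm:ss or epoch milliseconds, type in 0 to 3 with 0 implied when omitted, and message using \n as the line separator). The following Python is an added worked example, not code from Filebeat or the ECS project: it parses a CEF line into the field names used in this dictionary and rejects values that violate those constraints. It assumes the escaping rules and the short extension keys (src, spt, smac, start, msg and so on) from the ArcSight CEF specification, which this page does not list, and the sample lines are constructed for the demonstration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines for this demonstration (not taken from the page).
# Header escapes are "\|" and "\\"; extension escapes are "\=", "\\", "\n", "\r".
SAMPLE = (
    "CEF:0|ExampleVendor|Web\\|Proxy|1.0|100|Login failed|5|"
    "start=Apr 13 2021 17:00:00 src=10.1.2.3 spt=51234 smac=00:0d:60:af:1b:61 "
    "suser=jdoe suid=0 spriv=Administrator reason=bad password type=0 "
    "msg=first line\\nsecond line\\=ok"
)
# Same event with an out-of-range port and a dash-separated MAC address.
BAD_SAMPLE = SAMPLE.replace("spt=51234", "spt=70000").replace(
    "smac=00:0d:60:af:1b:61", "smac=00-0d-60-af-1b-61")

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

# Short CEF extension keys -> the dictionary names used in fields.yml. Taken from
# the CEF specification's key table (assumption: the page itself does not list them).
KEY_NAMES = {
    "src": "sourceAddress", "spt": "sourcePort", "smac": "sourceMacAddress",
    "shost": "sourceHostName", "suser": "sourceUserName", "suid": "sourceUserId",
    "spriv": "sourceUserPrivileges", "sproc": "sourceProcessName", "spid": "sourceProcessId",
    "start": "startTime", "proto": "transportProtocol", "msg": "message",
    "reason": "Reason", "type": "type", "request": "requestUrl",
    "fname": "filename", "fsize": "fileSize",
}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# key=value pairs; a value runs (escape-aware) until whitespace followed by the next key=.
EXT_RE = re.compile(r"(?P<key>[\w.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[\w.]+=|$)", re.S)


def split_header(line):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    return header, line[i:]


def unescape(value):
    """Resolve extension-value escapes; \\n and \\r become real line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0-65535")
    return port


def parse_mac(value):
    if not MAC_RE.match(value):
        raise ValueError(f"MAC {value!r} is not six colon-separated hex numbers")
    return value.lower()


def parse_type(value):
    kind = int(value)
    if kind not in (0, 1, 2, 3):
        raise ValueError(f"type {kind} not in 0-3")
    return kind


def parse_start_time(value):
    """startTime is 'MMM dd yyyy HH:mm:ss' or milliseconds since the epoch; both are read as UTC here."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    return datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


CONVERTERS = {
    "sourceAddress": ipaddress.ip_address, "sourcePort": parse_port,
    "sourceMacAddress": parse_mac, "sourceProcessId": int, "fileSize": int,
    "startTime": parse_start_time, "type": parse_type,
}


def parse_cef(line):
    """Return (event, errors): typed values keyed by dictionary name, plus constraint violations."""
    header, extension = split_header(line)
    event, errors = dict(header), []
    for m in EXT_RE.finditer(extension):
        name = KEY_NAMES.get(m.group("key"), m.group("key"))
        raw = unescape(m.group("val"))
        try:
            event[name] = CONVERTERS.get(name, str)(raw)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    event.setdefault("type", 0)  # type may be omitted for base events
    return event, errors


if __name__ == "__main__":
    for line in (SAMPLE, BAD_SAMPLE):
        event, errors = parse_cef(line)
        print(event.get("sourceUserName"), event.get("startTime"), errors)
```

Values that fail validation are reported rather than silently coerced, so a pipeline can keep the raw event while flagging the field; the two startTime encodings resolve to the same instant, which the check below relies on.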