# WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 1.11.0.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.

- key: ecs
  title: ECS
  description: ECS Fields.
  fields:
  - name: '@timestamp'
    level: core
    required: true
    type: date
    description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.'
    example: '2016-05-23T08:05:34.853Z'
  - name: labels
    level: core
    type: object
    object_type: keyword
    description: 'Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.'
    example: '{"application": "foo-bar", "env": "production"}'
  - name: message
    level: core
    type: text
    description: 'For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.'
    example: Hello World
  - name: tags
    level: core
    type: keyword
    ignore_above: 1024
    description: List of keywords used to tag each event.
    example: '["production", "env2"]'
  - name: agent
    title: Agent
    group: 2
    description: 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.'
    footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.'
    type: group
    fields:
    - name: build.original
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.'
      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.'
      example: 8a4f500d
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.'
      example: foo
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.'
      example: filebeat
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Version of the agent.
      example: 6.0.0-rc2
  - name: as
    title: Autonomous System
    group: 2
    description: An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
    type: group
    fields:
    - name: number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: Organization name.
      example: Google LLC
  - name: client
    title: Client
    group: 2
    description: 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.'
    type: group
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
        You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the client to the server.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: Client domain.
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the client (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the client to the server.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the client.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered client domain, stripped of the subdomain.
        For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: Short name or login of the user.
      example: albert
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: cloud
    title: Cloud
    group: 2
    description: Fields related to the cloud or infrastructure the events are coming from.
    footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
    type: group
    fields:
    - name: account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
    - name: account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
    - name: instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
    - name: instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
    - name: machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
    - name: project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name. Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
      example: aws
    - name: region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
    - name: service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
  - name: code_signature
    title: Code Signature
    group: 2
    description: These fields contain information about binary code signatures.
    type: group
    fields:
    - name: exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
  - name: container
    title: Container
    group: 2
    description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based on containers from any runtime.'
    type: group
    fields:
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique container id.
    - name: image.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the image the container was built on.
    - name: image.tag
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container image tags.
    - name: labels
      level: extended
      type: object
      object_type: keyword
      description: Image labels.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container name.
    - name: runtime
      level: extended
      type: keyword
      ignore_above: 1024
      description: Runtime managing this container.
      example: docker
  - name: data_stream
    title: Data Stream
    group: 2
    description: 'The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`.
      Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
    type: group
    fields:
    - name: dataset
      level: extended
      type: constant_keyword
      description: "The field can contain anything that makes sense to signify the source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value \"generic\" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters"
      example: nginx.access
      default_field: false
    - name: namespace
      level: extended
      type: constant_keyword
      description: "A user defined namespace. Namespaces are useful to allow grouping of data.\nMany users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.\nBeyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters"
      example: production
      default_field: false
    - name: type
      level: extended
      type: constant_keyword
      description: 'An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.'
      example: logs
      default_field: false
  - name: destination
    title: Destination
    group: 2
    description: 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
      Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.'
    type: group
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the destination to the source.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: Destination domain.
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the destination (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of destination based NAT sessions (e.g. internet to private DMZ). Typically used with load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Port the source session is translated to by NAT Device.
        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the destination to the source.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the destination.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: text
        norms: false
        default_field: false
      description: Short name or login of the user.
      example: albert
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: dll
    title: DLL
    group: 2
    description: 'These fields contain information about code libraries dynamically loaded into processes.
      Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:
      * Dynamic-link library (`.dll`) commonly used on Windows
      * Shared Object (`.so`) commonly used on Unix-like operating systems
      * Dynamic library (`.dylib`) commonly used on macOS'
    type: group
    fields:
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the library. This generally maps to the name of the file on disk.'
      example: kernel32.dll
      default_field: false
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      description: Full file path of the library.
      example: C:\Windows\System32\kernel32.dll
      default_field: false
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: dns title: DNS group: 2 description: 'Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' type: group fields: - name: answers level: extended type: object description: 'An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.' - name: answers.class level: extended type: keyword ignore_above: 1024 description: The class of DNS data contained in this resource record. 
example: IN - name: answers.data level: extended type: keyword ignore_above: 1024 description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 - name: answers.name level: extended type: keyword ignore_above: 1024 description: 'The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' example: www.example.com - name: answers.ttl level: extended type: long description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. example: 180 - name: answers.type level: extended type: keyword ignore_above: 1024 description: The type of data contained in this resource record. example: CNAME - name: header_flags level: extended type: keyword ignore_above: 1024 description: 'Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.' example: '["RD", "RA"]' - name: id level: extended type: keyword ignore_above: 1024 description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. example: 62111 - name: op_code level: extended type: keyword ignore_above: 1024 description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. example: QUERY - name: question.class level: extended type: keyword ignore_above: 1024 description: The class of records being queried. example: IN - name: question.name level: extended type: keyword ignore_above: 1024 description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). 
Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: question.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: www - name: question.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: question.type level: extended type: keyword ignore_above: 1024 description: The type of record being queried. example: AAAA - name: resolved_ip level: extended type: ip description: 'Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.' 
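The three `dns.question.*` splitting rules above (longest public-suffix match rather than "the last label" or "the last two labels"), the `dns.question.name` escaping rule, and the extraction of `dns.resolved_ip` from `answers.data`, carried out together in an added Python example. This code is not part of ECS or of this generated file. It assumes a tiny constructed stand-in for the public suffix list and constructed answer records; the `\DDD` escape is zero-padded to three digits following the RFC 1035 presentation format, which the description above does not spell out.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# A real normalizer loads the full list; these entries are enough to show
# why "take the last label(s)" fails for effective TLDs such as co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def escape_dns_name(raw: bytes) -> str:
    """Render a question name per dns.question.name: tab/CR/LF become
    \\t, \\r, \\n; backslash and double quote are backslash-escaped; any
    other byte below 32 or above 126 becomes \\DDD (RFC 1035 style)."""
    out = []
    for b in raw:
        if b == 0x09:
            out.append("\\t")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x0A:
            out.append("\\n")
        elif b in (0x5C, 0x22):  # backslash, double quote
            out.append("\\" + chr(b))
        elif b < 32 or b > 126:
            out.append("\\%03d" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def split_domain(name: str):
    """Return (top_level_domain, registered_domain, subdomain).
    The eTLD is the longest suffix found in the list; the registered
    domain is the eTLD plus one label; the subdomain is everything
    below that, with no trailing period. None where a part is absent."""
    labels = name.rstrip(".").lower().split(".")
    tld = None
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            tld = candidate
            break
    if tld is None:
        return None, None, None
    n_tld = tld.count(".") + 1
    if len(labels) <= n_tld:  # the name is itself a public suffix
        return tld, None, None
    registered = ".".join(labels[-(n_tld + 1):])
    sub_labels = labels[:-(n_tld + 1)]
    return tld, registered, (".".join(sub_labels) or None)


def build_dns_answer_event(question_raw: bytes, answers: list) -> dict:
    """Assemble the dns.* object of a dns.type:answer event. Only answer
    data that parses as an IP address goes into resolved_ip; CNAME, TXT
    and similar data stays in answers[].data only."""
    qname = escape_dns_name(question_raw)
    tld, registered, sub = split_domain(qname)
    question = {"name": qname, "top_level_domain": tld,
                "registered_domain": registered, "subdomain": sub}
    resolved = []
    for answer in answers:
        try:
            resolved.append(str(ipaddress.ip_address(answer["data"])))
        except ValueError:
            continue
    return {
        "type": "answer",
        "question": {k: v for k, v in question.items() if v is not None},
        "answers": answers,
        "resolved_ip": resolved,
    }


# Constructed answer section: a CNAME chain ending in two A records.
SAMPLE_ANSWERS = [
    {"name": "www.example.co.uk", "type": "CNAME", "class": "IN", "ttl": 300,
     "data": "edge.example.co.uk"},
    {"name": "edge.example.co.uk", "type": "A", "class": "IN", "ttl": 60,
     "data": "10.10.10.10"},
    {"name": "edge.example.co.uk", "type": "A", "class": "IN", "ttl": 60,
     "data": "10.10.10.11"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_dns_answer_event(b"www.example.co.uk", SAMPLE_ANSWERS), indent=2))
```

Each answer keeps its own `name` (the CNAME target, not the original question), as the `answers.name` description requires; the two-label shortcut would have produced `registered_domain: co.uk` for this input.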
example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword ignore_above: 1024 description: The DNS response code. example: NOERROR - name: type level: extended type: keyword ignore_above: 1024 description: 'The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen), and a second event containing all query details as well as an array of answers.' example: answer - name: ecs title: ECS group: 2 description: Meta-information specific to ECS. type: group fields: - name: version level: core required: true type: keyword ignore_above: 1024 description: 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 - name: elf title: ELF Header group: 2 description: These fields contain Linux Executable and Linkable Format (ELF) metadata. type: group fields: - name: architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
default_field: false - name: exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. 
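How the `elf.sections.entropy` and `elf.sections.chi2` statistics above are computed and why they matter for triage, as an added Python example that is not part of ECS or of this file. The section contents are constructed byte strings (no real ELF is parsed); the `flag_suspicious` threshold of 7.0 bits/byte is an assumed, commonly used heuristic, not an ECS rule.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant section,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over 256 values; 0.0 means perfectly uniform, large
    values mean a skewed (structured) byte distribution."""
    if not data:
        return 0.0
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def section_record(name: str, sec_type: str, flags: str,
                   offset: int, vaddr: int, data: bytes) -> dict:
    """One element of elf.sections with the statistics fields filled in.
    physical_offset is a keyword above, so it is rendered as a string;
    virtual_address is a long with format string, so it stays numeric."""
    return {
        "name": name,
        "type": sec_type,
        "flags": flags,
        "physical_offset": "0x%x" % offset,
        "physical_size": len(data),
        "virtual_address": vaddr,
        "virtual_size": len(data),
        "entropy": shannon_entropy(data),
        "chi2": chi_square(data),
    }


def flag_suspicious(section: dict, entropy_threshold: float = 7.0) -> bool:
    """Triage heuristic (assumed threshold): an executable section whose
    entropy approaches 8 bits/byte is likely packed or encrypted."""
    return "X" in section["flags"] and section["entropy"] >= entropy_threshold


# Constructed section contents.
TEXT_LIKE = bytes.fromhex("554889e5") * 64 + bytes([0xC3]) * 256  # repeated prologue + ret
PACKED_LIKE = bytes(range(256)) * 4  # every byte value equally often

if __name__ == "__main__":
    for sec in (section_record(".text", "PROGBITS", "AX", 0x1000, 0x401000, TEXT_LIKE),
                section_record(".upx1", "PROGBITS", "AX", 0x2000, 0x402000, PACKED_LIKE)):
        print(sec["name"], round(sec["entropy"], 3), round(sec["chi2"], 1), flag_suspicious(sec))
```

Note that the schema above declares `entropy` and `chi2` as `long`; Elasticsearch coerces a floating-point value into a long field by truncating the fraction, so a producer that needs the decimals must round deliberately or override the mapping.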
default_field: false - name: sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: error title: Error group: 2 description: 'These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.' 
type: group fields: - name: code level: core type: keyword ignore_above: 1024 description: Error code describing the error. - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier for the error. - name: message level: core type: text description: Error message. - name: stack_trace level: extended type: keyword multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. index: false doc_values: false - name: type level: extended type: keyword ignore_above: 1024 description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event title: Event group: 2 description: 'The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.' type: group fields: - name: action level: core type: keyword ignore_above: 1024 description: 'The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.' 
example: user-password-change - name: agent_id_status level: extended type: keyword ignore_above: 1024 description: 'Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent''s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.' example: verified default_field: false - name: category level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.' example: authentication - name: code level: extended type: keyword ignore_above: 1024 description: 'Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.' example: 4648 - name: created level: core type: date description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contains the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword ignore_above: 1024 description: 'Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It''s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.' example: apache.access - name: duration level: core type: long format: duration input_format: nanoseconds output_format: asMilliseconds output_precision: 1 description: 'Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.' - name: end level: extended type: date description: event.end contains the date when the event ended or when the activity was last observed. - name: hash level: extended type: keyword ignore_above: 1024 description: Hash (for example, a Logstash fingerprint) of the raw event or field, used to demonstrate log integrity.
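The `event.agent_id_status` validation described above (checking the `agent.id` an event claims against the agent identity bound to the mTLS client certificate, and emitting one of the four allowed values or omitting the field), as an added Python example that is not part of ECS or of this file. It assumes the transport layer has already extracted the agent ID from the client certificate into a small dict (`auth_metadata`); the certificate parsing itself is out of scope here. The events are constructed.

```python
from typing import Optional

# Allowed values of event.agent_id_status (from the ECS description above).
VERIFIED = "verified"
MISMATCH = "mismatch"
MISSING = "missing"
AUTH_METADATA_MISSING = "auth_metadata_missing"


def agent_id_status(event: dict, auth_metadata: Optional[dict]) -> Optional[str]:
    """Decide event.agent_id_status for one event.

    auth_metadata is what the receiving side learned about the client from
    the connection, assumed here to be a dict whose "agent_id" key holds
    the agent ID the transport read out of the mTLS client certificate.
    None means no validation was performed at all; ECS says the field must
    then be omitted, so None is returned. When both the auth metadata and
    the event are incomplete, this example reports auth_metadata_missing
    first, because without an expected value nothing can be validated
    (a design choice, not an ECS rule).
    """
    if auth_metadata is None:
        return None
    expected = auth_metadata.get("agent_id")
    if not expected:
        return AUTH_METADATA_MISSING
    claimed = event.get("agent", {}).get("id")
    if not claimed:
        return MISSING
    return VERIFIED if claimed == expected else MISMATCH


def enrich(event: dict, auth_metadata: Optional[dict]) -> dict:
    """Return a copy of the event with event.agent_id_status set, or left
    absent when no validation was performed."""
    out = {**event, "event": dict(event.get("event", {}))}
    status = agent_id_status(event, auth_metadata)
    if status is not None:
        out["event"]["agent_id_status"] = status
    return out


# Constructed connection metadata and events. SPOOFED claims another
# agent's ID over a connection whose certificate was issued to 8a4f500d.
CERT_FOR_8A4F500D = {"agent_id": "8a4f500d"}
HONEST = {"@timestamp": "2016-05-23T08:05:34.853Z", "agent": {"id": "8a4f500d"}, "event": {}}
SPOOFED = {"@timestamp": "2016-05-23T08:05:34.853Z", "agent": {"id": "deadbeef"}, "event": {}}
NO_AGENT = {"@timestamp": "2016-05-23T08:05:34.853Z", "message": "no agent block"}

if __name__ == "__main__":
    for label, ev in (("honest", HONEST), ("spoofed", SPOOFED), ("no agent", NO_AGENT)):
        print(label, enrich(ev, CERT_FOR_8A4F500D)["event"])
```

A `mismatch` is the case worth alerting on: a client holding a valid certificate is asserting a different agent's identity in its events, which is exactly what the cert binding exists to catch.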
example: 123456789012345678901234567890ABCD - name: id level: core type: keyword ignore_above: 1024 description: Unique ID to describe the event. example: 8a4f500d - name: ingested level: core type: date description: 'Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It''s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention or different access control, and it may also help to understand whether the data is coming in at a regular interval or not.' example: alert - name: module level: core type: keyword ignore_above: 1024 description: 'Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.' example: apache - name: original level: core type: keyword description: 'Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled.
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.' example: Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 index: false doc_values: false - name: outcome level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended type: keyword ignore_above: 1024 description: 'Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel - name: reason level: extended type: keyword ignore_above: 1024 description: 'Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event.
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).' example: Terminated an unexpected process default_field: false - name: reference level: extended type: keyword ignore_above: 1024 description: 'Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 default_field: false - name: risk_score level: core type: float description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: risk_score_norm level: extended type: float description: 'Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.' - name: sequence level: extended type: long format: string description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long format: string description: 'The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It''s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.' 
example: 7 - name: start level: extended type: date description: event.start contains the date when the event started or when the activity was first observed. - name: timezone level: extended type: keyword ignore_above: 1024 description: 'This field should be populated when the event''s timestamp does not include timezone information already (e.g. default Syslog timestamps). It''s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - name: type level: core type: keyword ignore_above: 1024 description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.' - name: url level: extended type: keyword ignore_above: 1024 description: 'URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe default_field: false - name: file title: File group: 2 description: 'A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.' 
type: group fields: - name: accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - name: attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' - name: ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - name: device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda - name: directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - name: drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. 
Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. 
default_field: false - name: elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. 
default_field: false - name: extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' - name: group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' - name: mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' - name: mtime level: extended type: date description: Last time the file content was modified. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. 
example: example.png - name: owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice - name: path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - name: pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. 
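The `pe.imphash` description above explains why an import hash is a more stable fingerprint than `file.hash.*`, but not how it is computed. The block below is an added example (editor's code, not ECS or pefile code) that computes it from an already-extracted import table, following the convention described in the cited FireEye write-up: lowercase `module.symbol` entries in import order, module extension dropped, comma-joined, MD5. It assumes the import table is supplied as `(dll, symbol)` pairs with ordinal imports given as integers; real tooling reads this from the PE import directory. The sample table is constructed.

```python
"""Added example (not ECS or pefile code): PE import hash from an import table.
Assumption (mine): imports are (dll, symbol) pairs; ordinals are ints."""
import hashlib

# Module extensions dropped before hashing, matching the common implementation.
STRIP_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash(imports) -> str:
    """MD5 over 'module.symbol,module.symbol,...' with modules and symbols lowercased.

    Order matters: the hash keys on the import table as laid out by the linker,
    which is what makes it stable across rebuilds of the same source."""
    parts = []
    for dll, sym in imports:
        module = dll.lower()
        for ext in STRIP_EXTENSIONS:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        symbol = f"ord{sym}" if isinstance(sym, int) else sym.lower()
        parts.append(f"{module}.{symbol}")
    return hashlib.md5(",".join(parts).encode("utf-8")).hexdigest()


# Constructed sample import table (not taken from a real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", 23),                # ordinal import
    ("ADVAPI32.dll", "RegSetValueExA"),
]


def pe_fields(imports, original_file_name: str) -> dict:
    """ECS `file.pe.*` fragment for an import table and compile-time file name."""
    return {"pe": {"imphash": imphash(imports), "original_file_name": original_file_name}}
```

Because the hash is order-sensitive, two builds that import the same functions in a different order produce different values; treat imphash matches as strong evidence of shared build lineage and mismatches as weak evidence of difference.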
example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - name: target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Target path for symlinks. - name: type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file - name: uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - name: x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. 
    example: Example Inc
    default_field: false
  - name: x509.issuer.organizational_unit
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of organizational units (OU) of issuing certificate authority.
    example: www.example.com
    default_field: false
  - name: x509.issuer.state_or_province
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of state or province names (ST, S, or P).
    example: California
    default_field: false
  - name: x509.not_after
    level: extended
    type: date
    description: Time at which the certificate is no longer considered valid.
    example: 2020-07-16 03:15:39+00:00
    default_field: false
  - name: x509.not_before
    level: extended
    type: date
    description: Time at which the certificate is first considered valid.
    example: 2019-08-16 01:40:25+00:00
    default_field: false
  - name: x509.public_key_algorithm
    level: extended
    type: keyword
    ignore_above: 1024
    description: Algorithm used to generate the public key.
    example: RSA
    default_field: false
  - name: x509.public_key_curve
    level: extended
    type: keyword
    ignore_above: 1024
    description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
    example: nistp521
    default_field: false
  - name: x509.public_key_exponent
    level: extended
    type: long
    description: Exponent used to derive the public key. This is algorithm specific.
    example: 65537
    index: false
    doc_values: false
    default_field: false
  - name: x509.public_key_size
    level: extended
    type: long
    description: The size of the public key space in bits.
    example: 2048
    default_field: false
  - name: x509.serial_number
    level: extended
    type: keyword
    ignore_above: 1024
    description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters.
    example: 55FBB9C7DEBF09809D12CCAA
    default_field: false
  - name: x509.signature_algorithm
    level: extended
    type: keyword
    ignore_above: 1024
    description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
    example: SHA256-RSA
    default_field: false
  - name: x509.subject.common_name
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of common names (CN) of subject.
    example: shared.global.example.net
    default_field: false
  - name: x509.subject.country
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of country (C) codes.
    example: US
    default_field: false
  - name: x509.subject.distinguished_name
    level: extended
    type: keyword
    ignore_above: 1024
    description: Distinguished name (DN) of the certificate subject entity.
    example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
    default_field: false
  - name: x509.subject.locality
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of locality names (L).
    example: San Francisco
    default_field: false
  - name: x509.subject.organization
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of organizations (O) of subject.
    example: Example, Inc.
    default_field: false
  - name: x509.subject.organizational_unit
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of organizational units (OU) of subject.
    default_field: false
  - name: x509.subject.state_or_province
    level: extended
    type: keyword
    ignore_above: 1024
    description: List of state or province names (ST, S, or P).
    example: California
    default_field: false
  - name: x509.version_number
    level: extended
    type: keyword
    ignore_above: 1024
    description: Version of the X.509 certificate format.
    example: 3
    default_field: false
- name: geo
  title: Geo
  group: 2
  description: 'Geo fields can carry data about a specific location related to an event.
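The `x509.*` fields above fix a few conventions that a collector has to apply by hand: the serial-number formatting rule, the split of a distinguished name into per-attribute list fields, and the `not_before`/`not_after` window. The block below is an added example (editor's code, not part of the ECS project) that applies those conventions with the standard library and adds the wildcard matching a consumer of `x509.alternative_names` needs. It assumes the inputs are the strings a TLS library or log source would print; the sample values reuse the examples from the field definitions above and do not come from a real certificate. Note that the page's own subject example, `O=Example, Inc.`, contains an unescaped comma, so a naive split on `,` breaks it; the parser below tolerates that case.

```python
"""Added example (not ECS project code): x509.* normalization helpers.
Assumption (mine): inputs are printable strings; samples reuse the ECS examples."""
import re
from datetime import datetime

# Attribute types ECS models as lists under x509.subject.* / x509.issuer.*.
DN_ATTRS = {"CN": "common_name", "C": "country", "L": "locality", "O": "organization",
            "OU": "organizational_unit", "ST": "state_or_province",
            "S": "state_or_province", "P": "state_or_province"}


def normalize_serial(serial: str) -> str:
    """Uppercase hex without colons, spaces or a 0x prefix (the ECS convention)."""
    s = serial.strip().replace(":", "").replace(" ", "")
    if s[:2].lower() == "0x":
        s = s[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"serial is not hexadecimal: {serial!r}")
    return s.upper()


def split_dn(dn: str) -> list:
    """Split a DN into (TYPE, value) pairs on commas not escaped as backslash-comma.

    A piece without '=' (e.g. the ' Inc.' of 'O=Example, Inc.') is glued back
    onto the previous value instead of being dropped."""
    pieces, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # RFC 4514 escape: keep next char
            cur += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            pieces.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    pieces.append(cur)
    rdns = []
    for piece in (p.strip() for p in pieces):
        if "=" in piece:
            attr, value = piece.split("=", 1)
            rdns.append((attr.strip().upper(), value.strip()))
        elif piece and rdns:
            attr, value = rdns[-1]
            rdns[-1] = (attr, f"{value}, {piece}")
    return rdns


def dn_to_ecs(dn: str) -> dict:
    """ECS `x509.subject.*` / `x509.issuer.*` shape for one DN string."""
    out = {"distinguished_name": dn}
    for attr, value in split_dn(dn):
        field = DN_ATTRS.get(attr)
        if field:
            out.setdefault(field, []).append(value)
    return out


def validity(not_before: str, not_after: str, at: str) -> str:
    """'valid', 'not_yet_valid' or 'expired' at ISO-8601 instant `at` (all tz-aware)."""
    now = datetime.fromisoformat(at)
    if now < datetime.fromisoformat(not_before):
        return "not_yet_valid"
    if now > datetime.fromisoformat(not_after):
        return "expired"
    return "valid"


def san_matches(pattern: str, hostname: str) -> bool:
    """Wildcard SAN matching: '*' covers exactly one label, and only the leftmost."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (i == 0 and a == "*" and b) for i, (a, b) in enumerate(zip(p, h)))


SAMPLE_CERT = {  # values reused from the ECS field examples; constructed, not a real cert
    "serial": "55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa",
    "subject": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
    "issuer": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
    "not_before": "2019-08-16 01:40:25+00:00",
    "not_after": "2020-07-16 03:15:39+00:00",
    "alternative_names": ["*.elastic.co", "shared.global.example.net"],
}


def to_ecs(cert: dict, at: str) -> dict:
    """Build the `x509` object plus a validity verdict at instant `at`."""
    return {"x509": {"serial_number": normalize_serial(cert["serial"]),
                     "subject": dn_to_ecs(cert["subject"]),
                     "issuer": dn_to_ecs(cert["issuer"]),
                     "not_before": cert["not_before"], "not_after": cert["not_after"],
                     "alternative_names": cert["alternative_names"]},
            "validity": validity(cert["not_before"], cert["not_after"], at)}
```

Serial numbers are compared as strings in a keyword field, so leading zeros matter: different tools print them differently, and the rule above does not say whether to strip them, so pick one behaviour per pipeline and apply it on both the indexing and the querying side.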
This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.' type: group fields: - name: city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. 
example: America/Argentina/Buenos_Aires default_field: false - name: group title: Group group: 2 description: The group fields are meant to represent groups that are relevant to the event. type: group fields: - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash title: Hash group: 2 description: 'The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' type: group fields: - name: md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: host title: Host group: 2 description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
type: group fields: - name: architecture level: core type: keyword ignore_above: 1024 description: Operating system architecture. example: x86_64 - name: cpu.usage level: extended type: scaled_float description: 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.' scaling_factor: 1000 default_field: false - name: disk.read.bytes level: extended type: long description: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. default_field: false - name: disk.write.bytes level: extended type: long description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. 
example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - name: ip level: core type: ip description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: 'Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' 
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: network.egress.bytes level: extended type: long description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - name: network.egress.packets level: extended type: long description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. default_field: false - name: network.ingress.bytes level: extended type: long description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. default_field: false - name: network.ingress.packets level: extended type: long description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. default_field: false - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. 
    example: Mac OS X
  - name: os.platform
    level: extended
    type: keyword
    ignore_above: 1024
    description: Operating system platform (such as centos, ubuntu, windows).
    example: darwin
  - name: os.type
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
    example: macos
    default_field: false
  - name: os.version
    level: extended
    type: keyword
    ignore_above: 1024
    description: Operating system version as a raw string.
    example: 10.14.1
  - name: type
    level: core
    type: keyword
    ignore_above: 1024
    description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
  - name: uptime
    level: extended
    type: long
    description: Seconds the host has been up.
    example: 1325
  - name: user.domain
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.'
  - name: user.email
    level: extended
    type: keyword
    ignore_above: 1024
    description: User email address.
  - name: user.full_name
    level: extended
    type: keyword
    ignore_above: 1024
    multi_fields:
    - name: text
      type: text
      norms: false
      default_field: false
    description: User's full name, if available.
    example: Albert Einstein
  - name: user.group.domain
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.'
  - name: user.group.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: Unique identifier for the group on the system/platform.
- name: user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: user.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Short name or login of the user. example: albert - name: user.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: http title: HTTP group: 2 description: Fields related to HTTP activity. Use the `url` field set to store the url of the request. type: group fields: - name: request.body.bytes level: extended type: long format: bytes description: Size in bytes of the request body. example: 887 - name: request.body.content level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP request body. example: Hello world - name: request.bytes level: extended type: long format: bytes description: Total size in bytes of the request (body and headers). example: 1437 - name: request.id level: extended type: keyword ignore_above: 1024 description: 'A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.' example: 123e4567-e89b-12d3-a456-426614174000 default_field: false - name: request.method level: extended type: keyword ignore_above: 1024 description: 'HTTP request method. 
Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST - name: request.mime_type level: extended type: keyword ignore_above: 1024 description: 'Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request''s Content-Type header can be helpful in detecting threats or misconfigured clients.' example: image/gif default_field: false - name: request.referrer level: extended type: keyword ignore_above: 1024 description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes level: extended type: long format: bytes description: Size in bytes of the response body. example: 887 - name: response.body.content level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: The full HTTP response body. example: Hello world - name: response.bytes level: extended type: long format: bytes description: Total size in bytes of the response (body and headers). example: 1437 - name: response.mime_type level: extended type: keyword ignore_above: 1024 description: 'Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response''s Content-Type header can be helpful in detecting misconfigured servers.' example: image/gif default_field: false - name: response.status_code level: extended type: long format: string description: HTTP response status code. 
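The `http.request.mime_type` and `http.response.mime_type` descriptions above insist that the value come from the body, not from the `Content-Type` header, precisely so the two can be compared. The block below is an added example (editor's code, not part of the ECS project) that derives the request type from leading bytes, compares it with the declared header, and marks the event as an alert on disagreement. It recognizes only a handful of magic-number signatures, uses two non-IANA labels (`application/x-httpd-php`, `application/x-elf`) for bodies IANA has no type for, and runs over constructed requests rather than captured traffic.

```python
"""Added example (not ECS project code): http.request.mime_type from body bytes
versus the Content-Type header. Assumptions (mine): small signature table,
two non-IANA labels, constructed sample requests."""
import json

# (leading bytes, media type); first match wins.
MAGIC = [
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"\x7fELF", "application/x-elf"),            # not IANA-registered
]


def sniff_mime_type(body: bytes) -> str:
    """Media type derived from content only, never from headers."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    head = body.lstrip()[:32].lower()
    if head.startswith(b"<?php"):
        return "application/x-httpd-php"           # not IANA-registered
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    try:
        if isinstance(json.loads(text), (dict, list)):
            return "application/json"
    except ValueError:
        pass
    return "text/plain"


def declared_type(headers: dict) -> str:
    """Content-Type without its parameters, lowercased; empty string if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def http_event(method: str, headers: dict, body: bytes) -> dict:
    """ECS-shaped event; flagged as an alert when body and header disagree."""
    declared, observed = declared_type(headers), sniff_mime_type(body)
    event = {
        "http": {"request": {"method": method, "mime_type": observed,
                             "body": {"bytes": len(body)}}},
        "event": {"kind": "event"},
    }
    if declared and declared != observed:
        event["event"] = {"kind": "alert",
                          "reason": f"Content-Type says {declared} but body is {observed}"}
    return event


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("POST", {"Content-Type": "image/gif"}, b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ("POST", {"Content-Type": "image/gif"}, b"<?php echo 'hello'; ?>"),
    ("POST", {"Content-Type": "application/json; charset=utf-8"}, b'{"user": "alice"}'),
    ("PUT", {}, b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]


def mismatched_requests() -> list:
    """Indexes of sample requests whose body contradicts the declared type."""
    return [i for i, (m, h, b) in enumerate(SAMPLE_REQUESTS)
            if http_event(m, h, b)["event"]["kind"] == "alert"]
```

Sniffing leading bytes is necessary but not sufficient: a body that starts with a valid image header and carries script text after it will still be typed as an image, so pair this check with a full decode of the claimed format where uploads are accepted.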
example: 404 - name: version level: extended type: keyword ignore_above: 1024 description: HTTP version. example: 1.1 - name: interface title: Interface group: 2 description: The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. type: group fields: - name: alias level: extended type: keyword ignore_above: 1024 description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. example: outside default_field: false - name: id level: extended type: keyword ignore_above: 1024 description: Interface ID as reported by an observer (typically SNMP interface ID). example: 10 default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: Interface name as reported by the system. example: eth0 default_field: false - name: log title: Log group: 2 description: 'Details about the event''s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.' type: group fields: - name: file.path level: extended type: keyword ignore_above: 1024 description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn''t read from a log file, do not populate this field.' 
example: /var/log/fun-times.log default_field: false - name: level level: core type: keyword ignore_above: 1024 description: 'Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn''t specify one, you may put your event transport''s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.' example: error - name: logger level: core type: keyword ignore_above: 1024 description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap - name: origin.file.line level: extended type: integer description: The line number of the file containing the source code which originated the log event. example: 42 - name: origin.file.name level: extended type: keyword ignore_above: 1024 description: 'The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.' example: Bootstrap.java - name: origin.function level: extended type: keyword ignore_above: 1024 description: The name of the function or method which originated the log event. example: init - name: original level: core type: keyword description: 'Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. 
      This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.'
    example: Sep 19 08:26:10 localhost My log
    index: false
    doc_values: false
  - name: syslog
    level: extended
    type: object
    description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
  - name: syslog.facility.code
    level: extended
    type: long
    format: string
    description: 'The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.'
    example: 23
  - name: syslog.facility.name
    level: extended
    type: keyword
    ignore_above: 1024
    description: The Syslog text-based facility of the log event, if available.
    example: local7
  - name: syslog.priority
    level: extended
    type: long
    format: string
    description: 'Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.'
    example: 135
  - name: syslog.severity.code
    level: extended
    type: long
    description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.'
    example: 3
  - name: syslog.severity.name
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'The Syslog text-based severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source''s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.'
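The `log.syslog.*` fields above encode the relation priority = 8 * facility + severity and the rule for copying the syslog severity into `log.level`. The block below is an added example (editor's code, not part of the ECS project) that decodes the `<PRI>` of a syslog line into those fields and back. It assumes a BSD-style (RFC 3164) header after the PRI, uses the numeric codes from RFC 5424 section 6.2.1 with common syslog.h facility labels, and runs over constructed lines: the first reuses the `log.original` example above with a PRI of 187 (facility 23 / local7, severity 3 / error, the values used in the field examples), the second is the sample message from RFC 3164 section 5.4.

```python
"""Added example (not ECS project code): syslog <PRI> to log.syslog.* and back.
Assumptions (mine): BSD-style header after the PRI; constructed sample lines."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
BSD_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def decode_pri(pri: int) -> dict:
    """Split a PRI value into facility and severity codes and names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range 0..191: {pri}")
    facility, severity = divmod(pri, 8)          # pri = 8 * facility + severity
    return {"priority": pri,
            "facility": {"code": facility, "name": FACILITIES[facility]},
            "severity": {"code": severity, "name": SEVERITIES[severity]}}


def encode_pri(facility_name: str, severity_name: str) -> int:
    """Inverse of decode_pri, for building or cross-checking PRI values."""
    return 8 * FACILITIES.index(facility_name) + SEVERITIES.index(severity_name)


def parse_syslog_line(line: str) -> dict:
    """ECS-shaped event for one syslog line; raises on a missing or bad PRI."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    syslog = decode_pri(int(m.group("pri")))
    rest = m.group("rest")
    # The source gives no severity of its own, so copy the syslog one to log.level.
    event = {"log": {"syslog": syslog, "level": syslog["severity"]["name"]},
             "message": rest}
    header = BSD_HEADER_RE.match(rest)
    if header:
        event["host"] = {"hostname": header.group("host")}
        event["message"] = header.group("msg")
    return event


# Constructed sample input; the second line is the RFC 3164 section 5.4 example.
SAMPLE_LINES = [
    "<187>Sep 19 08:26:10 localhost My log",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
]


def parse_all(lines=SAMPLE_LINES) -> list:
    """Parse every sample line into an ECS-shaped event."""
    return [parse_syslog_line(line) for line in lines]
```

Relays and collectors differ in how they name facilities 13 to 15, so the `facility.name` strings are the least portable part of this mapping; the numeric `facility.code` and `priority` are what to pivot on across sources.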
    example: Error
- name: network
  title: Network
  group: 2
  description: 'The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.'
  type: group
  fields:
  - name: application
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but can also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".'
    example: aim
  - name: bytes
    level: core
    type: long
    format: bytes
    description: 'Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.'
    example: 368
  - name: community_id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.'
    example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
  - name: direction
    level: core
    type: keyword
    ignore_above: 1024
    description: |-
      Direction of the network traffic.
      Recommended values are:
        * ingress
        * egress
        * inbound
        * outbound
        * internal
        * external
        * unknown

      When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
      When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
      Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
    example: inbound
  - name: forwarded_ip
    level: core
    type: ip
    description: Host IP address when the source IP address is the proxy.
    example: 192.1.1.2
  - name: iana_number
    level: extended
    type: keyword
    ignore_above: 1024
    description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
    example: 6
  - name: inner
    level: extended
    type: object
    description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark).
    default_field: false
  - name: inner.vlan.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: VLAN ID as reported by the observer.
example: 10 default_field: false - name: inner.vlan.name level: extended type: keyword ignore_above: 1024 description: Optional VLAN name as reported by the observer. example: outside default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: Name given by operators to sections of their network. example: Guest Wifi - name: packets level: core type: long description: 'Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.' example: 24 - name: protocol level: core type: keyword ignore_above: 1024 description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' example: http - name: transport level: core type: keyword ignore_above: 1024 description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' example: tcp - name: type level: core type: keyword ignore_above: 1024 description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' example: ipv4 - name: vlan.id level: extended type: keyword ignore_above: 1024 description: VLAN ID as reported by the observer. example: 10 default_field: false - name: vlan.name level: extended type: keyword ignore_above: 1024 description: Optional VLAN name as reported by the observer. example: outside default_field: false - name: observer title: Observer group: 2 description: 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. 
This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.' type: group fields: - name: egress level: extended type: object description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. default_field: false - name: egress.interface.alias level: extended type: keyword ignore_above: 1024 description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. example: outside default_field: false - name: egress.interface.id level: extended type: keyword ignore_above: 1024 description: Interface ID as reported by an observer (typically SNMP interface ID). example: 10 default_field: false - name: egress.interface.name level: extended type: keyword ignore_above: 1024 description: Interface name as reported by the system. example: eth0 default_field: false - name: egress.vlan.id level: extended type: keyword ignore_above: 1024 description: VLAN ID as reported by the observer. example: 10 default_field: false - name: egress.vlan.name level: extended type: keyword ignore_above: 1024 description: Optional VLAN name as reported by the observer. 
example: outside default_field: false - name: egress.zone level: extended type: keyword ignore_above: 1024 description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet default_field: false - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. 
example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: hostname level: core type: keyword ignore_above: 1024 description: Hostname of the observer. - name: ingress level: extended type: object description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. default_field: false - name: ingress.interface.alias level: extended type: keyword ignore_above: 1024 description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. example: outside default_field: false - name: ingress.interface.id level: extended type: keyword ignore_above: 1024 description: Interface ID as reported by an observer (typically SNMP interface ID). example: 10 default_field: false - name: ingress.interface.name level: extended type: keyword ignore_above: 1024 description: Interface name as reported by the system. example: eth0 default_field: false - name: ingress.vlan.id level: extended type: keyword ignore_above: 1024 description: VLAN ID as reported by the observer. example: 10 default_field: false - name: ingress.vlan.name level: extended type: keyword ignore_above: 1024 description: Optional VLAN name as reported by the observer. example: outside default_field: false - name: ingress.zone level: extended type: keyword ignore_above: 1024 description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ default_field: false - name: ip level: core type: ip description: IP addresses of the observer. 
- name: mac level: core type: keyword ignore_above: 1024 description: 'MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: extended type: keyword ignore_above: 1024 description: 'Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.' example: 1_proxySG - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you''re dealing with is not in the list, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: product level: extended type: keyword ignore_above: 1024 description: The product name of the observer. example: s200 - name: serial_number level: extended type: keyword ignore_above: 1024 description: Observer serial number. - name: type level: core type: keyword ignore_above: 1024 description: 'The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' example: firewall - name: vendor level: core type: keyword ignore_above: 1024 description: Vendor name of the observer. example: Symantec - name: version level: core type: keyword ignore_above: 1024 description: Observer version. - name: orchestrator title: Orchestrator group: 2 description: Fields that describe the resources which container orchestrators manage or act upon. type: group fields: - name: api_version level: extended type: keyword ignore_above: 1024 description: API version being used to carry out the action example: v1beta1 default_field: false - name: cluster.name level: extended type: keyword ignore_above: 1024 description: Name of the cluster. default_field: false - name: cluster.url level: extended type: keyword ignore_above: 1024 description: URL of the API used to manage the cluster. default_field: false - name: cluster.version level: extended type: keyword ignore_above: 1024 description: The version of the cluster. default_field: false - name: namespace level: extended type: keyword ignore_above: 1024 description: Namespace in which the action is taking place. 
example: kube-system default_field: false - name: organization level: extended type: keyword ignore_above: 1024 description: Organization affected by the event (for multi-tenant orchestrator setups). example: elastic default_field: false - name: resource.name level: extended type: keyword ignore_above: 1024 description: Name of the resource being acted upon. example: test-pod-cdcws default_field: false - name: resource.type level: extended type: keyword ignore_above: 1024 description: Type of resource being acted upon. example: service default_field: false - name: type level: extended type: keyword ignore_above: 1024 description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). example: kubernetes default_field: false - name: organization title: Organization group: 2 description: 'The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.' type: group fields: - name: id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the organization. - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Organization name. - name: os title: Operating System group: 2 description: The OS fields contain information about the operating system. type: group fields: - name: family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). example: debian - name: full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. 
example: 4.4.0-112-generic - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: package title: Package group: 2 description: These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. type: group fields: - name: architecture level: extended type: keyword ignore_above: 1024 description: Package architecture. example: x86_64 - name: build_version level: extended type: keyword ignore_above: 1024 description: 'Additional information about the build version of the installed package. For example use the commit SHA of a non-released package.' example: 36f4f7e89dd61b0988b12ee000b98966867710cd default_field: false - name: checksum level: extended type: keyword ignore_above: 1024 description: Checksum of the installed package for verification. example: 68b329da9893e34099c7d8ad5cb9c940 - name: description level: extended type: keyword ignore_above: 1024 description: Description of the package. 
example: Open source programming language to build simple/reliable/efficient software. - name: install_scope level: extended type: keyword ignore_above: 1024 description: Indicating how the package was installed, e.g. user-local, global. example: global - name: installed level: extended type: date description: Time when package was installed. - name: license level: extended type: keyword ignore_above: 1024 description: 'License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).' example: Apache License 2.0 - name: name level: extended type: keyword ignore_above: 1024 description: Package name example: go - name: path level: extended type: keyword ignore_above: 1024 description: Path where the package is installed. example: /usr/local/Cellar/go/1.12.9/ - name: reference level: extended type: keyword ignore_above: 1024 description: Home page or reference URL of the software in this package, if available. example: https://golang.org default_field: false - name: size level: extended type: long format: string description: Package size in bytes. example: 62231 - name: type level: extended type: keyword ignore_above: 1024 description: 'Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' example: rpm default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Package version example: 1.12.9 - name: pe title: PE Header group: 2 description: These fields contain Windows Portable Executable (PE) metadata. type: group fields: - name: architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. 
example: Microsoft Corporation default_field: false - name: description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: process title: Process group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.' type: group fields: - name: args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - name: args_count level: extended type: long description: 'Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. 
Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: command_line level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' 
default_field: false - name: elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. 
default_field: false - name: elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh - name: exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' 
example: 137 default_field: false - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - name: hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - name: parent.args level: extended type: keyword ignore_above: 1024 description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: parent.args_count level: extended type: long description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 default_field: false - name: parent.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. 
This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.command_line level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - name: parent.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: parent.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. 
example: Little Endian default_field: false - name: parent.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: parent.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: parent.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: parent.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: parent.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: parent.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: parent.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: parent.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: parent.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: parent.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: parent.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: parent.elf.imports level: extended type: flattened description: List of imported element names and types. 
default_field: false - name: parent.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: parent.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: parent.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: parent.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: parent.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: parent.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: parent.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: parent.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: parent.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: parent.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: parent.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' 
default_field: false - name: parent.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: parent.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: parent.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: parent.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: parent.entity_id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d default_field: false - name: parent.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - name: parent.exit_code level: extended type: long description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 default_field: false - name: parent.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: parent.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: parent.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. 
default_field: false - name: parent.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: parent.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: parent.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Process name. Sometimes called program name or similar.' example: ssh default_field: false - name: parent.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: parent.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: parent.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: parent.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: parent.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. 
example: MSPAINT.EXE default_field: false - name: parent.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: parent.pgid level: extended type: long format: string description: Identifier of the group of processes the process belongs to. default_field: false - name: parent.pid level: core type: long format: string description: Process id. example: 4242 default_field: false - name: parent.ppid level: extended type: long format: string description: Parent process' pid. example: 4241 default_field: false - name: parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - name: parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - name: parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - name: parent.uptime level: extended type: long description: Seconds the process has been up. example: 1325 default_field: false - name: parent.working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: The working directory of the process. example: /home/alice default_field: false - name: pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. 
example: x64 default_field: false - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: pgid level: extended type: long format: string description: Identifier of the group of processes the process belongs to. - name: pid level: core type: long format: string description: Process id. example: 4242 - name: ppid level: extended type: long format: string description: Parent process' pid. example: 4241 - name: start level: extended type: date description: The time the process started. 
example: '2016-05-23T08:05:34.853Z' - name: thread.id level: extended type: long format: string description: Thread ID. example: 4242 - name: thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 - name: title level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - name: uptime level: extended type: long description: Seconds the process has been up. example: 1325 - name: working_directory level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: The working directory of the process. example: /home/alice - name: registry title: Registry group: 2 description: Fields related to Windows Registry operations. type: group fields: - name: data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: data.strings level: core type: keyword ignore_above: 1024 description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' 
example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - name: hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: related title: Related group: 2 description: 'This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' type: group fields: - name: hash level: extended type: keyword ignore_above: 1024 description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
default_field: false - name: hosts level: extended type: keyword ignore_above: 1024 description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. default_field: false - name: ip level: extended type: ip description: All of the IPs seen on your event. - name: user level: extended type: keyword ignore_above: 1024 description: All the user names or other user identifiers seen on the event. default_field: false - name: rule title: Rule group: 2 description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.' type: group fields: - name: author level: extended type: keyword ignore_above: 1024 description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. example: '["Star-Lord"]' default_field: false - name: category level: extended type: keyword ignore_above: 1024 description: A categorization value keyword used by the entity using the rule for detection of this event. example: Attempted Information Leak default_field: false - name: description level: extended type: keyword ignore_above: 1024 description: The description of the rule generating the event. example: Block requests to public DNS over HTTPS / TLS protocols default_field: false - name: id level: extended type: keyword ignore_above: 1024 description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
example: 101 default_field: false - name: license level: extended type: keyword ignore_above: 1024 description: Name of the license under which the rule used to generate this event is made available. example: Apache 2.0 default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: The name of the rule or signature generating the event. example: BLOCK_DNS_over_TLS default_field: false - name: reference level: extended type: keyword ignore_above: 1024 description: 'Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor''s documentation about the rule. If that''s not available, it can also be a link to a more general page describing this type of alert.' example: https://en.wikipedia.org/wiki/DNS_over_TLS default_field: false - name: ruleset level: extended type: keyword ignore_above: 1024 description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. example: Standard_Protocol_Filters default_field: false - name: uuid level: extended type: keyword ignore_above: 1024 description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. example: 1100110011 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: The version / revision of the rule being used for analysis. example: 1.1 default_field: false - name: server title: Server group: 2 description: 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. 
The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.' type: group fields: - name: address level: extended type: keyword ignore_above: 1024 description: 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' - name: as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - name: as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Organization name. example: Google LLC - name: bytes level: core type: long format: bytes description: Bytes sent from the server to the client. example: 184 - name: domain level: core type: keyword ignore_above: 1024 description: Server domain. - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. 
example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the server (IPv4 or IPv6). - name: mac level: core type: keyword ignore_above: 1024 description: 'MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip description: 'Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.' 
- name: nat.port level: extended type: long format: string description: 'Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.' - name: packets level: core type: long description: Packets sent from the server to the client. example: 12 - name: port level: core type: long format: string description: Port of the server. - name: registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' 
example: co.uk - name: user.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword ignore_above: 1024 description: User email address. - name: user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: User's full name, if available. example: Albert Einstein - name: user.group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' - name: user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: user.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Short name or login of the user. example: albert - name: user.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: service title: Service group: 2 description: 'The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.' 
type: group fields: - name: ephemeral_id level: extended type: keyword ignore_above: 1024 description: 'Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not.' example: 8a4f500f - name: id level: core type: keyword ignore_above: 1024 description: 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.' example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - name: name level: core type: keyword ignore_above: 1024 description: 'Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.' example: elasticsearch-metrics - name: node.name level: extended type: keyword ignore_above: 1024 description: 'Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn''t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.' example: instance-0000000016 - name: state level: core type: keyword ignore_above: 1024 description: Current state of the service. - name: type level: core type: keyword ignore_above: 1024 description: 'The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.' example: elasticsearch - name: version level: core type: keyword ignore_above: 1024 description: 'Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.' example: 3.2.4 - name: source title: Source group: 2 description: 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.' type: group fields: - name: address level: extended type: keyword ignore_above: 1024 description: 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.' - name: as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
example: 15169 - name: as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Organization name. example: Google LLC - name: bytes level: core type: long format: bytes description: Bytes sent from the source to the destination. example: 184 - name: domain level: core type: keyword ignore_above: 1024 description: Source domain. - name: geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal - name: geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada - name: geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc - name: geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. 
example: CA-QC - name: geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: ip level: core type: ip description: IP address of the source (IPv4 or IPv6). - name: mac level: core type: keyword ignore_above: 1024 description: 'MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.' example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip description: 'Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.' - name: nat.port level: extended type: long format: string description: 'Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.' - name: packets level: core type: long description: Packets sent from the source to the destination. example: 12 - name: port level: core type: long format: string description: Port of the source. - name: registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' 
example: example.com - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: user.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: user.email level: extended type: keyword ignore_above: 1024 description: User email address. - name: user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: User's full name, if available. example: Albert Einstein - name: user.group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' - name: user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform.
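The registered_domain, subdomain and top_level_domain descriptions above define a split that cannot be done by counting labels. The following is an added worked example (not ECS or Elastic code) of that split against a public suffix list; the PUBLIC_SUFFIXES table is a constructed subset of publicsuffix.org, and the fully_qualified flag is an assumption used to model the schema's distinction between a host name and a partially qualified name.

```python
"""Split a host name into the ECS top_level_domain / registered_domain /
subdomain fields the way the descriptions above require.

Added example, not part of the ECS schema or the Elastic project. The
public-suffix table is a constructed subset of publicsuffix.org; a real
pipeline must load the full list (wildcard and exception rules included).
"""
from typing import Dict, Optional

# Constructed subset of the Public Suffix List (assumption: just enough entries
# to show the co.uk case; the real list has thousands plus "*." and "!" rules).
PUBLIC_SUFFIXES = frozenset({
    "com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk", "jp", "co.jp",
})


def split_domain(host: str, fully_qualified: bool = False) -> Dict[str, Optional[str]]:
    """Return the ECS domain fields for `host`.

    The effective TLD is the *longest* trailing label run found in the suffix
    list, so "co.uk" wins over "uk". registered_domain is that suffix plus one
    label. subdomain is what remains, with no trailing period; when the caller
    knows the name is a fully qualified host name, the leftmost label is the
    host name and is excluded, as the schema's "www.east.mydomain.co.uk" ->
    "east" example shows.
    """
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    etld: Optional[str] = None
    for i in range(len(labels)):                 # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            etld = candidate
            break
    fields: Dict[str, Optional[str]] = {
        "domain": host, "top_level_domain": etld,
        "registered_domain": None, "subdomain": None,
    }
    if etld is None:
        return fields                             # unknown suffix: do not guess
    n_suffix = etld.count(".") + 1
    if len(labels) <= n_suffix:
        return fields                             # the host *is* a public suffix
    fields["registered_domain"] = ".".join(labels[-(n_suffix + 1):])
    sub_labels = labels[: len(labels) - n_suffix - 1]
    if fully_qualified and sub_labels:
        sub_labels = sub_labels[1:]               # drop the host name label
    fields["subdomain"] = ".".join(sub_labels) or None
    return fields


def naive_registered_domain(host: str) -> str:
    """The shortcut the schema warns against: keep only the last two labels."""
    return ".".join(host.lower().split(".")[-2:])
```

The naive helper is included only to show the failure the description mentions: for "www.east.mydomain.co.uk" it returns "co.uk", which is a public suffix, not a registered domain.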
- name: user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: user.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Short name or login of the user. example: albert - name: user.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: threat title: Threat group: 2 description: "Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.\nThese fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. \"endpoint denial of service\")." type: group fields: - name: enrichments level: extended type: nested description: A list of associated indicator objects enriching the event, and the context of that association/enrichment. default_field: false - name: enrichments.indicator level: extended type: object description: Object containing associated indicators enriching the event. default_field: false - name: enrichments.indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
example: 15169 default_field: false - name: enrichments.indicator.as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Organization name. example: Google LLC default_field: false - name: enrichments.indicator.confidence level: extended type: keyword ignore_above: 1024 description: "Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values:\n * Not Specified, None, Low, Medium, High\n * 0-10\n * Admiralty Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale (Impossible - Certain)" example: High default_field: false - name: enrichments.indicator.description level: extended type: keyword ignore_above: 1024 description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - name: enrichments.indicator.email.address level: extended type: keyword ignore_above: 1024 description: Identifies a threat indicator as an email address (irrespective of direction). example: phish@example.com default_field: false - name: enrichments.indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' default_field: false - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attribute names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: enrichments.indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present.
example: 'true' default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: enrichments.indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer. example: Microsoft Corporation default_field: false - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: enrichments.indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: enrichments.indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.'
example: 'true' default_field: false - name: enrichments.indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - name: enrichments.indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - name: enrichments.indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - name: enrichments.indicator.file.directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice default_field: false - name: enrichments.indicator.file.drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: enrichments.indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: enrichments.indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: enrichments.indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: enrichments.indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. 
default_field: false - name: enrichments.indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: enrichments.indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: enrichments.indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: enrichments.indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: enrichments.indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: enrichments.indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' 
default_field: false - name: enrichments.indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: enrichments.indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: enrichments.indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: enrichments.indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - name: enrichments.indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: enrichments.indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: enrichments.indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: enrichments.indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: enrichments.indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. 
default_field: false - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: enrichments.indicator.file.extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: enrichments.indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: enrichments.indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: enrichments.indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - name: enrichments.indicator.file.mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: enrichments.indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. 
example: '0640' default_field: false - name: enrichments.indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - name: enrichments.indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - name: enrichments.indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: enrichments.indicator.file.path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false - name: enrichments.indicator.file.size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 default_field: false - name: enrichments.indicator.file.target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Target path for symlinks. default_field: false - name: enrichments.indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: enrichments.indicator.first_seen level: extended type: date description: The date and time when intelligence source first reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. 
example: Montreal default_field: false - name: enrichments.indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: enrichments.indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - name: enrichments.indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - name: enrichments.indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - name: enrichments.indicator.geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - name: enrichments.indicator.geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc default_field: false - name: enrichments.indicator.geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: enrichments.indicator.geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC default_field: false - name: enrichments.indicator.geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. 
example: Quebec default_field: false - name: enrichments.indicator.geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as an IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: enrichments.indicator.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: enrichments.indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: enrichments.indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: enrichments.indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: enrichments.indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: enrichments.indicator.ip level: extended type: ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 default_field: false - name: enrichments.indicator.last_seen level: extended type: date description: The date and time when the intelligence source last reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 description: "Traffic Light Protocol sharing markings. Recommended values are:\n * WHITE\n * GREEN\n * AMBER\n * RED" example: WHITE default_field: false - name: enrichments.indicator.modified_at level: extended type: date description: The date and time when the intelligence source last modified information for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: enrichments.indicator.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file.
example: x64 default_field: false - name: enrichments.indicator.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: enrichments.indicator.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: enrichments.indicator.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: enrichments.indicator.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: enrichments.indicator.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - name: enrichments.indicator.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: enrichments.indicator.port level: extended type: long description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 default_field: false - name: enrichments.indicator.provider level: extended type: keyword ignore_above: 1024 description: The name of the indicator's provider. 
example: lrz_urlhaus default_field: false - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed to by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: enrichments.indicator.registry.data.strings level: core type: keyword ignore_above: 1024 description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of strings with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: enrichments.indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents. example: REG_SZ default_field: false - name: enrichments.indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: enrichments.indicator.registry.key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys.
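The registry.data.* descriptions above state how raw value bytes relate to the strings array (one string for REG_SZ/REG_EXPAND_SZ, a variable-length array for REG_MULTI_SZ, a decimal string for REG_DWORD/REG_QWORD, bytes only for REG_BINARY). The following added example (not ECS or Elastic code) performs that conversion. The REG_MULTI_SZ input is the schema's own example value for registry.data.bytes; the REG_SZ and REG_DWORD samples, the hive/key/value layout and the helper names are constructed for illustration.

```python
"""Turn registry.data.bytes (base64) plus registry.data.type into the
registry.data.strings array the schema describes, and assemble the registry.*
sub-document.

Added example, not ECS or Elastic code. Windows stores string values as
UTF-16LE with a terminating NUL; REG_MULTI_SZ is a run of NUL-terminated
strings ended by an extra NUL. The REG_MULTI_SZ sample below is the schema's
own example value; the other samples are constructed.
"""
import base64
import struct
from typing import Dict, List

# The schema's example value: "en-US\0en\0\0" in UTF-16LE, i.e. a REG_MULTI_SZ.
SAMPLE_MULTI_SZ_B64 = "ZQBuAC0AVQBTAAAAZQBuAAAAAAA="
# Constructed samples.
SAMPLE_SZ_B64 = base64.b64encode(
    "C:\\rta\\red_ttp\\bin\\myapp.exe\0".encode("utf-16-le")).decode()
SAMPLE_DWORD_B64 = "AQAAAA=="          # bytes 01 00 00 00, little-endian 1

# Types that have a registry.data.strings representation at all.
STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ", "REG_DWORD",
                "REG_DWORD_LITTLE_ENDIAN", "REG_DWORD_BIG_ENDIAN", "REG_QWORD"}


def _int_string(raw: bytes, fmt: str, size: int) -> List[str]:
    if len(raw) != size:
        raise ValueError(f"expected {size} bytes, got {len(raw)}")
    return [str(struct.unpack(fmt, raw)[0])]


def registry_strings(data_b64: str, reg_type: str) -> List[str]:
    """Decode a registry value into the ECS registry.data.strings array."""
    raw = base64.b64decode(data_b64, validate=True)
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        return [raw.decode("utf-16-le").split("\0", 1)[0]]   # strip the NUL
    if reg_type == "REG_MULTI_SZ":
        out: List[str] = []
        for part in raw.decode("utf-16-le").split("\0"):
            if part == "":                    # an empty string ends the list
                break
            out.append(part)
        return out
    if reg_type in ("REG_DWORD", "REG_DWORD_LITTLE_ENDIAN"):
        return _int_string(raw, "<I", 4)
    if reg_type == "REG_DWORD_BIG_ENDIAN":
        return _int_string(raw, ">I", 4)
    if reg_type == "REG_QWORD":
        return _int_string(raw, "<Q", 8)
    raise ValueError(f"no string representation for {reg_type}")


def ecs_registry(hive: str, key: str, value: str, reg_type: str,
                 data_b64: str) -> Dict[str, object]:
    """Build the registry.* sub-document: path is hive\\key\\value, data.bytes is
    always kept, data.strings only for types that have one."""
    data: Dict[str, object] = {"type": reg_type, "bytes": data_b64}
    if reg_type in STRING_TYPES:
        data["strings"] = registry_strings(data_b64, reg_type)
    return {
        "hive": hive, "key": key, "value": value,
        "path": "\\".join((hive, key, value)),
        "data": data,
    }
```

Malformed numeric data (a REG_DWORD that is not exactly four bytes) raises instead of being silently truncated, so a pipeline can route the event to a dead-letter index rather than index a wrong value.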
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: enrichments.indicator.registry.path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value. example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: enrichments.indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: enrichments.indicator.scanner_stats level: extended type: long description: Count of AV/EDR vendors that successfully detected the malicious file or URL. example: 4 default_field: false - name: enrichments.indicator.sightings level: extended type: long description: Number of times this indicator was observed conducting threat activity. example: 20 default_field: false - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 description: "Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr default_field: false - name: enrichments.indicator.url.domain level: extended type: keyword ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.'
example: www.elastic.co default_field: false - name: enrichments.indicator.url.extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: enrichments.indicator.url.fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' default_field: false - name: enrichments.indicator.url.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - name: enrichments.indicator.url.original level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. 
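The threat.enrichments field defined earlier in this group is a nested array in which each element carries one matched indicator under enrichments.indicator.*. The following added example (not ECS or Elastic code) shows what populating it looks like from a pipeline's point of view. The indicator feed and the events are constructed; ECS fixes only the field layout, so the matching rule (source/destination IP against ipv4-addr indicators, file SHA-256 against file indicators) and the 90-day staleness cut-off on last_seen are assumptions made here for illustration.

```python
"""Attach threat.enrichments to events from an indicator feed.

Added example; not part of ECS or the Elastic project. INDICATORS and the
events passed to enrich() are constructed. Matching and the staleness cut-off
are assumptions; ECS only defines where the matched indicator's fields go.
"""
import copy
from datetime import datetime, timedelta
from typing import Any, Dict, List

ISO = "%Y-%m-%dT%H:%M:%S.%fZ"   # the format of the schema's date examples

# Constructed feed. Keys follow threat.enrichments.indicator.* on this page.
INDICATORS: List[Dict[str, Any]] = [
    {"type": "ipv4-addr", "ip": "203.0.113.42", "provider": "constructed_feed",
     "confidence": "High", "marking": {"tlp": "AMBER"}, "sightings": 20,
     "first_seen": "2020-11-05T17:25:47.000Z",
     "last_seen": "2020-11-06T09:00:00.000Z",
     "description": "Constructed: address observed as a C2 endpoint"},
    {"type": "file", "provider": "constructed_feed", "confidence": "Medium",
     "marking": {"tlp": "GREEN"}, "scanner_stats": 4,
     "file": {"name": "dropper.exe", "hash": {"sha256": "ab" * 32}},
     "first_seen": "2019-01-01T00:00:00.000Z",
     "last_seen": "2019-01-02T00:00:00.000Z"},
]


def _get(doc: Dict[str, Any], path: str) -> Any:
    """Read a dotted ECS path such as "source.ip" from a nested dict, or None."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _matches(event: Dict[str, Any], ind: Dict[str, Any]) -> bool:
    # Assumed matching rule: IP indicators against either endpoint of a flow,
    # file indicators against the event's SHA-256.
    if ind["type"] in ("ipv4-addr", "ipv6-addr"):
        return ind["ip"] in (_get(event, "source.ip"), _get(event, "destination.ip"))
    if ind["type"] == "file":
        want = _get(ind, "file.hash.sha256")
        return want is not None and want == _get(event, "file.hash.sha256")
    return False


def enrich(event: Dict[str, Any],
           indicators: List[Dict[str, Any]] = INDICATORS,
           max_age: timedelta = timedelta(days=90)) -> Dict[str, Any]:
    """Return a copy of `event` with threat.enrichments for every fresh match.

    Each match is one object in the nested array so the indicator's own fields
    (ip, provider, confidence, marking.tlp, ...) stay together: with
    `type: nested`, a query for provider == X AND confidence == High is answered
    per indicator object instead of cross-matching values from two indicators.
    """
    observed = datetime.strptime(event["@timestamp"], ISO)
    hits: List[Dict[str, Any]] = []
    for ind in indicators:
        last_seen = datetime.strptime(ind["last_seen"], ISO)
        if observed - last_seen > max_age:
            continue                     # assumption: stale indicators are skipped
        if _matches(event, ind):
            hits.append({"indicator": copy.deepcopy(ind)})
    out = copy.deepcopy(event)
    if hits:
        out.setdefault("threat", {})["enrichments"] = hits
    return out
```

Because the array is nested, an Elasticsearch query against these fields has to be a nested query scoped to threat.enrichments; a plain term query on threat.enrichments.indicator.provider would not see the values.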
default_field: false - name: enrichments.indicator.url.path level: extended type: keyword ignore_above: 1024 description: Path of the request, such as "/search". default_field: false - name: enrichments.indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - name: enrichments.indicator.url.query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - name: enrichments.indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - name: enrichments.indicator.url.scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https default_field: false - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of the issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: enrichments.indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes of the issuing certificate authority. example: US default_field: false - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the issuing certificate authority.
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: enrichments.indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: enrichments.indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: enrichments.indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: enrichments.indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: enrichments.indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: enrichments.indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: enrichments.indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: enrichments.indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: enrichments.indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. 
example: 65537 index: false doc_values: false default_field: false - name: enrichments.indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: enrichments.indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: enrichments.indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: enrichments.indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: enrichments.indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: enrichments.indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: enrichments.indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: enrichments.indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. 
default_field: false - name: enrichments.indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: enrichments.indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: enrichments.indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 description: Identifies the atomic indicator value that matched a local environment endpoint or network event. example: bad-domain.com default_field: false - name: enrichments.matched.field level: extended type: keyword ignore_above: 1024 description: Identifies the field of the atomic indicator that matched a local environment endpoint or network event. example: file.hash.sha256 default_field: false - name: enrichments.matched.id level: extended type: keyword ignore_above: 1024 description: Identifies the _id of the indicator document enriching the event. example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 description: Identifies the _index of the indicator document enriching the event. example: filebeat-8.0.0-2021.05.23-000011 default_field: false - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 description: Identifies the type of match that caused the event to be enriched with the given indicator example: indicator_match_rule default_field: false - name: framework level: extended type: keyword ignore_above: 1024 description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. example: MITRE ATT&CK - name: group.alias level: extended type: keyword ignore_above: 1024 description: "The alias(es) of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group alias(es)." example: '[ "Magecart Group 6" ]' default_field: false - name: group.id level: extended type: keyword ignore_above: 1024 description: "The id of the group for a set of related intrusion activity that\ \ are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group id." example: G0037 default_field: false - name: group.name level: extended type: keyword ignore_above: 1024 description: "The name of the group for a set of related intrusion activity\ \ that are tracked by a common name in the security community. While not required,\ \ you can use a MITRE ATT&CK\xAE group name." example: FIN6 default_field: false - name: group.reference level: extended type: keyword ignore_above: 1024 description: "The reference URL of the group for a set of related intrusion\ \ activity that are tracked by a common name in the security community. While\ \ not required, you can use a MITRE ATT&CK\xAE group reference URL." example: https://attack.mitre.org/groups/G0037/ default_field: false - name: indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 default_field: false - name: indicator.as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Organization name. 
example: Google LLC default_field: false - name: indicator.confidence level: extended type: keyword ignore_above: 1024 description: "Identifies the confidence rating assigned by the provider using\ \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High default_field: false - name: indicator.description level: extended type: keyword ignore_above: 1024 description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - name: indicator.email.address level: extended type: keyword ignore_above: 1024 description: Identifies a threat indicator as an email address (irrespective of direction). example: phish@example.com default_field: false - name: indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' default_field: false - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - name: indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' 
example: com.apple.xpc.proxy default_field: false - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - name: indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' 
default_field: false - name: indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice default_field: false - name: indicator.file.drive_letter level: extended type: keyword ignore_above: 1 description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C default_field: false - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - name: indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - name: indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. 
default_field: false - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. default_field: false - name: indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - name: indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - name: indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - name: indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. 
default_field: false - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - name: indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - name: indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. default_field: false - name: indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - name: indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' 
example: png default_field: false - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - name: indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' default_field: false - name: indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - name: indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - name: indicator.file.path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false - name: indicator.file.size level: extended type: long description: 'File size in bytes. Only relevant when `file.type` is "file".' 
example: 16384 default_field: false - name: indicator.file.target_path level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Target path for symlinks. default_field: false - name: indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - name: indicator.first_seen level: extended type: date description: The date and time when intelligence source first reported sighting this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal default_field: false - name: indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - name: indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - name: indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - name: indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - name: indicator.geo.location level: core type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.' example: boston-dc default_field: false - name: indicator.geo.postal_code level: core type: keyword ignore_above: 1024 description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 default_field: false - name: indicator.geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC default_field: false - name: indicator.geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec default_field: false - name: indicator.geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - name: indicator.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - name: indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - name: indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - name: indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - name: indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - name: indicator.ip level: extended type: ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 default_field: false - name: indicator.last_seen level: extended type: date description: The date and time when intelligence source last reported sighting this indicator. 
example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ \ * WHITE\n * GREEN\n * AMBER\n * RED" example: WHITE default_field: false - name: indicator.modified_at level: extended type: date description: The date and time when intelligence source last modified information for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - name: indicator.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - name: indicator.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - name: indicator.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - name: indicator.pe.imphash level: extended type: keyword ignore_above: 1024 description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - name: indicator.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. 
example: MSPAINT.EXE default_field: false - name: indicator.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: indicator.port level: extended type: long description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 default_field: false - name: indicator.provider level: extended type: keyword ignore_above: 1024 description: The name of the indicator's provider. example: lrz_urlhaus default_field: false - name: indicator.reference level: extended type: keyword ignore_above: 1024 description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - name: indicator.registry.data.strings level: core type: keyword ignore_above: 1024 description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' 
example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - name: indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - name: indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - name: indicator.registry.key level: core type: keyword ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: indicator.registry.path level: core type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - name: indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - name: indicator.scanner_stats level: extended type: long description: Count of AV/EDR vendors that successfully detected malicious file or URL. example: 4 default_field: false - name: indicator.sightings level: extended type: long description: Number of times this indicator was observed conducting threat activity. 
example: 20 default_field: false - name: indicator.type level: extended type: keyword ignore_above: 1024 description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ \ * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr default_field: false - name: indicator.url.domain level: extended type: keyword ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co default_field: false - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' 
default_field: false - name: indicator.url.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - name: indicator.url.original level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - name: indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - name: indicator.url.path level: extended type: keyword ignore_above: 1024 description: Path of the request, such as "/search". default_field: false - name: indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - name: indicator.url.query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - name: indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - name: indicator.url.scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https default_field: false - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - name: indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request.
default_field: false - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid.
example: 2020-07-16 03:15:39+00:00 default_field: false - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject.
example: shared.global.example.net default_field: false - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: software.id level: extended type: keyword ignore_above: 1024 description: "The id of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ a MITRE ATT&CK\xAE software id." example: S0552 default_field: false - name: software.name level: extended type: keyword ignore_above: 1024 description: "The name of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ a MITRE ATT&CK\xAE software name."
example: AdFind default_field: false - name: software.platforms level: extended type: keyword ignore_above: 1024 description: "The platforms of the software used by this threat to conduct behavior\ \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ \ MITRE ATT&CK\xAE software platforms.\nRecommended values:\n * AWS\n \ \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ \ 365\n * SaaS\n * Windows" example: '[ "Windows" ]' default_field: false - name: software.reference level: extended type: keyword ignore_above: 1024 description: "The reference URL of the software used by this threat to conduct\ \ behavior commonly modeled using MITRE ATT&CK\xAE. While not required, you\ \ can use a MITRE ATT&CK\xAE software reference URL." example: https://attack.mitre.org/software/S0552/ default_field: false - name: software.type level: extended type: keyword ignore_above: 1024 description: "The type of software used by this threat to conduct behavior commonly\ \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ \ ATT&CK\xAE software type.\nRecommended values:\n * Malware\n * Tool" example: Tool default_field: false - name: tactic.id level: extended type: keyword ignore_above: 1024 description: "The id of the tactic used by this threat. You can use a MITRE ATT&CK\xAE\ \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" example: TA0002 - name: tactic.name level: extended type: keyword ignore_above: 1024 description: "Name of the tactic used by this threat. You can use a\ \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" example: Execution - name: tactic.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of the tactic used by this threat. You can use a\ \ MITRE ATT&CK\xAE tactic, for example. (ex.
https://attack.mitre.org/tactics/TA0002/\ \ )" example: https://attack.mitre.org/tactics/TA0002/ - name: technique.id level: extended type: keyword ignore_above: 1024 description: "The id of the technique used by this threat. You can use a MITRE ATT&CK\xAE\ \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: T1059 - name: technique.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: "The name of the technique used by this threat. You can use a MITRE\ \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: Command and Scripting Interpreter - name: technique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of the technique used by this threat. You can use\ \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" example: https://attack.mitre.org/techniques/T1059/ - name: technique.subtechnique.id level: extended type: keyword ignore_above: 1024 description: "The full id of the subtechnique used by this threat. You can use a\ \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: T1059.001 default_field: false - name: technique.subtechnique.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: "The name of the subtechnique used by this threat. You can use a MITRE\ \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: PowerShell default_field: false - name: technique.subtechnique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of the subtechnique used by this threat. You can\ \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex.
https://attack.mitre.org/techniques/T1059/001/)" example: https://attack.mitre.org/techniques/T1059/001/ default_field: false - name: tls title: TLS group: 2 description: Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoid in-depth analysis of the related x.509 certificate files. type: group fields: - name: cipher level: extended type: keyword ignore_above: 1024 description: String indicating the cipher used during the current connection. example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - name: client.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually exclusive with `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually exclusive with `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: client.issuer level: extended type: keyword ignore_above: 1024 description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended type: keyword ignore_above: 1024 description: A hash that identifies clients based on how they perform an SSL/TLS handshake. example: d4e5b18d6b55c71272893221c96ba240 default_field: false - name: client.not_after level: extended type: date description: Date/Time indicating when the client certificate is no longer considered valid. example: '2021-01-01T00:00:00.000Z' default_field: false - name: client.not_before level: extended type: date description: Date/Time indicating when the client certificate is first considered valid. example: '1970-01-01T00:00:00.000Z' default_field: false - name: client.server_name level: extended type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false - name: client.subject level: extended type: keyword ignore_above: 1024 description: Distinguished name of subject of the x.509 certificate presented by the client.
example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]' default_field: false - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority.
example: www.example.com default_field: false - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
example: SHA256-RSA default_field: false - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: client.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: curve level: extended type: keyword ignore_above: 1024 description: String indicating the curve used for the given cipher, when applicable. example: secp256r1 default_field: false - name: established level: extended type: boolean description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
default_field: false - name: next_protocol level: extended type: keyword ignore_above: 1024 description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. example: http/1.1 default_field: false - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. default_field: false - name: server.certificate level: extended type: keyword ignore_above: 1024 description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually exclusive with `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually exclusive with `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - name: server.issuer level: extended type: keyword ignore_above: 1024 description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended type: keyword ignore_above: 1024 description: A hash that identifies servers based on how they perform an SSL/TLS handshake. example: 394441ab65754e2207b1e1b457b3641d default_field: false - name: server.not_after level: extended type: date description: Timestamp indicating when server certificate is no longer considered valid. example: '2021-01-01T00:00:00.000Z' default_field: false - name: server.not_before level: extended type: date description: Timestamp indicating when server certificate is first considered valid. example: '1970-01-01T00:00:00.000Z' default_field: false - name: server.subject level: extended type: keyword ignore_above: 1024 description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
example: '*.elastic.co' default_field: false - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid.
example: 2019-08-16 01:40:25+00:00 default_field: false - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and in uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: server.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - name: version level: extended type: keyword ignore_above: 1024 description: Numeric part of the version parsed from the original string. example: '1.2' default_field: false - name: version_protocol level: extended type: keyword ignore_above: 1024 description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - name: span.id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.' example: 3ff9a8981b7ccd5a default_field: false - name: trace.id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.' 
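The tls.*.hash.*, tls.*.certificate_chain and *.x509.serial_number descriptions above each state a formatting rule (uppercase hex digests of the DER bytes, leaf certificate first, serial without colons) but the schema file carries no code. The following is an added example, not part of the ECS schema or any Elastic project code, that applies those rules with only the Python standard library. Its input chain is constructed: the two PEM bodies decode to the bytes `abc` and `def`, not to real certificates, which keeps the expected digests checkable by hand; the decision to store chain entries as the bare base64 body (the "MII..." form of the schema's example) is this example's assumption.

```python
"""Added example, not part of the ECS schema or the Elastic project: derive the
tls.server.certificate_chain / tls.server.hash.* fields from a PEM chain and
normalize *.x509.serial_number, following the formatting rules in the ECS
field descriptions (uppercase hex, no separators, leaf certificate first)."""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed input: the base64 bodies decode to b"abc" and b"def", NOT to real
# certificates. The fingerprint pipeline only needs the DER bytes, so this keeps
# the example offline and its expected digests checkable by hand.
SAMPLE_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZGVm
-----END CERTIFICATE-----
"""


def pem_chain_to_der(pem_text: str) -> list:
    """Return the DER bytes of every certificate in the chain, in file order."""
    bodies = PEM_CERT.findall(pem_text)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found")
    # PEM bodies are line-wrapped; strip all whitespace before decoding.
    return [base64.b64decode(re.sub(r"\s+", "", b), validate=True) for b in bodies]


def fingerprints(der: bytes) -> dict:
    """tls.*.hash.{md5,sha1,sha256}: digests over the DER bytes, uppercase, no colons."""
    return {
        "md5": hashlib.md5(der).hexdigest().upper(),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def normalize_serial(serial) -> str:
    """*.x509.serial_number: uppercase hex without colons.

    Accepts the forms parsers commonly emit: an int (Go, cryptography),
    "0x55fb..." or the OpenSSL-style "55:fb:b9:...".
    """
    if isinstance(serial, int):
        if serial < 0:
            raise ValueError("negative serial number")
        return format(serial, "X")
    text = re.sub(r"[\s:]", "", serial)
    if text[:2].lower() == "0x":
        text = text[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError("serial is not hexadecimal: %r" % (serial,))
    return text.upper()


def tls_server_fields(chain_pem: str) -> dict:
    """Populate tls.server.* from the chain the server presented.

    The leaf is the first certificate, so the hashes are computed over ders[0].
    The chain is emitted instead of tls.server.certificate, which ECS describes
    as usually mutually exclusive with it. Chain entries are stored as the bare
    base64 body, matching the "MII..." form of the schema's example (assumption).
    """
    ders = pem_chain_to_der(chain_pem)
    fp = fingerprints(ders[0])
    return {
        "tls.server.certificate_chain": [base64.b64encode(d).decode("ascii") for d in ders],
        "tls.server.hash.md5": fp["md5"],
        "tls.server.hash.sha1": fp["sha1"],
        "tls.server.hash.sha256": fp["sha256"],
    }


if __name__ == "__main__":
    for k, v in tls_server_fields(SAMPLE_CHAIN_PEM).items():
        print(k, v)
    print("x509.serial_number", normalize_serial("55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa"))
```

Fingerprints are taken over the DER, not the PEM text, so re-wrapping or re-indenting the PEM armour does not change them; and because the serial is normalized before indexing, a lookup for `55FBB9C7DEBF09809D12CCAA` matches whether the source logged it colon-separated, `0x`-prefixed or as an integer.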
example: 4bf92f3577b34da6a3ce929d0e0e4736 - name: transaction.id level: extended type: keyword ignore_above: 1024 description: 'Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.' example: 00f067aa0ba902b7 - name: url title: URL group: 2 description: URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on. type: group fields: - name: domain level: extended type: keyword ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co - name: extension level: extended type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended type: keyword ignore_above: 1024 description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - name: full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - name: password level: extended type: keyword ignore_above: 1024 description: Password of the request. - name: path level: extended type: keyword ignore_above: 1024 description: Path of the request, such as "/search". - name: port level: extended type: long format: string description: Port of the request, such as 443. example: 443 - name: query level: extended type: keyword ignore_above: 1024 description: 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - name: registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - name: scheme level: extended type: keyword ignore_above: 1024 description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' 
example: https - name: subdomain level: extended type: keyword ignore_above: 1024 description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - name: username level: extended type: keyword ignore_above: 1024 description: Username of the request. - name: user title: User group: 2 description: 'The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' type: group fields: - name: changes.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' default_field: false - name: changes.email level: extended type: keyword ignore_above: 1024 description: User email address. 
default_field: false - name: changes.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: User's full name, if available. example: Albert Einstein default_field: false - name: changes.group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' default_field: false - name: changes.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: changes.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: changes.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' default_field: false - name: changes.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. default_field: false - name: changes.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Short name or login of the user. example: albert default_field: false - name: changes.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - name: effective.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' 
default_field: false - name: effective.email level: extended type: keyword ignore_above: 1024 description: User email address. default_field: false - name: effective.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: User's full name, if available. example: Albert Einstein default_field: false - name: effective.group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' default_field: false - name: effective.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: effective.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: effective.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' default_field: false - name: effective.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. default_field: false - name: effective.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Short name or login of the user. example: albert default_field: false - name: effective.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: email level: extended type: keyword ignore_above: 1024 description: User email address. - name: full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: User's full name, if available. 
example: Albert Einstein - name: group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' - name: group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. - name: group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. - name: hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' - name: id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Short name or login of the user. example: albert - name: roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: target.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' default_field: false - name: target.email level: extended type: keyword ignore_above: 1024 description: User email address. default_field: false - name: target.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: User's full name, if available. example: Albert Einstein default_field: false - name: target.group.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' 
default_field: false - name: target.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - name: target.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - name: target.hash level: extended type: keyword ignore_above: 1024 description: 'Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.' default_field: false - name: target.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. default_field: false - name: target.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Short name or login of the user. example: albert default_field: false - name: target.roles level: extended type: keyword ignore_above: 1024 description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false - name: user_agent title: User agent group: 2 description: 'The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.' type: group fields: - name: device.name level: extended type: keyword ignore_above: 1024 description: Name of the device. example: iPhone - name: name level: extended type: keyword ignore_above: 1024 description: Name of the user agent. example: Safari - name: original level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - name: os.family level: extended type: keyword ignore_above: 1024 description: OS family (such as redhat, debian, freebsd, windows). 
example: debian - name: os.full level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave - name: os.kernel level: extended type: keyword ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - name: os.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: Operating system name, without the version. example: Mac OS X - name: os.platform level: extended type: keyword ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin - name: os.type level: extended type: keyword ignore_above: 1024 description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.' example: macos default_field: false - name: os.version level: extended type: keyword ignore_above: 1024 description: Operating system version as a raw string. example: 10.14.1 - name: version level: extended type: keyword ignore_above: 1024 description: Version of the user agent. example: 12.0 - name: vlan title: VLAN group: 2 description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. 
Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.' type: group fields: - name: id level: extended type: keyword ignore_above: 1024 description: VLAN ID as reported by the observer. example: 10 default_field: false - name: name level: extended type: keyword ignore_above: 1024 description: Optional VLAN name as reported by the observer. example: outside default_field: false - name: vulnerability title: Vulnerability group: 2 description: The vulnerability fields describe information about a vulnerability that is relevant to an event. type: group fields: - name: category level: extended type: keyword ignore_above: 1024 description: 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array.' example: '["Firewall"]' default_field: false - name: classification level: extended type: keyword ignore_above: 1024 description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) example: CVSS default_field: false - name: description level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: The description of the vulnerability that provides additional context of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) example: In macOS before 2.12.6, there is a vulnerability in the RPC... default_field: false - name: enumeration level: extended type: keyword ignore_above: 1024 description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) example: CVE default_field: false - name: id level: extended type: keyword ignore_above: 1024 description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] example: CVE-2019-00001 default_field: false - name: reference level: extended type: keyword ignore_above: 1024 description: A resource that provides additional information, context, and mitigations for the identified vulnerability. example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 default_field: false - name: report_id level: extended type: keyword ignore_above: 1024 description: The report or scan identification number. example: 20191018.0001 default_field: false - name: scanner.vendor level: extended type: keyword ignore_above: 1024 description: The name of the vulnerability scanner vendor. example: Tenable default_field: false - name: score.base level: extended type: float description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)' example: 5.5 default_field: false - name: score.environmental level: extended type: float description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' example: 5.5 default_field: false - name: score.temporal level: extended type: float description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)' default_field: false - name: score.version level: extended type: keyword ignore_above: 1024 description: 'The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' example: 2.0 default_field: false - name: severity level: extended type: keyword ignore_above: 1024 description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false - name: x509 title: x509 Certificate group: 2 description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). 
Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.' type: group fields: - name: alternative_names level: extended type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - name: issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - name: issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - name: issuer.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - name: issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - name: issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - name: issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - name: issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: not_after level: extended type: date description: Time at which the certificate is no longer considered valid. 
example: 2020-07-16 03:15:39+00:00 default_field: false - name: not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - name: public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - name: public_key_curve level: extended type: keyword ignore_above: 1024 description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 default_field: false - name: public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. example: 65537 index: false doc_values: false default_field: false - name: public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - name: serial_number level: extended type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - name: signature_algorithm level: extended type: keyword ignore_above: 1024 description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - name: subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. 
example: shared.global.example.net default_field: false - name: subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - name: subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - name: subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - name: subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - name: subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. default_field: false - name: subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - name: version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - key: beat anchor: beat-common title: Beat description: > Contains common beat fields available in all event types. fields: - name: agent.hostname type: keyword description: > Deprecated - use agent.name or agent.id to identify an agent. Hostname of the agent. - name: beat.timezone type: alias path: event.timezone migration: true - name: fields type: object object_type: keyword description: > Contains user configurable fields. 
- name: beat.name type: alias path: host.name migration: true - name: beat.hostname type: alias path: agent.hostname migration: true - name: timeseries.instance type: keyword description: Time series instance id - key: cloud title: Cloud provider metadata description: > Metadata from cloud providers added by the add_cloud_metadata processor. fields: - name: cloud.image.id example: ami-abcd1234 description: > Image ID for the cloud instance. # Alias for old fields - name: meta.cloud.provider type: alias path: cloud.provider migration: true - name: meta.cloud.instance_id type: alias path: cloud.instance.id migration: true - name: meta.cloud.instance_name type: alias path: cloud.instance.name migration: true - name: meta.cloud.machine_type type: alias path: cloud.machine.type migration: true - name: meta.cloud.availability_zone type: alias path: cloud.availability_zone migration: true - name: meta.cloud.project_id type: alias path: cloud.project.id migration: true - name: meta.cloud.region type: alias path: cloud.region migration: true - key: docker title: Docker description: > Docker stats collected from Docker. short_config: false anchor: docker-processor fields: - name: docker type: group fields: - name: container.id type: alias path: container.id migration: true - name: container.image type: alias path: container.image.name migration: true - name: container.name type: alias path: container.name migration: true - name: container.labels # TODO: How to map these? type: object object_type: keyword description: > Image labels. - key: host title: Host description: > Info collected for the host machine. anchor: host-processor fields: # ECS fields are in fields.ecs.yml. # These are the non-ECS fields. - name: host type: group fields: - name: containerized type: boolean description: > If the host is a container. - name: os.build type: keyword example: "18D109" description: > OS build information. 
- name: os.codename type: keyword example: "stretch" description: > OS codename, if any. - key: kubernetes title: Kubernetes description: > Kubernetes metadata added by the kubernetes processor short_config: false anchor: kubernetes-processor fields: - name: kubernetes type: group fields: - name: pod.name type: keyword description: > Kubernetes pod name - name: pod.uid type: keyword description: > Kubernetes Pod UID - name: pod.ip type: ip description: > Kubernetes Pod IP - name: namespace type: keyword description: > Kubernetes namespace - name: node.name type: keyword description: > Kubernetes node name - name: node.hostname type: keyword description: > Kubernetes hostname as reported by the node’s kernel - name: labels.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes labels map - name: annotations.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes annotations map - name: selectors.* type: object object_type: keyword object_type_mapping_type: "*" description: > Kubernetes selectors map - name: replicaset.name type: keyword description: > Kubernetes replicaset name - name: deployment.name type: keyword description: > Kubernetes deployment name - name: statefulset.name type: keyword description: > Kubernetes statefulset name - name: container.name type: keyword description: > Kubernetes container name (different than the name from the runtime) - name: container.image type: alias path: container.image.name description: > Kubernetes container image - key: process title: Process description: > Process metadata fields fields: - name: process type: group fields: - name: exe type: alias path: process.executable migration: true - key: jolokia-autodiscover title: Jolokia Discovery autodiscover provider description: > Metadata from Jolokia Discovery added by the jolokia provider. fields: - name: jolokia.agent.version type: keyword description: > Version number of jolokia agent. 
- name: jolokia.agent.id type: keyword description: > Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - name: jolokia.server.product type: keyword description: > The container product if detected. - name: jolokia.server.version type: keyword description: > The container's version (if detected). - name: jolokia.server.vendor type: keyword description: > The vendor of the container the agent is running in. - name: jolokia.url type: keyword description: > The URL how this agent can be contacted. - name: jolokia.secured type: boolean description: > Whether the agent was configured for authentication or not. - key: log title: Log file content description: > Contains log file lines. fields: - name: log.source.address type: keyword required: false description: > Source address from which the log event was read / sent from. - name: log.offset type: long required: false description: > The file offset the reported line starts at. - name: stream type: keyword required: false description: > Log stream when reading container logs, can be 'stdout' or 'stderr' - name: input.type required: true description: > The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. - name: syslog.facility type: long required: false description: > The facility extracted from the priority. - name: syslog.priority type: long required: false description: > The priority of the syslog event. - name: syslog.severity_label type: keyword required: false description: > The human readable severity. - name: syslog.facility_label type: keyword required: false description: > The human readable facility. - name: process.program type: keyword required: false description: > The name of the program. 
- name: log.flags description: > This field contains the flags of the event. - name: http.response.content_length type: alias path: http.response.body.bytes migration: true - name: user_agent type: group fields: - name: os type: group fields: - name: full_name type: keyword - name: fileset.name type: keyword description: > The Filebeat fileset that generated this event. - name: fileset.module type: alias path: event.module migration: true - name: read_timestamp type: alias path: event.created migration: true - name: docker.attrs type: object object_type: keyword description: > docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. - name: icmp.code type: keyword description: > ICMP code. - name: icmp.type type: keyword description: > ICMP type. - name: igmp.type type: keyword description: > IGMP type. - name: azure type: group fields: - name: eventhub type: keyword description: > Name of the eventhub. - name: offset type: long description: > The offset. - name: enqueued_time type: date description: > The enqueued time. - name: partition_id type: long description: > The partition id. - name: consumer_group type: keyword description: > The consumer group. - name: sequence_number type: long description: > The sequence number. - name: kafka type: group fields: - name: topic type: keyword description: > Kafka topic - name: partition type: long description: > Kafka partition number - name: offset type: long description: > Kafka offset of this message - name: key type: keyword description: > Kafka key, corresponding to the Kafka value stored in the message - name: block_timestamp type: date description: > Kafka outer (compressed) block timestamp - name: headers type: array description: > An array of Kafka header strings for this message, in the form ": ". 
- key: apache
  title: "Apache"
  description: >
    Apache Module
  short_config: true
  fields:
    - name: apache2
      type: group
      description: >
        Aliases for backward compatibility with old apache2 fields
      fields:
        - name: access
          type: group
          fields:
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: ssl.protocol
              type: alias
              path: apache.access.ssl.protocol
              migration: true
            - name: ssl.cipher
              type: alias
              path: apache.access.ssl.cipher
              migration: true
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: agent
              type: alias
              path: user_agent.original
              migration: true
            - name: user_agent
              type: group
              fields:
                - name: device
                  type: alias
                  path: user_agent.device.name
                  migration: true
                - name: name
                  type: alias
                  path: user_agent.name
                  migration: true
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                  migration: true
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                  migration: true
                - name: original
                  type: alias
                  path: user_agent.original
                  migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
        - name: error
          type: group
          fields:
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: tid
              type: alias
              path: process.thread.id
              migration: true
            - name: module
              type: alias
              path: apache.error.module
              migration: true
    - name: apache
      type: group
      description: >
        Apache fields.
      fields:
        - name: access
          type: group
          description: >
            Contains fields for the Apache HTTP Server access logs.
          fields:
            - name: ssl.protocol
              type: keyword
              description: >
                SSL protocol version.
            - name: ssl.cipher
              type: keyword
              description: >
                SSL cipher name.
        - name: error
          type: group
          description: >
            Fields from the Apache error logs.
          fields:
            - name: module
              type: keyword
              description: >
                The module producing the logged message.

- key: auditd
  title: "Auditd"
  description: >
    Module for parsing auditd logs.
  short_config: true
  fields:
    - name: user
      type: group
      fields:
        - name: terminal
          type: keyword
          description: >
            Terminal or tty device on which the user is performing the observed activity.
        - name: audit
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.
        - name: filesystem
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.
        - name: owner
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.
        - name: saved
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.
    - name: auditd
      type: group
      description: >
        Fields from the auditd logs.
      fields:
        - name: log
          type: group
          description: >
            Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
          fields:
            - name: old_auid
              description: >
                For login events this is the old audit ID used for the user prior to this login.
            - name: new_auid
              description: >
                For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
            - name: old_ses
              description: >
                For login events this is the old session ID used for the user prior to this login.
            - name: new_ses
              description: >
                For login events this is the new session ID. It can be used to tie a user to future events by session ID.
            - name: sequence
              type: long
              description: >
                The audit event sequence number.
            - name: items
              description: >
                The number of items in an event.
            - name: item
              description: >
                The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
            - name: tty
              type: keyword
              description: >
                TTY device the user is running programs on.
            - name: a0
              description: >
                The first argument to the system call.
            - name: addr
              type: ip
              description: >
                Remote address that the user is connecting from.
            - name: rport
              type: long
              description: >
                Remote port number.
            - name: laddr
              type: ip
              description: >
                Local network address.
            - name: lport
              type: long
              description: >
                Local port number.
            - name: acct
              type: alias
              path: user.name
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: ppid
              type: alias
              path: process.ppid
              migration: true
            - name: res
              type: alias
              path: event.outcome
              migration: true
            - name: record_type
              type: alias
              path: event.action
              migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
            # Fields below were not defined in 6.x but were still being populated.
            - name: arch
              type: alias
              path: host.architecture
              migration: true
            - name: gid
              type: alias
              path: user.group.id
              migration: true
            - name: uid
              type: alias
              path: user.id
              migration: true
            - name: agid
              type: alias
              path: user.audit.group.id
              migration: true
            - name: auid
              type: alias
              path: user.audit.id
              migration: true
            - name: fsgid
              type: alias
              path: user.filesystem.group.id
              migration: true
            - name: fsuid
              type: alias
              path: user.filesystem.id
              migration: true
            - name: egid
              type: alias
              path: user.effective.group.id
              migration: true
            - name: euid
              type: alias
              path: user.effective.id
              migration: true
            - name: sgid
              type: alias
              path: user.saved.group.id
              migration: true
            - name: suid
              type: alias
              path: user.saved.id
              migration: true
            - name: ogid
              type: alias
              path: user.owner.group.id
              migration: true
            - name: ouid
              type: alias
              path: user.owner.id
              migration: true
            - name: comm
              type: alias
              path: process.name
              migration: true
            - name: exe
              type: alias
              path: process.executable
              migration: true
            - name: terminal
              type: alias
              path: user.terminal
              migration: true
            - name: msg
              type: alias
              path: message
              migration: true
            - name: src
              type: alias
              path: source.address
              migration: true
            - name: dst
              type: alias
              path: destination.address
              migration: true

- key: elasticsearch
  title: "Elasticsearch"
  release: ga
  description: >
    elasticsearch Module
  fields:
    - name: elasticsearch
      type: group
      description: >
      fields:
        - name: component
          description: "Elasticsearch component from where the log event originated"
          example: "o.e.c.m.MetaDataCreateIndexService"
          type: keyword
        - name: cluster.uuid
          description: "UUID of the cluster"
          example: "GmvrbHlNTiSVYiPf8kxg9g"
          type: keyword
        - name: cluster.name
          description: "Name of the cluster"
          example: "docker-cluster"
          type: keyword
        - name: node.id
          description: "ID of the node"
          example: "DSiWcTyeThWtUXLB9J0BMw"
          type: keyword
        - name: node.name
          description: "Name of the node"
          example: "vWNJsZ3"
          type: keyword
        - name: index.name
          description: "Index name"
          example: "filebeat-test-input"
          type: keyword
        - name: index.id
          description: "Index id"
          example: "aOGgDwbURfCV57AScqbCgw"
          type: keyword
        - name: shard.id
          description: "Id of the shard"
          example: "0"
          type: keyword
        - name: audit
          type: group
          fields:
            - name: layer
              description: "The layer from which this event originated: rest, transport or ip_filter"
              example: "rest"
              type: keyword
            - name: event_type
              description: "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied"
              example: "access_granted"
              type: keyword
            - name: origin.type
              description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)"
              example: "local_node"
              type: keyword
            - name: realm
              description: "The authentication realm the authentication was validated against"
              example: "default_file"
              type: keyword
            - name: user.realm
              description: "The user's authentication realm, if authenticated"
              example: "active_directory"
              type: keyword
            - name: user.roles
              description: "Roles to which the principal belongs"
              example: [ "kibana_admin", "beats_admin" ]
              type: keyword
            - name: user.run_as.name
              type: keyword
            - name: user.run_as.realm
              type: keyword
            - name: component
              type: keyword
            - name: action
              description: "The name of the action that was executed"
              example: "cluster:monitor/main"
              type: keyword
            - name: url.params
              description: "REST URI parameters"
              example: "{username=jacknich2}"
            - name: indices
              description: "Indices accessed by action"
              example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
              type: keyword
            - name: request.id
              description: "Unique ID of request"
              example: "WzL_kb6VSvOhAq0twPvHOQ"
              type: keyword
            - name: request.name
              description: "The type of request that was executed"
              example: "ClearScrollRequest"
              type: keyword
            - name: request_body
              type: alias
              path: http.request.body.content
              migration: true
            - name: origin_address
              type: alias
              path: source.ip
              migration: true
            - name: uri
              type: alias
              path: url.original
              migration: true
            - name: principal
              type: alias
              path: user.name
              migration: true
            - name: message
              type: text
            - name: invalidate.apikeys.owned_by_authenticated_user
              type: boolean
        - name: deprecation
          type: group
          description: >
        - name: gc
          type: group
          description: >
            GC fileset fields.
          fields:
            - name: phase
              type: group
              description: >
                Fields specific to GC phase.
              fields:
                - name: name
                  type: keyword
                  description: >
                    Name of the GC collection phase.
                - name: duration_sec
                  type: float
                  description: >
                    Collection phase duration according to the Java virtual machine.
                - name: scrub_symbol_table_time_sec
                  type: float
                  description: >
                    Pause time in seconds cleaning up symbol tables.
                - name: scrub_string_table_time_sec
                  type: float
                  description: >
                    Pause time in seconds cleaning up string tables.
                - name: weak_refs_processing_time_sec
                  type: float
                  description: >
                    Time spent processing weak references in seconds.
                - name: parallel_rescan_time_sec
                  type: float
                  description: >
                    Time spent in seconds marking live objects while the application is stopped.
                - name: class_unload_time_sec
                  type: float
                  description: >
                    Time spent unloading unused classes in seconds.
                - name: cpu_time
                  type: group
                  description: >
                    Process CPU time spent performing collections.
                  fields:
                    - name: user_sec
                      type: float
                      description: >
                        CPU time spent outside the kernel.
                    - name: sys_sec
                      type: float
                      description: >
                        CPU time spent inside the kernel.
                    - name: real_sec
                      type: float
                      description: >
                        Total elapsed CPU time spent to complete the collection from start to finish.
            - name: jvm_runtime_sec
              type: float
              description: >
                The time from JVM start up in seconds, as a floating point number.
            - name: threads_total_stop_time_sec
              type: float
              description: >
                Total stop time of garbage collection threads, in seconds.
            - name: stopping_threads_time_sec
              type: float
              description: >
                Time taken to stop threads, in seconds.
            - name: tags
              type: keyword
              description: >
                GC logging tags.
            - name: heap
              type: group
              description: >
                Heap allocation and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total heap size in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Used heap in kilobytes.
            - name: old_gen
              type: group
              description: >
                Old generation occupancy and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total size of old generation in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Old generation occupancy in kilobytes.
            - name: young_gen
              type: group
              description: >
                Young generation occupancy and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total size of young generation in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Young generation occupancy in kilobytes.
        - name: server
          description: "Server log file"
          type: group
          fields:
            - name: stacktrace
              description: "Stack trace in case of errors"
              index: false
        - name: gc
          description: "GC log"
          type: group
          fields:
            - name: young
              description: "Young GC"
              example: ""
              type: group
              fields:
                - name: one
                  description: ""
                  example: ""
                  type: long
                - name: two
                  description: ""
                  example: ""
                  type: long
            - name: overhead_seq
              description: "Sequence number"
              example: 3449992
              type: long
            - name: collection_duration.ms
              description: "Time spent in GC, in milliseconds"
              example: 1600
              type: float
            - name: observation_duration.ms
              description: "Total time over which collection was observed, in milliseconds"
              example: 1800
              type: float
        - name: slowlog
          description: "Slowlog events from Elasticsearch"
          example: "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],"
          type: group
          fields:
            - name: logger
              description: "Logger name"
              example: "index.search.slowlog.fetch"
              type: keyword
            - name: took
              description: "Time it took to execute the query"
              example: "300ms"
              type: keyword
            - name: types
              description: "Types"
              example: ""
              type: keyword
            - name: stats
              description: "Stats groups"
              example: "group1"
              type: keyword
            - name: search_type
              description: "Search type"
              example: "QUERY_THEN_FETCH"
              type: keyword
            - name: source_query
              description: "Slow query"
              example: "{\"query\":{\"match_all\":{\"boost\":1.0}}}"
              type: keyword
            - name: extra_source
              description: "Extra source information"
              example: ""
              type: keyword
            - name: total_hits
              description: "Total hits"
              example: 42
              type: keyword
            - name: total_shards
              description: "Total queried shards"
              example: 22
              type: keyword
            - name: routing
              description: "Routing"
              example: "s01HZ2QBk9jw4gtgaFtn"
              type: keyword
            - name: id
              description: Id
              example: ""
              type: keyword
            - name: type
              description: "Type"
              example: "doc"
              type: keyword
            - name: source
              description: Source of document that was indexed
              type: keyword

- key: haproxy
  title: "HAProxy"
  description: >
    haproxy Module
  fields:
    - name: haproxy
      type: group
      description: >
      fields:
        - name: frontend_name
          description: Name of the frontend (or listener) which received and processed the connection.
        - name: backend_name
          description: Name of the backend (or listener) which was selected to manage the connection to the server.
        - name: server_name
          description: Name of the last server to which the connection was sent.
        - name: total_waiting_time_ms
          description: Total time in milliseconds spent waiting in the various queues.
          type: long
        - name: connection_wait_time_ms
          description: Total time in milliseconds spent waiting for the connection to establish to the final server.
          type: long
        - name: bytes_read
          description: Total number of bytes transmitted to the client when the log is emitted.
          type: long
        - name: time_queue
          description: Total time in milliseconds spent waiting in the various queues.
          type: long
        - name: time_backend_connect
          description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
          type: long
        - name: server_queue
          description: Total number of requests which were processed before this one in the server queue.
          type: long
        - name: backend_queue
          description: Total number of requests which were processed before this one in the backend's global queue.
          type: long
        - name: bind_name
          description: Name of the listening address which received the connection.
        - name: error_message
          description: Error message logged by HAProxy in case of error.
          type: text
        - name: source
          type: keyword
          description: The HAProxy source of the log.
        - name: termination_state
          description: Condition the session was in when the session ended.
        - name: mode
          type: keyword
          description: Mode in which the frontend is operating (TCP or HTTP).
        - name: connections
          description: Contains various counts of connections active in the process.
          type: group
          fields:
            - name: active
              description: Total number of concurrent connections on the process when the session was logged.
              type: long
            - name: frontend
              description: Total number of concurrent connections on the frontend when the session was logged.
              type: long
            - name: backend
              description: Total number of concurrent connections handled by the backend when the session was logged.
              type: long
            - name: server
              description: Total number of concurrent connections still active on the server when the session was logged.
              type: long
            - name: retries
              description: Number of connection retries experienced by this session when trying to connect to the server.
              type: long
        - name: client
          description: Information about the client doing the request.
          type: group
          fields:
            - name: ip
              type: alias
              path: source.address
              migration: true
            - name: port
              type: alias
              path: source.port
              migration: true
        - name: process_name
          type: alias
          path: process.name
          migration: true
        - name: pid
          type: alias
          path: process.pid
          migration: true
        - name: destination
          description: Destination information.
          type: group
          fields:
            - name: port
              type: alias
              path: destination.port
              migration: true
            - name: ip
              type: alias
              path: destination.ip
              migration: true
        - name: geoip
          type: group
          description: >
            Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
          fields:
            - name: continent_name
              type: alias
              path: source.geo.continent_name
              migration: true
            - name: country_iso_code
              type: alias
              path: source.geo.country_iso_code
              migration: true
            - name: location
              type: alias
              path: source.geo.location
              migration: true
            - name: region_name
              type: alias
              path: source.geo.region_name
              migration: true
            - name: city_name
              type: alias
              path: source.geo.city_name
              migration: true
            - name: region_iso_code
              type: alias
              path: source.geo.region_iso_code
              migration: true
        - name: http
          description: Please add description
          type: group
          fields:
            - name: response
              description: Fields related to the HTTP response.
              type: group
              fields:
                - name: captured_cookie
                  description: >
                    Optional "name=value" entry indicating that the client had this cookie in the response.
                - name: captured_headers
                  description: >
                    List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
                  type: keyword
                - name: status_code
                  type: alias
                  path: http.response.status_code
                  migration: true
            - name: request
              description: Fields related to the HTTP request.
              type: group
              fields:
                - name: captured_cookie
                  description: >
                    Optional "name=value" entry indicating that the server has returned a cookie with its request.
                - name: captured_headers
                  description: >
                    List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
                  type: keyword
                - name: raw_request_line
                  description: Complete HTTP request line, including the method, request and HTTP version string.
                  type: keyword
                - name: time_wait_without_data_ms
                  description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
                  type: long
                - name: time_wait_ms
                  description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
                  type: long
        - name: tcp
          description: TCP log format
          type: group
          fields:
            - name: connection_waiting_time_ms
              type: long
              description: Total time in milliseconds elapsed between the accept and the last close.

- key: icinga
  title: "Icinga"
  description: >
    Icinga Module
  fields:
    - name: icinga
      type: group
      description: >
      fields:
        - name: debug
          type: group
          description: >
            Contains fields for the Icinga debug logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: main
          type: group
          description: >
            Contains fields for the Icinga main logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: startup
          type: group
          description: >
            Contains fields for the Icinga startup logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true

- key: iis
  title: "IIS"
  description: >
    Module for parsing IIS log files.
  fields:
    - name: iis
      type: group
      description: >
        Fields from IIS log files.
      fields:
        - name: access
          type: group
          description: >
            Contains fields for IIS access logs.
          fields:
            - name: sub_status
              type: long
              description: >
                The HTTP substatus code.
            - name: win32_status
              type: long
              description: >
                The Windows status code.
            - name: site_name
              type: keyword
              description: >
                The site name and instance number.
            - name: server_name
              type: keyword
              description: >
                The name of the server on which the log file entry was generated.
            - name: cookie
              type: keyword
              description: >
                The content of the cookie sent or received, if any.
            - name: body_received.bytes
              type: alias
              path: http.request.body.bytes
              migration: true
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: server_ip
              type: alias
              path: destination.address
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.path
              migration: true
            - name: query_string
              type: alias
              path: url.query
              migration: true
            - name: port
              type: alias
              path: destination.port
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: hostname
              type: alias
              path: host.hostname
              migration: true
            - name: user_agent
              type: group
              fields:
                - name: device
                  type: alias
                  path: user_agent.device.name
                  migration: true
                - name: name
                  type: alias
                  path: user_agent.name
                  migration: true
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                  migration: true
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                  migration: true
                - name: original
                  type: alias
                  path: user_agent.original
                  migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
        - name: error
          type: group
          description: >
            Contains fields for IIS error logs.
          fields:
            - name: reason_phrase
              type: keyword
              description: >
                The HTTP reason phrase.
            - name: queue_name
              type: keyword
              description: >
                The IIS application pool name.
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: remote_port
              type: alias
              path: source.port
              migration: true
            - name: server_ip
              type: alias
              path: destination.address
              migration: true
            - name: server_port
              type: alias
              path: destination.port
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true

- key: kafka
  title: "Kafka"
  description: >
    Kafka module
  fields:
    - name: kafka
      type: group
      description: >
      fields:
        - name: log
          type: group
          description: >
            Kafka log lines.
          fields:
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
            - name: component
              type: keyword
              description: >
                Component the log is coming from.
            - name: class
              type: keyword
              description: >
                Java class the log is coming from.
            - name: thread
              type: keyword
              description: >
                Thread name the log is coming from.
            - name: trace
              type: group
              description: >
                Trace in the log line.
              fields:
                - name: class
                  type: keyword
                  description: >
                    Java class the trace is coming from.
                - name: message
                  type: text
                  description: >
                    Message part of the trace.
- key: kibana
  title: "kibana"
  release: ga
  description: >
    kibana Module
  fields:
    - name: kibana
      type: group
      description: >
        Module for parsing Kibana logs.
      fields:
        - name: session_id
          description: The ID of the user session associated with this event. Each login attempt results in a unique session id.
          example: "123e4567-e89b-12d3-a456-426614174000"
          type: keyword
        - name: space_id
          description: "The id of the space associated with this event."
          example: "default"
          type: keyword
        - name: saved_object.type
          description: "The type of the saved object associated with this event."
          example: "dashboard"
          type: keyword
        - name: saved_object.id
          description: "The id of the saved object associated with this event."
          example: "6295bdd0-0a0e-11e7-825f-6748cda7d858"
          type: keyword
        - name: add_to_spaces
          description: "The set of space ids that a saved object was shared to."
          example: "['default', 'marketing']"
          type: keyword
        - name: delete_from_spaces
          description: "The set of space ids that a saved object was removed from."
          example: "['default', 'marketing']"
          type: keyword
        - name: authentication_provider
          description: "The authentication provider associated with a login event."
          example: "basic1"
          type: keyword
        - name: authentication_type
          description: "The authentication provider type associated with a login event."
          example: "basic"
          type: keyword
        - name: authentication_realm
          description: "The Elasticsearch authentication realm name which fulfilled a login event."
          example: "native"
          type: keyword
        - name: lookup_realm
          description: "The Elasticsearch lookup realm which fulfilled a login event."
          example: "native"
          type: keyword
        - name: log
          type: group
          description: >
            Kibana log lines.
          fields:
            - name: tags
              type: keyword
              description: >
                Kibana logging tags.
            - name: state
              type: keyword
              description: >
                Current state of Kibana.
            - name: meta
              type: object
              object_type: keyword
    - name: kibana.log.meta.req.headers.referer
      type: alias
      path: http.request.referrer
      migration: true
    - name: kibana.log.meta.req.referer
      type: alias
      path: http.request.referrer
      migration: true
    - name: kibana.log.meta.req.headers.user-agent
      type: alias
      path: user_agent.original
      migration: true
    - name: kibana.log.meta.req.remoteAddress
      type: alias
      path: source.address
      migration: true
    - name: kibana.log.meta.req.url
      type: alias
      path: url.original
      migration: true
    - name: kibana.log.meta.statusCode
      type: alias
      path: http.response.status_code
      migration: true
    - name: kibana.log.meta.method
      type: alias
      path: http.request.method
      migration: true

- key: logstash
  title: "logstash"
  release: ga
  description: >
    logstash Module
  fields:
    - name: logstash
      type: group
      description: >
      fields:
        - name: log
          title: "Logstash"
          type: group
          description: >
            Fields from the Logstash logs.
          fields:
            - name: module
              type: keyword
              description: >
                The module or class where the event originates.
            - name: thread
              type: keyword
              description: >
                Information about the running thread where the log originates.
              multi_fields:
                - name: text
                  type: text
            - name: log_event
              type: object
              description: >
                Key and value debugging information.
            - name: log_event.action
              type: keyword
            - name: pipeline_id
              type: keyword
              example: main
              description: >
                The ID of the pipeline.
            - name: message
              type: alias
              path: message
              migration: true
            - name: level
              type: alias
              path: log.level
              migration: true
        - name: slowlog
          type: group
          description: >
            slowlog
          fields:
            - name: module
              type: keyword
              description: >
                The module or class where the event originates.
            - name: thread
              type: keyword
              description: >
                Information about the running thread where the log originates.
multi_fields: - name: text type: text - name: event type: keyword description: > Raw dump of the original event multi_fields: - name: text type: text - name: plugin_name type: keyword description: > Name of the plugin - name: plugin_type type: keyword description: > Type of the plugin: Inputs, Filters, Outputs or Codecs. - name: took_in_millis type: long description: > Execution time for the plugin in milliseconds. - name: plugin_params type: keyword description: > String value of the plugin configuration multi_fields: - name: text type: text - name: plugin_params_object type: object description: > key -> value of the configuration used by the plugin. - name: level type: alias path: log.level migration: true - name: took_in_nanos type: alias path: event.duration migration: true - key: mongodb title: "mongodb" description: > Module for parsing MongoDB log files. fields: - name: mongodb type: group description: > Fields from MongoDB logs. fields: - name: log type: group description: > Contains fields from MongoDB logs. fields: - name: component description: > Functional categorization of message example: COMMAND type: keyword - name: context description: > Context of message example: initandlisten type: keyword - name: severity type: alias path: log.level migration: true - name: message type: alias path: message migration: true - name: id description: > Integer representing the unique identifier of the log statement example: 4615611 type: long - key: mysql title: "MySQL" description: > Module for parsing the MySQL log files. short_config: true fields: - name: mysql type: group description: > Fields from the MySQL log files. fields: - name: thread_id type: long description: > The connection or thread ID for the query. - name: error type: group description: > Contains fields from the MySQL error logs. 
fields: - name: thread_id type: alias path: mysql.thread_id migration: true - name: level type: alias path: log.level migration: true - name: message type: alias path: message migration: true - name: slowlog type: group description: > Contains fields from the MySQL slow logs. fields: - name: lock_time.sec type: float description: > The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. - name: rows_sent type: long description: > The number of rows returned by the query. - name: rows_examined type: long description: > The number of rows scanned by the query. - name: rows_affected type: long description: > The number of rows modified by the query. - name: bytes_sent type: long format: bytes description: > The number of bytes sent to the client. - name: bytes_received type: long format: bytes description: > The number of bytes received from the client. - name: query description: > The slow query. - name: id type: alias path: mysql.thread_id migration: true - name: schema type: keyword description: > The schema where the slow query was executed. - name: current_user type: keyword description: > Current authenticated user, used to determine access privileges. Can differ from the value for user. - name: last_errno type: keyword description: > Last SQL error seen. - name: killed type: keyword description: > Code of the reason if the query was killed. - name: query_cache_hit type: boolean description: > Whether the query cache was hit. - name: tmp_table type: boolean description: > Whether a temporary table was used to resolve the query. - name: tmp_table_on_disk type: boolean description: > Whether the query needed temporary tables on disk. - name: tmp_tables type: long description: > Number of temporary tables created for this query. - name: tmp_disk_tables type: long description: > Number of temporary tables created on disk for this query.
- name: tmp_table_sizes type: long format: bytes description: Size of temporary tables created for this query. - name: filesort type: boolean description: > Whether filesort optimization was used. - name: filesort_on_disk type: boolean description: > Whether filesort optimization was used and it needed temporary tables on disk. - name: priority_queue type: boolean description: > Whether a priority queue was used for filesort. - name: full_scan type: boolean description: > Whether a full table scan was needed for the slow query. - name: full_join type: boolean description: > Whether a full join was needed for the slow query (no indexes were used for joins). - name: merge_passes type: long description: > Number of merge passes executed for the query. - name: sort_merge_passes type: long description: > Number of merge passes that the sort algorithm has had to do. - name: sort_range_count type: long description: > Number of sorts that were done using ranges. - name: sort_rows type: long description: > Number of sorted rows. - name: sort_scan_count type: long description: > Number of sorts that were done by scanning the table. - name: log_slow_rate_type type: keyword description: > Type of slow log rate limit; it can be `session` if the rate limit is applied per session, or `query` if it applies per query. - name: log_slow_rate_limit type: keyword description: > Slow log rate limit; a value of 100 means that one in a hundred queries or sessions are being logged. - name: read_first type: long description: > The number of times the first entry in an index was read. - name: read_last type: long description: > The number of times the last key in an index was read. - name: read_key type: long description: > The number of requests to read a row based on a key. - name: read_next type: long description: > The number of requests to read the next row in key order. - name: read_prev type: long description: > The number of requests to read the previous row in key order.
- name: read_rnd type: long description: > The number of requests to read a row based on a fixed position. - name: read_rnd_next type: long description: > The number of requests to read the next row in the data file. # https://www.percona.com/doc/percona-server/5.7/diagnostics/slow_extended.html - name: innodb type: group description: > Contains fields related to the InnoDB engine. fields: - name: trx_id type: keyword description: > Transaction ID - name: io_r_ops type: long description: > Number of page read operations. - name: io_r_bytes type: long format: bytes description: > Bytes read during page read operations. - name: io_r_wait.sec type: long description: > How long it took to read all needed data from storage. - name: rec_lock_wait.sec type: long description: > How long the query waited for locks. - name: queue_wait.sec type: long description: > How long the query waited to enter the InnoDB queue and to be executed once in the queue. - name: pages_distinct type: long description: > Approximated count of pages accessed to execute the query. - name: user type: alias path: user.name migration: true - name: host type: alias path: source.domain migration: true - name: ip type: alias path: source.ip migration: true - key: nats title: "NATS" description: > Module for parsing NATS log files. release: beta fields: - name: nats type: group description: > Fields from NATS logs. fields: - name: log type: group description: > NATS log files release: beta fields: - name: client type: group description: > Client fields from NATS logs. fields: - name: id type: integer description: > The id of the client - name: msg type: group description: > Message fields from NATS logs.
fields: - name: bytes type: long format: bytes description: > Size of the payload in bytes - name: type type: keyword description: > The protocol message type - name: subject type: keyword description: > Subject name this message was received on - name: sid type: integer description: > The unique alphanumeric subscription ID of the subject - name: reply_to type: keyword description: > The inbox subject on which the publisher is listening for responses - name: max_messages type: integer description: > An optional number of messages to wait for before automatically unsubscribing - name: error.message type: text description: > Details about the error that occurred - name: queue_group type: text description: > The queue group which the subscriber will join - key: nginx title: "Nginx" description: > Module for parsing the Nginx log files. short_config: true fields: - name: nginx type: group description: > Fields from the Nginx log files. fields: - name: access type: group description: > Contains fields for the Nginx access logs. fields: - name: remote_ip_list type: array description: > An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.
- name: body_sent.bytes type: alias path: http.response.body.bytes migration: true - name: user_name type: alias path: user.name migration: true - name: method type: alias path: http.request.method migration: true - name: url type: alias path: url.original migration: true - name: http_version type: alias path: http.version migration: true - name: response_code type: alias path: http.response.status_code migration: true - name: referrer type: alias path: http.request.referrer migration: true - name: agent type: alias path: user_agent.original migration: true - name: user_agent type: group fields: - name: device type: alias path: user_agent.device.name migration: true - name: name type: alias path: user_agent.name migration: true - name: os type: alias path: user_agent.os.full_name migration: true - name: os_name type: alias path: user_agent.os.name migration: true - name: original type: alias path: user_agent.original migration: true - name: geoip type: group fields: - name: continent_name type: alias path: source.geo.continent_name migration: true - name: country_iso_code type: alias path: source.geo.country_iso_code migration: true - name: location type: alias path: source.geo.location migration: true - name: region_name type: alias path: source.geo.region_name migration: true - name: city_name type: alias path: source.geo.city_name migration: true - name: region_iso_code type: alias path: source.geo.region_iso_code migration: true - name: error type: group description: > Contains fields for the Nginx error logs. fields: - name: connection_id type: long description: > Connection identifier. - name: level type: alias path: log.level migration: true - name: pid type: alias path: process.pid migration: true - name: tid type: alias path: process.thread.id migration: true - name: message type: alias path: message migration: true - name: ingress_controller type: group description: > Contains fields for the Ingress Nginx controller access logs. 
fields: - name: remote_ip_list type: array description: > An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. # ingress-controller specific fields - name: upstream_address_list type: keyword description: > An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. - name: upstream.response.length_list type: keyword description: > An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. - name: upstream.response.time_list type: keyword description: > An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. - name: upstream.response.status_code_list type: keyword description: > An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. - name: http.request.length type: long format: bytes description: > The request length (including request line, header, and request body) - name: http.request.time type: double format: duration description: > Time elapsed since the first bytes were read from the client - name: upstream.name type: keyword description: > The name of the upstream. - name: upstream.alternative_name type: keyword description: > The name of the alternative upstream. - name: upstream.response.length type: long format: bytes description: > The length of the response obtained from the upstream server. If several servers were contacted during request processing, the sum of the multiple response lengths is stored.
- name: upstream.response.time type: double format: duration description: > The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request processing, the sum of the multiple response times is stored. - name: upstream.response.status_code type: long description: > The status code of the response obtained from the upstream server. If several servers were contacted during request processing, only the status code of the response from the last one is stored in this field. - name: upstream.ip type: ip description: > The IP address of the upstream server. If several servers were contacted during request processing, only the last one is stored in this field. - name: upstream.port type: long description: > The port of the upstream server. If several servers were contacted during request processing, only the last one is stored in this field. - name: http.request.id type: keyword description: > The randomly generated ID of the request - name: body_sent.bytes type: alias path: http.response.body.bytes migration: true - name: user_name type: alias path: user.name migration: true - name: method type: alias path: http.request.method migration: true - name: url type: alias path: url.original migration: true - name: http_version type: alias path: http.version migration: true - name: response_code type: alias path: http.response.status_code migration: true - name: referrer type: alias path: http.request.referrer migration: true - name: agent type: alias path: user_agent.original migration: true - name: user_agent type: group fields: - name: device type: alias path: user_agent.device.name migration: true - name: name type: alias path: user_agent.name migration: true - name: os type: alias path: user_agent.os.full_name migration: true - name: os_name type: alias path: user_agent.os.name migration: true - name: original type: alias path: user_agent.original migration: true - name: geoip type: group fields: -
name: continent_name type: alias path: source.geo.continent_name migration: true - name: country_iso_code type: alias path: source.geo.country_iso_code migration: true - name: location type: alias path: source.geo.location migration: true - name: region_name type: alias path: source.geo.region_name migration: true - name: city_name type: alias path: source.geo.city_name migration: true - name: region_iso_code type: alias path: source.geo.region_iso_code migration: true - key: osquery title: "Osquery" description: > Fields exported by the `osquery` module fields: - name: osquery type: group description: > fields: - name: result type: group description: > Common fields exported by the result metricset. fields: - name: name type: keyword description: > The name of the query that generated this event. - name: action type: keyword description: > For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - name: host_identifier type: keyword description: > The identifier for the host on which the osquery agent is running. Normally the hostname. - name: unix_time type: long description: > Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - name: calendar_time type: keyword description: > String representation of the collection time, as formatted by osquery. - key: pensando title: Pensando description: > pensando Module fields: - name: pensando type: group description: > Fields from Pensando logs. fields: - name: dfw type: group release: beta default_field: false description: > Fields for Pensando DFW fields: - name: action type: keyword description: > Action on the flow. - name: app_id type: integer description: > Application ID - name: destination_address type: keyword description: > Address of destination. - name: destination_port type: integer description: > Port of destination. 
- name: direction type: keyword description: > Direction of the flow - name: protocol type: keyword description: > Protocol of the flow - name: rule_id type: keyword description: > Rule ID that was matched. - name: session_id type: integer description: > Session ID of the flow - name: session_state type: keyword description: > Session state of the flow. - name: source_address type: keyword description: > Source address of the flow. - name: source_port type: integer description: > Source port of the flow. - name: timestamp type: date description: > Timestamp of the log. - key: postgresql title: "PostgreSQL" description: > Module for parsing the PostgreSQL log files. short_config: true fields: - name: postgresql type: group description: > Fields from PostgreSQL logs. fields: - name: log type: group description: > Fields from the PostgreSQL log files. fields: - name: timestamp deprecated: 7.3.0 description: > The timestamp from the log line. - name: core_id type: alias path: postgresql.log.session_line_number description: > Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number). deprecated: 8.0.0 - name: client_addr example: "127.0.0.1" description: > Host where the connection originated from. - name: client_port example: "59700" description: > Port where the connection originated from. - name: session_id description: > PostgreSQL session. example: "5ff1dd98.22" - name: session_line_number type: long description: > Line number inside a session. (%l in `log_line_prefix`). - name: database example: "postgres" description: > Name of database. - name: query example: "SELECT * FROM users;" description: > Query statement. In the case of CSV parse, look at command_tag to get more context. - name: query_step example: "parse" description: > Statement step when using extended query protocol (one of statement, parse, bind or execute). 
- name: query_name example: "pdo_stmt_00000001" description: > Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. - name: command_tag example: "SELECT" description: > Type of session's current command. The complete list can be found at: src/include/tcop/cmdtaglist.h - name: session_start_time type: date description: > Time when this session started. - name: virtual_transaction_id description: > Backend local transaction id. - name: transaction_id type: long description: > The id of current transaction. - name: sql_state_code # This code is not a number. type: keyword description: > State code returned by Postgres (if any). See also https://www.postgresql.org/docs/current/errcodes-appendix.html - name: detail description: > More information about the message, parameters in case of a parametrized query. e.g. 'Role \"user\" does not exist.', 'parameters: $1 = 42', etc. - name: hint description: > A possible solution to solve an error. - name: internal_query description: > Internal query that led to the error (if any). - name: internal_query_pos type: long description: > Character count of the internal query (if any). - name: context description: > Error context. - name: query_pos type: long description: > Character count of the error position (if any). - name: location description: > Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose). - name: application_name description: > Name of the application of this event. It is defined by the client. - name: backend_type example: "client backend" description: > Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types. 
- name: error.code type: alias path: postgresql.log.sql_state_code description: > Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead. deprecated: 8.0.0 - name: timezone type: alias path: event.timezone migration: true - name: user type: alias path: user.name migration: true - name: level type: alias example: "LOG" description: > Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. path: log.level migration: true - name: message type: alias path: message migration: true - key: redis title: "Redis" description: > Redis Module fields: - name: redis type: group description: > fields: - name: log type: group description: > Redis log files fields: - name: role type: keyword description: > The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDB/AOF writing child), or `sentinel`. - name: pid type: alias path: process.pid migration: true - name: level type: alias path: log.level migration: true - name: message type: alias path: message migration: true - name: slowlog type: group description: > Slow logs are retrieved from Redis via a network connection. fields: - name: cmd type: keyword description: > The command executed. - name: duration.us type: long description: > How long it took to execute the command in microseconds. - name: id type: long description: > The ID of the query. - name: key type: keyword description: > The key on which the command was executed. - name: args type: keyword description: > The arguments with which the command was called. - key: santa title: "Google Santa" description: > Santa Module fields: - name: santa type: group description: > fields: - name: action type: keyword example: EXEC description: Action - name: decision type: keyword example: ALLOW description: Decision that santad took. - name: reason type: keyword example: CERT description: Reason for the decision.
- name: mode type: keyword example: M description: Operating mode of Santa. - name: disk type: group description: Fields for DISKAPPEAR actions. fields: - name: volume description: The volume name. - name: bus description: The disk bus protocol. - name: serial description: The disk serial number. - name: bsdname example: disk1s3 description: The disk BSD name. - name: model example: APPLE SSD SM0512L description: The disk model. - name: fs example: apfs description: The disk volume kind (filesystem type). - name: mount description: The disk volume path. - name: certificate.common_name type: keyword description: Common name from code signing certificate. - name: certificate.sha256 type: keyword description: SHA256 hash of code signing certificate. - key: system title: "System" description: > Module for parsing system log files. short_config: true fields: - name: system type: group description: > Fields from the system log files. fields: - name: auth type: group description: > Fields from the Linux authorization logs. fields: - name: timestamp type: alias path: '@timestamp' migration: true - name: hostname type: alias path: host.hostname migration: true - name: program type: alias path: process.name migration: true - name: pid type: alias path: process.pid migration: true - name: message type: alias path: message migration: true - name: user type: alias path: user.name migration: true - name: ssh type: group fields: - name: method description: > The SSH authentication method. Can be one of "password" or "publickey". - name: signature description: > The signature of the client public key. - name: dropped_ip type: ip description: > The client IP from SSH connections that are open and immediately dropped. - name: event example: Accepted description: > The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) 
- name: ip type: alias path: source.ip migration: true - name: port type: alias path: source.port migration: true - name: geoip type: group fields: - name: continent_name type: alias path: source.geo.continent_name migration: true - name: country_iso_code type: alias path: source.geo.country_iso_code migration: true - name: location type: alias path: source.geo.location migration: true - name: region_name type: alias path: source.geo.region_name migration: true - name: city_name type: alias path: source.geo.city_name migration: true - name: region_iso_code type: alias path: source.geo.region_iso_code migration: true - name: sudo type: group description: > Fields specific to events created by the `sudo` command. fields: - name: error example: user NOT in sudoers description: > The error message in case the sudo command failed. - name: tty description: > The TTY where the sudo command is executed. - name: pwd description: > The current directory where the sudo command is executed. - name: user example: root description: > The target user to which the sudo command is switching. - name: command description: > The command executed via sudo. - name: useradd type: group description: > Fields specific to events created by the `useradd` command. fields: - name: home description: The home folder for the new user. - name: shell description: The default shell for the new user. - name: name type: alias path: user.name migration: true - name: uid type: alias path: user.id migration: true - name: gid type: alias path: group.id migration: true - name: groupadd type: group description: > Fields specific to events created by the `groupadd` command. fields: - name: name type: alias path: group.name migration: true - name: gid type: alias path: group.id migration: true - name: syslog type: group description: > Contains fields from the syslog system logs. 
fields: - name: timestamp type: alias path: '@timestamp' migration: true - name: hostname type: alias path: host.hostname migration: true - name: program type: alias path: process.name migration: true - name: pid type: alias path: process.pid migration: true - name: message type: alias path: message migration: true - key: traefik title: "Traefik" description: > Module for parsing the Traefik log files. fields: - name: traefik type: group description: > Fields from the Traefik log files. fields: - name: access type: group description: > Contains fields for the Traefik access logs. fields: - name: user_identifier type: keyword description: > The RFC 1413 identity of the client. - name: request_count type: long description: > The number of requests - name: frontend_name type: keyword description: > The name of the frontend used - name: backend_url type: keyword description: The URL of the backend where the request is forwarded. - name: body_sent.bytes type: alias path: http.response.body.bytes migration: true - name: remote_ip type: alias path: source.address migration: true - name: user_name type: alias path: user.name migration: true - name: method type: alias path: http.request.method migration: true - name: url type: alias path: url.original migration: true - name: http_version type: alias path: http.version migration: true - name: response_code type: alias path: http.response.status_code migration: true - name: referrer type: alias path: http.request.referrer migration: true - name: agent type: alias path: user_agent.original migration: true - name: user_agent type: group fields: - name: name type: alias path: user_agent.name - name: os type: alias path: user_agent.os.full_name - name: os_name type: alias path: user_agent.os.name - name: original type: alias path: user_agent.original - name: geoip type: group fields: - name: continent_name type: alias path: source.geo.continent_name - name: country_iso_code type: alias path: source.geo.country_iso_code - name:
location type: alias path: source.geo.location - name: region_name type: alias path: source.geo.region_name - name: city_name type: alias path: source.geo.city_name - name: region_iso_code type: alias path: source.geo.region_iso_code - key: activemq title: "ActiveMQ" release: ga description: > Module for parsing ActiveMQ log files. fields: - name: activemq type: group description: > fields: - name: caller type: keyword description: > Name of the caller issuing the logging request (class or resource). - name: thread type: keyword description: > Thread that generated the logging event. - name: user type: keyword description: > User that generated the logging event. - name: audit type: group description: > Fields from ActiveMQ audit logs. fields: - name: log type: group description: > Fields from ActiveMQ application logs. fields: - name: stack_trace type: keyword - key: aws title: AWS release: ga description: > Module for handling logs from AWS. fields: - name: aws type: group description: > Fields from AWS logs. fields: - name: cloudtrail type: group release: ga default_field: false description: > Fields for AWS CloudTrail logs. fields: - name: event_version type: keyword description: > The CloudTrail version of the log event format. - name: user_identity type: group description: >- The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained. fields: - name: type type: keyword description: > The type of the identity - name: arn type: keyword description: >- The Amazon Resource Name (ARN) of the principal that made the call. - name: access_key_id type: keyword description: >- The access key ID that was used to sign the request. 
- name: session_context type: group description: >- If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials. fields: - name: mfa_authenticated type: keyword description: >- The value is true if the root user or IAM user whose credentials were used for the request was also authenticated with an MFA device; otherwise, false. - name: creation_date type: date description: >- The date and time when the temporary security credentials were issued. - name: session_issuer type: group description: >- If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained. fields: - name: type type: keyword description: >- The source of the temporary security credentials, such as Root, IAMUser, or Role. - name: principal_id type: keyword description: >- The internal ID of the entity that was used to get credentials. - name: arn type: keyword description: >- The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. - name: account_id type: keyword description: >- The account that owns the entity that was used to get credentials. - name: invoked_by type: keyword description: >- The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. - name: error_code type: keyword description: >- The AWS service error if the request returns an error. - name: error_message type: keyword description: >- If the request returns an error, the description of the error. - name: request_parameters type: keyword description: >- The parameters, if any, that were sent with the request. multi_fields: - name: text type: text default_field: false - name: response_elements type: keyword description: >- The response element for actions that make changes (create, update, or delete actions).
multi_fields: - name: text type: text default_field: false - name: additional_eventdata type: keyword description: >- Additional data about the event that was not part of the request or response. multi_fields: - name: text type: text default_field: false - name: request_id type: keyword description: >- The value that identifies the request. The service being called generates this value. - name: event_type type: keyword description: >- Identifies the type of event that generated the event record. - name: api_version type: keyword description: >- Identifies the API version associated with the AwsApiCall eventType value. - name: management_event type: keyword description: >- A Boolean value that identifies whether the event is a management event. - name: read_only type: keyword description: >- Identifies whether this operation is a read-only operation. - name: resources type: group description: >- A list of resources accessed in the event. fields: - name: arn type: keyword description: >- Resource ARNs - name: account_id type: keyword description: >- Account ID of the resource owner - name: type type: keyword description: >- Resource type identifier in the format: AWS::aws-service-name::data-type-name - name: recipient_account_id type: keyword description: >- Represents the account ID that received this event. - name: service_event_details type: keyword description: >- Identifies the service event, including what triggered the event and the result. multi_fields: - name: text type: text default_field: false - name: shared_event_id type: keyword description: >- GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. - name: vpc_endpoint_id type: keyword description: >- Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. - name: event_category type: keyword description: |- Shows the event category that is used in LookupEvents calls. 
- For management events, the value is management. - For data events, the value is data. - For Insights events, the value is insight. - name: console_login type: group description: >- Fields specific to ConsoleLogin events fields: - name: additional_eventdata type: group description: > Additional Event Data for ConsoleLogin events fields: - name: mobile_version type: boolean description: >- Identifies whether ConsoleLogin was from the mobile version - name: login_to type: keyword description: >- URL for ConsoleLogin - name: mfa_used type: boolean description: >- Identifies whether multi-factor authentication was used during ConsoleLogin - name: flattened type: group description: >- ES flattened datatype for objects where the subfields aren't known in advance. fields: - name: additional_eventdata type: flattened description: > Additional data about the event that was not part of the request or response. - name: request_parameters type: flattened description: >- The parameters, if any, that were sent with the request. - name: response_elements type: flattened description: >- The response element for actions that make changes (create, update, or delete actions). - name: service_event_details type: flattened description: >- Identifies the service event, including what triggered the event and the result. - name: digest type: group description: >- Fields from CloudTrail Digest Logs fields: - name: log_files type: nested description: >- A list of log files contained in the digest. - name: start_time type: date description: >- The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. - name: end_time type: date description: >- The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. - name: s3_bucket type: keyword description: >- The name of the Amazon S3 bucket to which the current digest file has been delivered.
- name: s3_object type: keyword description: >- The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file. - name: newest_event_time type: date description: >- The UTC time of the most recent event among all of the events in the log files in the digest. - name: oldest_event_time type: date description: >- The UTC time of the oldest event among all of the events in the log files in the digest. - name: previous_s3_bucket type: keyword description: >- The Amazon S3 bucket to which the previous digest file was delivered. - name: previous_hash_algorithm type: keyword description: >- The name of the hash algorithm that was used to hash the previous digest file. - name: public_key_fingerprint type: keyword description: >- The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file. - name: signature_algorithm type: keyword description: >- The algorithm used to sign the digest file. - name: insight_details type: flattened description: >- Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event. - name: cloudwatch type: group release: ga default_field: false description: > Fields for AWS CloudWatch logs. fields: - name: message type: text description: > CloudWatch log message. - name: ec2 type: group release: ga default_field: false description: > Fields for AWS EC2 logs in CloudWatch. fields: - name: ip_address type: keyword description: > The internet address of the requester. - name: elb type: group release: ga default_field: false description: > Fields for AWS ELB logs. fields: - name: name type: keyword description: > The name of the load balancer. - name: type type: keyword description: > The type of the load balancer for v2 Load Balancers. - name: target_group.arn type: keyword description: > The ARN of the target group handling the request. 
- name: listener type: keyword description: > The ELB listener that received the connection. - name: protocol type: keyword description: > The protocol of the load balancer (http or tcp). - name: request_processing_time.sec type: float description: > The total time in seconds from when the connection or request is received until it is sent to a registered backend. - name: backend_processing_time.sec type: float description: > The total time in seconds from when the connection is sent to the backend until the backend starts responding. - name: response_processing_time.sec type: float description: > The total time in seconds from when the response is received from the backend until it is sent to the client. - name: connection_time.ms type: long description: > The total time of the connection in milliseconds, from when it is opened until it is closed. - name: tls_handshake_time.ms type: long description: > The total time for the TLS handshake to complete in milliseconds once the connection has been established. - name: backend.ip type: keyword description: > The IP address of the backend processing this connection. - name: backend.port type: keyword description: > The port on the backend processing this connection. - name: backend.http.response.status_code type: keyword description: > The status code from the backend (the status code sent to the client by the ELB is stored in `http.response.status_code`). - name: ssl_cipher type: keyword description: > The SSL cipher used in TLS/SSL connections. - name: ssl_protocol type: keyword description: > The SSL protocol used in TLS/SSL connections. - name: chosen_cert.arn type: keyword description: > The ARN of the chosen certificate presented to the client in TLS/SSL connections. - name: chosen_cert.serial type: keyword description: > The serial number of the chosen certificate presented to the client in TLS/SSL connections. 
- name: incoming_tls_alert type: keyword description: > The integer value of TLS alerts received by the load balancer from the client, if present. - name: tls_named_group type: keyword description: > The TLS named group. - name: trace_id type: keyword description: > The contents of the `X-Amzn-Trace-Id` header. - name: matched_rule_priority type: keyword description: > The priority value of the rule that matched the request, if a rule matched. - name: action_executed type: keyword description: > The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values. - name: redirect_url type: keyword description: > The URL used if a redirection action was executed. - name: error.reason type: keyword description: > The error reason if the executed action failed. - name: target_port type: keyword description: > List of IP addresses and ports for the targets that processed this request. - name: target_status_code type: keyword description: > List of status codes from the responses of the targets. - name: classification type: keyword description: > The classification for desync mitigation. - name: classification_reason type: keyword description: > The classification reason code. - name: s3access type: group release: ga default_field: false description: > Fields for AWS S3 server access logs. fields: - name: bucket_owner type: keyword description: > The canonical user ID of the owner of the source bucket. - name: bucket type: keyword description: > The name of the bucket that the request was processed against. - name: remote_ip type: ip description: > The apparent internet address of the requester. - name: requester type: keyword description: > The canonical user ID of the requester, or a - for unauthenticated requests. - name: request_id type: keyword description: > A string generated by Amazon S3 to uniquely identify each request. 
- name: operation type: keyword description: > The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT. - name: key type: keyword description: > The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter. - name: request_uri type: keyword description: > The Request-URI part of the HTTP request message. - name: http_status type: long description: > The numeric HTTP status code of the response. - name: error_code type: keyword description: > The Amazon S3 Error Code, or "-" if no error occurred. - name: bytes_sent type: long description: > The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero. - name: object_size type: long description: > The total size of the object in question. - name: total_time type: long description: > The number of milliseconds the request was in flight from the server's perspective. - name: turn_around_time type: long description: > The number of milliseconds that Amazon S3 spent processing your request. - name: referrer type: keyword description: > The value of the HTTP Referrer header, if present. - name: user_agent type: keyword description: > The value of the HTTP User-Agent header. - name: version_id type: keyword description: > The version ID in the request, or "-" if the operation does not take a versionId parameter. - name: host_id type: keyword description: > The x-amz-id-2 or Amazon S3 extended request ID. - name: signature_version type: keyword description: > The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests. - name: cipher_suite type: keyword description: > The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP. 
- name: authentication_type type: keyword description: > The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests. - name: host_header type: keyword description: > The endpoint used to connect to Amazon S3. - name: tls_version type: keyword description: > The Transport Layer Security (TLS) version negotiated by the client. - name: vpcflow type: group release: ga default_field: false description: > Fields for AWS VPC flow logs. fields: - name: version type: keyword description: > The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. - name: account_id type: keyword description: > The AWS account ID for the flow log. - name: interface_id type: keyword description: > The ID of the network interface for which the traffic is recorded. - name: action type: keyword description: > The action that is associated with the traffic, ACCEPT or REJECT. - name: log_status type: keyword description: > The logging status of the flow log, OK, NODATA or SKIPDATA. - name: instance_id type: keyword description: > The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. - name: pkt_srcaddr type: ip description: > The packet-level (original) source IP address of the traffic. - name: pkt_dstaddr type: ip description: > The packet-level (original) destination IP address for the traffic. - name: vpc_id type: keyword description: > The ID of the VPC that contains the network interface for which the traffic is recorded. - name: subnet_id type: keyword description: > The ID of the subnet that contains the network interface for which the traffic is recorded. 
- name: tcp_flags type: keyword description: > The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST - name: tcp_flags_array type: keyword description: > List of TCP flags: 'fin, syn, rst, psh, ack, urg' - name: type type: keyword description: > The type of traffic: IPv4, IPv6, or EFA. - key: awsfargate title: AWS Fargate release: beta description: > Module for collecting container logs from Amazon ECS Fargate. fields: - name: awsfargate type: group description: > Fields from Amazon ECS Fargate logs. fields: - name: log type: group release: beta default_field: false description: > Fields for Amazon Fargate container logs. fields: - key: azure title: "Azure" release: ga description: > Azure Module fields: - name: azure type: group description: > fields: - name: subscription_id type: keyword description: > Azure subscription ID - name: correlation_id type: keyword description: > Correlation ID - name: tenant_id type: keyword description: > tenant ID - name: resource type: group description: > Resource fields: - name: id type: keyword description: > Resource ID - name: group type: keyword description: > Resource group - name: provider type: keyword description: > Resource type/namespace - name: namespace type: keyword description: > Resource type/namespace - name: name type: keyword description: > Name - name: authorization_rule type: keyword description: > Authorization rule - name: activitylogs type: group release: ga default_field: false description: > Fields for Azure activity logs. 
fields: - name: identity type: group description: > Identity fields: - name: claims_initiated_by_user type: group description: > Claims initiated by user fields: - name: name type: keyword description: > Name - name: givenname type: keyword description: > Givenname - name: surname type: keyword description: > Surname - name: fullname type: keyword description: > Fullname - name: schema type: keyword description: > Schema - name: claims.* type: object object_type: keyword object_type_mapping_type: "*" description: > Claims - name: authorization type: group description: > Authorization fields: - name: scope type: keyword description: > Scope - name: action type: keyword description: > Action - name: evidence type: group description: > Evidence fields: - name: role_assignment_scope type: keyword description: > Role assignment scope - name: role_definition_id type: keyword description: > Role definition ID - name: role type: keyword description: > Role - name: role_assignment_id type: keyword description: > Role assignment ID - name: principal_id type: keyword description: > Principal ID - name: principal_type type: keyword description: > Principal type - name: operation_name type: keyword description: > Operation name - name: result_type type: keyword description: > Result type - name: result_signature type: keyword description: > Result signature - name: category type: keyword description: > Category - name: event_category type: keyword description: > Event Category - name: properties type: flattened description: > Properties - name: auditlogs type: group release: ga description: > Fields for Azure audit logs. default_field: false fields: - name: category type: keyword description: > The category of the operation. Currently, Audit is the only supported value. 
- name: operation_name type: keyword description: > The operation name - name: operation_version type: keyword description: > The operation version - name: identity type: keyword description: > Identity - name: tenant_id type: keyword description: > Tenant ID - name: result_signature type: keyword description: > Result signature - name: properties type: group description: > The audit log properties fields: - name: result type: keyword description: > Log result - name: activity_display_name type: keyword description: > Activity display name - name: result_reason type: keyword description: > Reason for the log result - name: correlation_id type: keyword description: > Correlation ID - name: logged_by_service type: keyword description: > Logged by service - name: operation_type type: keyword description: > Operation type - name: id type: keyword description: > ID - name: activity_datetime type: date description: > Activity timestamp - name: category type: keyword description: > category - name: target_resources.* type: group object_type_mapping_type: "*" description: > Target resources fields: - name: display_name type: keyword description: > Display name - name: id type: keyword description: > ID - name: type type: keyword description: > Type - name: ip_address type: keyword description: > ip Address - name: user_principal_name type: keyword description: > User principal name - name: modified_properties.* type: group object_type: keyword object_type_mapping_type: "*" description: > Modified properties fields: - name: new_value type: keyword description: > New value - name: display_name type: keyword description: > Display value - name: old_value type: keyword description: > Old value - name: initiated_by type: group description: > Information regarding the initiator fields: - name: app type: group description: > App fields: - name: servicePrincipalName type: keyword description: > Service principal name - name: displayName type: keyword description: > Display name - 
name: appId type: keyword description: > App ID - name: servicePrincipalId type: keyword description: > Service principal ID - name: user type: group description: > User fields: - name: userPrincipalName type: keyword description: > User principal name - name: displayName type: keyword description: > Display name - name: id type: keyword description: > ID - name: ipAddress type: keyword description: > ip Address - name: platformlogs type: group release: ga default_field: false description: > Fields for Azure platform logs. fields: - name: operation_name type: keyword description: > Operation name - name: result_type type: keyword description: > Result type - name: result_signature type: keyword description: > Result signature - name: category type: keyword description: > Category - name: event_category type: keyword description: > Event Category - name: status type: keyword description: > Status - name: ccpNamespace type: keyword description: > ccpNamespace - name: Cloud type: keyword description: > Cloud - name: Environment type: keyword description: > Environment - name: EventTimeString type: keyword description: > EventTimeString - name: Caller type: keyword description: > Caller - name: ScaleUnit type: keyword description: > ScaleUnit - name: ActivityId type: keyword description: > ActivityId - name: properties type: flattened description: > Event inner properties - name: signinlogs type: group release: ga description: > Fields for Azure sign-in logs. 
default_field: false fields: - name: operation_name type: keyword description: > The operation name - name: operation_version type: keyword description: > The operation version - name: tenant_id type: keyword description: > Tenant ID - name: result_signature type: keyword description: > Result signature - name: result_description type: keyword description: > Result description - name: result_type type: keyword description: > Result type - name: identity type: keyword description: > Identity - name: category type: keyword description: > Category - name: properties type: group description: > The signin log properties fields: - name: id type: keyword description: > ID - name: created_at type: date description: > Created date time - name: user_display_name type: keyword description: > User display name - name: correlation_id type: keyword description: > Correlation ID - name: user_principal_name type: keyword description: > User principal name - name: user_id type: keyword description: > User ID - name: app_id type: keyword description: > App ID - name: app_display_name type: keyword description: > App display name - name: ip_address type: keyword description: > Ip address - name: client_app_used type: keyword description: > Client app used - name: conditional_access_status type: keyword description: > Conditional access status - name: original_request_id type: keyword description: > Original request ID - name: is_interactive type: keyword description: > Is interactive - name: token_issuer_name type: keyword description: > Token issuer name - name: token_issuer_type type: keyword description: > Token issuer type - name: processing_time_ms type: float description: > Processing time in milliseconds - name: risk_detail type: keyword description: > Risk detail - name: risk_level_aggregated type: keyword description: > Risk level aggregated - name: risk_level_during_signin type: keyword description: > Risk level during signIn - name: risk_state type: keyword description: > 
Risk state - name: resource_display_name type: keyword description: > Resource display name - name: status type: group description: > Status fields: - name: error_code type: keyword description: > Error code - name: device_detail type: group description: > Status fields: - name: device_id type: keyword description: > Device ID - name: operating_system type: keyword description: > Operating system - name: browser type: keyword description: > Browser - name: display_name type: keyword description: > Display name - name: trust_type type: keyword description: > Trust type - name: service_principal_id type: keyword description: > Status - key: barracuda title: Barracuda Web Application Firewall description: > barracuda fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
    - name: result_code
      overwrite: true
      type: keyword
      description: This key is used to capture the outcome/result numeric value of an action in a session
    - name: category
      overwrite: true
      type: keyword
      description: This key is used to capture the category of an event given by the vendor in the session
    - name: obj_name
      overwrite: true
      type: keyword
      description: This is used to capture the name of an object
    - name: obj_type
      overwrite: true
      type: keyword
      description: This is used to capture the type of an object
    - name: event_source
      overwrite: true
      type: keyword
      description: "This key captures the Source of the event that\u2019s not a hostname"
    - name: log_session_id
      overwrite: true
      type: keyword
      description: This key is used to capture a sessionid from the session directly
    - name: group
      overwrite: true
      type: keyword
      description: This key captures the Group Name value
    - name: policy_name
      overwrite: true
      type: keyword
      description: This key is used to capture the Policy Name only.
    - name: rule_name
      overwrite: true
      type: keyword
      description: This key captures the Rule Name
    - name: context
      overwrite: true
      type: keyword
      description: This key captures Information which adds additional context to the event.
    - name: change_new
      overwrite: true
      type: keyword
      description: "This key is used to capture the new values of the attribute that\u2019s changing in a session"
    - name: space
      overwrite: true
      type: keyword
    - name: client
      overwrite: true
      type: keyword
      description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
    - name: msgIdPart1
      overwrite: true
      type: keyword
    - name: msgIdPart2
      overwrite: true
      type: keyword
    - name: change_old
      overwrite: true
      type: keyword
      description: "This key is used to capture the old value of the attribute that\u2019s changing in a session"
    - name: operation_id
      overwrite: true
      type: keyword
      description: An alert number or operation number. The values should be unique and non-repeating.
    - name: event_state
      overwrite: true
      type: keyword
      description: This key captures the current state of the object/item referenced within the event, describing an on-going event.
    - name: group_object
      overwrite: true
      type: keyword
      description: This key captures a collection/grouping of entities. Specific usage
    - name: node
      overwrite: true
      type: keyword
      description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
    - name: rule
      overwrite: true
      type: keyword
      description: This key captures the Rule number
    - name: device_name
      overwrite: true
      type: keyword
      description: 'This is used to capture the name of the Device associated with the node (like a physical disk, printer, etc.)'
    - name: param
      overwrite: true
      type: keyword
      description: This key is the parameters passed as part of a command or application, etc.
    - name: change_attrib
      overwrite: true
      type: keyword
      description: "This key is used to capture the name of the attribute that\u2019s changing in a session"
    - name: event_computer
      overwrite: true
      type: keyword
      description: This key is a Windows-only concept, where this key is used to capture the fully qualified domain name in a Windows log.
    - name: reference_id1
      overwrite: true
      type: keyword
      description: 'This key is for a Linked ID to be used as an addition to "reference.id"'
    - name: event_log
      overwrite: true
      type: keyword
      description: This key captures the Name of the event log
    - name: OS
      overwrite: true
      type: keyword
      description: This key captures the Name of the Operating System
    - name: terminal
      overwrite: true
      type: keyword
      description: This key captures the Terminal Names only
    - name: msgIdPart3
      overwrite: true
      type: keyword
    - name: filter
      overwrite: true
      type: keyword
      description: This key captures the Filter used to reduce the result set
    - name: serial_number
      overwrite: true
      type: keyword
      description: This key is the Serial number associated with a physical asset.
    - name: checksum
      overwrite: true
      type: keyword
      description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
    - name: event_user
      overwrite: true
      type: keyword
      description: This key is a Windows-only concept, where this key is used to capture the combination of domain name and username in a Windows log.
    - name: virusname
      overwrite: true
      type: keyword
      description: This key captures the name of the virus
    - name: content_type
      overwrite: true
      type: keyword
      description: This key is used to capture the Content Type only.
    - name: group_id
      overwrite: true
      type: keyword
      description: This key captures the Group ID Number (related to the group name)
    - name: policy_id
      overwrite: true
      type: keyword
      description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
    - name: vsys
      overwrite: true
      type: keyword
      description: This key captures the Virtual System Name
    - name: connection_id
      overwrite: true
      type: keyword
      description: This key captures the Connection ID
    - name: reference_id2
      overwrite: true
      type: keyword
      description: 'This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.'
    - name: sensor
      overwrite: true
      type: keyword
      description: This key captures the Name of the sensor. Typically used in IDS/IPS based devices
    - name: sig_id
      overwrite: true
      type: long
      description: This key captures the IDS/IPS Int Signature ID
    - name: port_name
      overwrite: true
      type: keyword
      description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
    - name: rule_group
      overwrite: true
      type: keyword
      description: This key captures the Rule group name
    - name: risk_num
      overwrite: true
      type: double
      description: This key captures a Numeric Risk value
    - name: trigger_val
      overwrite: true
      type: keyword
      description: This key captures the Value of the trigger or threshold condition.
    - name: log_session_id1
      overwrite: true
      type: keyword
      description: This key is used to capture a Linked (Related) Session ID from the session directly
    - name: comp_version
      overwrite: true
      type: keyword
      description: This key captures the Version level of a sub-component of a product.
    - name: content_version
      overwrite: true
      type: keyword
      description: This key captures the Version level of a signature or database content.
    - name: hardware_id
      overwrite: true
      type: keyword
      description: This key is used to capture the unique identifier for a device or system (NOT a MAC address)
    - name: risk
      overwrite: true
      type: keyword
      description: This key captures the non-numeric risk value
    - name: event_id
      overwrite: true
      type: keyword
    - name: reason
      overwrite: true
      type: keyword
    - name: status
      overwrite: true
      type: keyword
    - name: mail_id
      overwrite: true
      type: keyword
      description: This key is used to capture the mailbox id/name
    - name: rule_uid
      overwrite: true
      type: keyword
      description: This key is the Unique Identifier for a rule.
    - name: trigger_desc
      overwrite: true
      type: keyword
      description: This key captures the Description of the trigger or threshold condition.
    - name: inout
      overwrite: true
      type: keyword
    - name: p_msgid
      overwrite: true
      type: keyword
    - name: data_type
      overwrite: true
      type: keyword
    - name: msgIdPart4
      overwrite: true
      type: keyword
    - name: error
      overwrite: true
      type: keyword
      description: This key captures all non-successful Error codes or responses
    - name: index
      overwrite: true
      type: keyword
    - name: listnum
      overwrite: true
      type: keyword
      description: This key is used to capture the listname or listnumber, primarily for collecting access-lists
    - name: ntype
      overwrite: true
      type: keyword
    - name: observed_val
      overwrite: true
      type: keyword
      description: This key captures the Value observed (from the perspective of the device generating the log).
    - name: policy_value
      overwrite: true
      type: keyword
      description: This key captures the contents of the policy. This contains details about the policy
    - name: pool_name
      overwrite: true
      type: keyword
      description: This key captures the name of a resource pool
    - name: rule_template
      overwrite: true
      type: keyword
      description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template
    - name: count
      overwrite: true
      type: keyword
    - name: number
      overwrite: true
      type: keyword
    - name: sigcat
      overwrite: true
      type: keyword
    - name: type
      overwrite: true
      type: keyword
    - name: comments
      overwrite: true
      type: keyword
      description: Comment information provided in the log message
    - name: doc_number
      overwrite: true
      type: long
      description: This key captures the File Identification number
    - name: expected_val
      overwrite: true
      type: keyword
      description: This key captures the Value expected (from the perspective of the device generating the log).
    - name: job_num
      overwrite: true
      type: keyword
      description: This key captures the Job Number
    - name: spi_dst
      overwrite: true
      type: keyword
      description: Destination SPI Index
    - name: spi_src
      overwrite: true
      type: keyword
      description: Source SPI Index
    - name: code
      overwrite: true
      type: keyword
    - name: agent_id
      overwrite: true
      type: keyword
      description: This key is used to capture the agent id
    - name: message_body
      overwrite: true
      type: keyword
      description: This key captures the contents of the message body.
    - name: phone
      overwrite: true
      type: keyword
    - name: sig_id_str
      overwrite: true
      type: keyword
      description: This key captures a string object of the sigid variable.
    - name: cmd
      overwrite: true
      type: keyword
    - name: misc
      overwrite: true
      type: keyword
    - name: name
      overwrite: true
      type: keyword
    - name: cpu
      overwrite: true
      type: long
      description: This key is the CPU time used in the execution of the event being recorded.
    - name: event_desc
      overwrite: true
      type: keyword
      description: This key is used to capture a description of an event available directly or inferred
    - name: sig_id1
      overwrite: true
      type: long
      description: This key captures the IDS/IPS Int Signature ID. This must be linked to the sig.id
    - name: im_buddyid
      overwrite: true
      type: keyword
    - name: im_client
      overwrite: true
      type: keyword
    - name: im_userid
      overwrite: true
      type: keyword
    - name: pid
      overwrite: true
      type: keyword
    - name: priority
      overwrite: true
      type: keyword
    - name: context_subject
      overwrite: true
      type: keyword
      description: This key is to be used in an audit context where the subject is the object being identified
    - name: context_target
      overwrite: true
      type: keyword
    - name: cve
      overwrite: true
      type: keyword
      description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier, an identifier for known information security vulnerabilities.
    - name: fcatnum
      overwrite: true
      type: keyword
      description: This key captures the Filter Category Number. Legacy Usage
    - name: library
      overwrite: true
      type: keyword
      description: This key is used to capture library information in mainframe devices
    - name: parent_node
      overwrite: true
      type: keyword
      description: This key captures the Parent Node Name. Must be related to the node variable.
    - name: risk_info
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: tcp_flags
      overwrite: true
      type: long
      description: This key captures the TCP flags set in any packet of the session
    - name: tos
      overwrite: true
      type: long
      description: This key describes the type of service
    - name: vm_target
      overwrite: true
      type: keyword
      description: VMware Target. **VMWARE** only variable.
    - name: workspace
      overwrite: true
      type: keyword
      description: This key captures the Workspace Description
    - name: command
      overwrite: true
      type: keyword
    - name: event_category
      overwrite: true
      type: keyword
    - name: facilityname
      overwrite: true
      type: keyword
    - name: forensic_info
      overwrite: true
      type: keyword
    - name: jobname
      overwrite: true
      type: keyword
    - name: mode
      overwrite: true
      type: keyword
    - name: policy
      overwrite: true
      type: keyword
    - name: policy_waiver
      overwrite: true
      type: keyword
    - name: second
      overwrite: true
      type: keyword
    - name: space1
      overwrite: true
      type: keyword
    - name: subcategory
      overwrite: true
      type: keyword
    - name: tbdstr2
      overwrite: true
      type: keyword
    - name: alert_id
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: checksum_dst
      overwrite: true
      type: keyword
      description: This key is used to capture the checksum or hash of the target entity such as a process or file.
    - name: checksum_src
      overwrite: true
      type: keyword
      description: This key is used to capture the checksum or hash of the source entity such as a file or process.
    - name: fresult
      overwrite: true
      type: long
      description: This key captures the Filter Result
    - name: payload_dst
      overwrite: true
      type: keyword
      description: This key is used to capture the destination payload
    - name: payload_src
      overwrite: true
      type: keyword
      description: This key is used to capture the source payload
    - name: pool_id
      overwrite: true
      type: keyword
      description: This key captures the identifier (typically a numeric field) of a resource pool
    - name: process_id_val
      overwrite: true
      type: keyword
      description: This key is a failure key for Process ID when it is not an integer value
    - name: risk_num_comm
      overwrite: true
      type: double
      description: This key captures the Risk Number Community
    - name: risk_num_next
      overwrite: true
      type: double
      description: This key captures the Risk Number NextGen
    - name: risk_num_sand
      overwrite: true
      type: double
      description: This key captures the Risk Number SandBox
    - name: risk_num_static
      overwrite: true
      type: double
      description: This key captures the Risk Number Static
    - name: risk_suspicious
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: risk_warning
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: snmp_oid
      overwrite: true
      type: keyword
      description: SNMP Object Identifier
    - name: sql
      overwrite: true
      type: keyword
      description: This key captures the SQL query
    - name: vuln_ref
      overwrite: true
      type: keyword
      description: This key captures the Vulnerability Reference details
    - name: acl_id
      overwrite: true
      type: keyword
    - name: acl_op
      overwrite: true
      type: keyword
    - name: acl_pos
      overwrite: true
      type: keyword
    - name: acl_table
      overwrite: true
      type: keyword
    - name: admin
      overwrite: true
      type: keyword
    - name: alarm_id
      overwrite: true
      type: keyword
    - name: alarmname
      overwrite: true
      type: keyword
    - name: app_id
      overwrite: true
      type: keyword
    - name: audit
      overwrite: true
      type: keyword
    - name: audit_object
      overwrite: true
      type: keyword
    - name: auditdata
      overwrite: true
      type: keyword
    - name: benchmark
      overwrite: true
      type: keyword
    - name: bypass
      overwrite: true
      type: keyword
    - name: cache
      overwrite: true
      type: keyword
    - name: cache_hit
      overwrite: true
      type: keyword
    - name: cefversion
      overwrite: true
      type: keyword
    - name: cfg_attr
      overwrite: true
      type: keyword
    - name: cfg_obj
      overwrite: true
      type: keyword
    - name: cfg_path
      overwrite: true
      type: keyword
    - name: changes
      overwrite: true
      type: keyword
    - name: client_ip
      overwrite: true
      type: keyword
    - name: clustermembers
      overwrite: true
      type: keyword
    - name: cn_acttimeout
      overwrite: true
      type: keyword
    - name: cn_asn_src
      overwrite: true
      type: keyword
    - name: cn_bgpv4nxthop
      overwrite: true
      type: keyword
    - name: cn_ctr_dst_code
      overwrite: true
      type: keyword
    - name: cn_dst_tos
      overwrite: true
      type: keyword
    - name: cn_dst_vlan
      overwrite: true
      type: keyword
    - name: cn_engine_id
      overwrite: true
      type: keyword
    - name: cn_engine_type
      overwrite: true
      type: keyword
    - name: cn_f_switch
      overwrite: true
      type: keyword
    - name: cn_flowsampid
      overwrite: true
      type: keyword
    - name: cn_flowsampintv
      overwrite: true
      type: keyword
    - name: cn_flowsampmode
      overwrite: true
      type: keyword
    - name: cn_inacttimeout
      overwrite: true
      type: keyword
    - name: cn_inpermbyts
      overwrite: true
      type: keyword
    - name: cn_inpermpckts
      overwrite: true
      type: keyword
    - name: cn_invalid
      overwrite: true
      type: keyword
    - name: cn_ip_proto_ver
      overwrite: true
      type: keyword
    - name: cn_ipv4_ident
      overwrite: true
      type: keyword
    - name: cn_l_switch
      overwrite: true
      type: keyword
    - name: cn_log_did
      overwrite: true
      type: keyword
    - name: cn_log_rid
      overwrite: true
      type: keyword
    - name: cn_max_ttl
      overwrite: true
      type: keyword
    - name: cn_maxpcktlen
      overwrite: true
      type: keyword
    - name: cn_min_ttl
      overwrite: true
      type: keyword
    - name: cn_minpcktlen
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_1
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_10
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_2
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_3
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_4
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_5
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_6
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_7
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_8
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_9
      overwrite: true
      type: keyword
    - name: cn_mplstoplabel
      overwrite: true
      type: keyword
    - name: cn_mplstoplabip
      overwrite: true
      type: keyword
    - name: cn_mul_dst_byt
      overwrite: true
      type: keyword
    - name: cn_mul_dst_pks
      overwrite: true
      type: keyword
    - name: cn_muligmptype
      overwrite: true
      type: keyword
    - name: cn_sampalgo
      overwrite: true
      type: keyword
    - name: cn_sampint
      overwrite: true
      type: keyword
    - name: cn_seqctr
      overwrite: true
      type: keyword
    - name: cn_spackets
      overwrite: true
      type: keyword
    - name: cn_src_tos
      overwrite: true
      type: keyword
    - name: cn_src_vlan
      overwrite: true
      type: keyword
    - name: cn_sysuptime
      overwrite: true
      type: keyword
    - name: cn_template_id
      overwrite: true
      type: keyword
    - name: cn_totbytsexp
      overwrite: true
      type: keyword
    - name: cn_totflowexp
      overwrite: true
      type: keyword
    - name: cn_totpcktsexp
      overwrite: true
      type: keyword
    - name: cn_unixnanosecs
      overwrite: true
      type: keyword
    - name: cn_v6flowlabel
      overwrite: true
      type: keyword
    - name: cn_v6optheaders
      overwrite: true
      type: keyword
    - name: comp_class
      overwrite: true
      type: keyword
    - name: comp_name
      overwrite: true
      type: keyword
    - name: comp_rbytes
      overwrite: true
      type: keyword
    - name: comp_sbytes
      overwrite: true
      type: keyword
    - name: cpu_data
      overwrite: true
      type: keyword
    - name: criticality
      overwrite: true
      type: keyword
    - name: cs_agency_dst
      overwrite: true
      type: keyword
    - name: cs_analyzedby
      overwrite: true
      type: keyword
    - name: cs_av_other
      overwrite: true
      type: keyword
    - name: cs_av_primary
      overwrite: true
      type: keyword
    - name: cs_av_secondary
      overwrite: true
      type: keyword
    - name: cs_bgpv6nxthop
      overwrite: true
      type: keyword
    - name: cs_bit9status
      overwrite: true
      type: keyword
    - name: cs_context
      overwrite: true
      type: keyword
    - name: cs_control
      overwrite: true
      type: keyword
    - name: cs_data
      overwrite: true
      type: keyword
    - name: cs_datecret
      overwrite: true
      type: keyword
    - name: cs_dst_tld
      overwrite: true
      type: keyword
    - name: cs_eth_dst_ven
      overwrite: true
      type: keyword
    - name: cs_eth_src_ven
      overwrite: true
      type: keyword
    - name: cs_event_uuid
      overwrite: true
      type: keyword
    - name: cs_filetype
      overwrite: true
      type: keyword
    - name: cs_fld
      overwrite: true
      type: keyword
    - name: cs_if_desc
      overwrite: true
      type: keyword
    - name: cs_if_name
      overwrite: true
      type: keyword
    - name: cs_ip_next_hop
      overwrite: true
      type: keyword
    - name: cs_ipv4dstpre
      overwrite: true
      type: keyword
    - name: cs_ipv4srcpre
      overwrite: true
      type: keyword
    - name: cs_lifetime
      overwrite: true
      type: keyword
    - name: cs_log_medium
      overwrite: true
      type: keyword
    - name: cs_loginname
      overwrite: true
      type: keyword
    - name: cs_modulescore
      overwrite: true
      type: keyword
    - name: cs_modulesign
      overwrite: true
      type: keyword
    - name: cs_opswatresult
      overwrite: true
      type: keyword
    - name: cs_payload
      overwrite: true
      type: keyword
    - name: cs_registrant
      overwrite: true
      type: keyword
    - name: cs_registrar
      overwrite: true
      type: keyword
    - name: cs_represult
      overwrite: true
      type: keyword
    - name: cs_rpayload
      overwrite: true
      type: keyword
    - name: cs_sampler_name
      overwrite: true
      type: keyword
    - name: cs_sourcemodule
      overwrite: true
      type: keyword
    - name: cs_streams
      overwrite: true
      type: keyword
    - name: cs_targetmodule
      overwrite: true
      type: keyword
    - name: cs_v6nxthop
      overwrite: true
      type: keyword
    - name: cs_whois_server
      overwrite: true
      type: keyword
    - name: cs_yararesult
      overwrite: true
      type: keyword
    - name: description
      overwrite: true
      type: keyword
    - name: devvendor
      overwrite: true
      type: keyword
    - name: distance
      overwrite: true
      type: keyword
    - name: dstburb
      overwrite: true
      type: keyword
    - name: edomain
      overwrite: true
      type: keyword
    - name: edomaub
      overwrite: true
      type: keyword
    - name: euid
      overwrite: true
      type: keyword
    - name: facility
      overwrite: true
      type: keyword
    - name: finterface
      overwrite: true
      type: keyword
    - name: flags
      overwrite: true
      type: keyword
    - name: gaddr
      overwrite: true
      type: keyword
    - name: id3
      overwrite: true
      type: keyword
    - name: im_buddyname
      overwrite: true
      type: keyword
    - name: im_croomid
      overwrite: true
      type: keyword
    - name: im_croomtype
      overwrite: true
      type: keyword
    - name: im_members
      overwrite: true
      type: keyword
    - name: im_username
      overwrite: true
      type: keyword
    - name: ipkt
      overwrite: true
      type: keyword
    - name: ipscat
      overwrite: true
      type: keyword
    - name: ipspri
      overwrite: true
      type: keyword
    - name: latitude
      overwrite: true
      type: keyword
    - name: linenum
      overwrite: true
      type: keyword
    - name: list_name
      overwrite: true
      type: keyword
    - name: load_data
      overwrite: true
      type: keyword
    - name: location_floor
      overwrite: true
      type: keyword
    - name: location_mark
      overwrite: true
      type: keyword
    - name: log_id
      overwrite: true
      type: keyword
    - name: log_type
      overwrite: true
      type: keyword
    - name: logid
      overwrite: true
      type: keyword
    - name: logip
      overwrite: true
      type: keyword
    - name: logname
      overwrite: true
      type: keyword
    - name: longitude
      overwrite: true
      type: keyword
    - name: lport
      overwrite: true
      type: keyword
    - name: mbug_data
      overwrite: true
      type: keyword
    - name: misc_name
      overwrite: true
      type: keyword
    - name: msg_type
      overwrite: true
      type: keyword
    - name: msgid
      overwrite: true
      type: keyword
    - name: netsessid
      overwrite: true
      type: keyword
    - name: num
      overwrite: true
      type: keyword
    - name: number1
      overwrite: true
      type: keyword
    - name: number2
      overwrite: true
      type: keyword
    - name: nwwn
      overwrite: true
      type: keyword
    - name: object
      overwrite: true
      type: keyword
    - name: operation
      overwrite: true
      type: keyword
    - name: opkt
      overwrite: true
      type: keyword
    - name: orig_from
      overwrite: true
      type: keyword
    - name: owner_id
      overwrite: true
      type: keyword
    - name: p_action
      overwrite: true
      type: keyword
    - name: p_filter
      overwrite: true
      type: keyword
    - name: p_group_object
      overwrite: true
      type: keyword
    - name: p_id
      overwrite: true
      type: keyword
    - name: p_msgid1
      overwrite: true
      type: keyword
    - name: p_msgid2
      overwrite: true
      type: keyword
    - name: p_result1
      overwrite: true
      type: keyword
    - name: password_chg
      overwrite: true
      type: keyword
    - name: password_expire
      overwrite: true
      type: keyword
    - name: permgranted
      overwrite: true
      type: keyword
    - name: permwanted
      overwrite: true
      type: keyword
    - name: pgid
      overwrite: true
      type: keyword
    - name: policyUUID
      overwrite: true
      type: keyword
    - name: prog_asp_num
      overwrite: true
      type: keyword
    - name: program
      overwrite: true
      type: keyword
    - name: real_data
      overwrite: true
      type: keyword
    - name: rec_asp_device
      overwrite: true
      type: keyword
    - name: rec_asp_num
      overwrite: true
      type: keyword
    - name: rec_library
      overwrite: true
      type: keyword
    - name: recordnum
      overwrite: true
      type: keyword
    - name: ruid
      overwrite: true
      type: keyword
    - name: sburb
      overwrite: true
      type: keyword
    - name: sdomain_fld
      overwrite: true
      type: keyword
    - name: sec
      overwrite: true
      type: keyword
    - name: sensorname
      overwrite: true
      type: keyword
    - name: seqnum
      overwrite: true
      type: keyword
    - name: session
      overwrite: true
      type: keyword
    - name: sessiontype
      overwrite: true
      type: keyword
    - name: sigUUID
      overwrite: true
      type: keyword
    - name: spi
      overwrite: true
      type: keyword
    - name: srcburb
      overwrite: true
      type: keyword
    - name: srcdom
      overwrite: true
      type: keyword
    - name: srcservice
      overwrite: true
      type: keyword
    - name: state
      overwrite: true
      type: keyword
    - name: status1
      overwrite: true
      type: keyword
    - name: svcno
      overwrite: true
      type: keyword
    - name: system
      overwrite: true
      type: keyword
    - name: tbdstr1
      overwrite: true
      type: keyword
    - name: tgtdom
      overwrite: true
      type: keyword
    - name: tgtdomain
      overwrite: true
      type: keyword
    - name: threshold
      overwrite: true
      type: keyword
    - name: type1
      overwrite: true
      type: keyword
    - name: udb_class
      overwrite: true
      type: keyword
    - name: url_fld
      overwrite: true
      type: keyword
    - name: user_div
      overwrite: true
      type: keyword
    - name: userid
      overwrite: true
      type: keyword
    - name: username_fld
      overwrite: true
      type: keyword
    - name: utcstamp
      overwrite: true
      type: keyword
    - name: v_instafname
      overwrite: true
      type: keyword
    - name: virt_data
      overwrite: true
      type: keyword
    - name: vpnid
      overwrite: true
      type: keyword
    - name: autorun_type
      overwrite: true
      type: keyword
      description: This is used to capture the Auto Run type
    - name: cc_number
      overwrite: true
      type: long
      description: Valid Credit Card Numbers only
    - name: content
      overwrite: true
      type: keyword
      description: This key captures the content type from protocol headers
    - name: ein_number
      overwrite: true
      type: long
      description: Employee Identification Numbers only
    - name: found
      overwrite: true
      type: keyword
      description: This is used to capture the results of a regex match
    - name: language
      overwrite: true
      type: keyword
      description: This is used to capture the list of languages the client supports and which it prefers
    - name: lifetime
      overwrite: true
      type: long
      description: This key is used to capture the session lifetime in seconds.
    - name: link
      overwrite: true
      type: keyword
      description: This key is used to link the sessions together. This key should never be used to parse metadata from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
    - name: match
      overwrite: true
      type: keyword
      description: This key is for the regex match name from search.ini
    - name: param_dst
      overwrite: true
      type: keyword
      description: This key captures the command line/launch argument of the target process or file
    - name: param_src
      overwrite: true
      type: keyword
      description: This key captures the source parameter
    - name: search_text
      overwrite: true
      type: keyword
      description: This key captures the Search Text used
    - name: sig_name
      overwrite: true
      type: keyword
      description: This key is used to capture the Signature Name only.
    - name: snmp_value
      overwrite: true
      type: keyword
      description: SNMP set request value
    - name: streams
      overwrite: true
      type: long
      description: This key captures the number of streams in the session
- name: db
  overwrite: true
  type: group
  fields:
    - name: index
      overwrite: true
      type: keyword
      description: This key captures the IndexID of the index.
    - name: instance
      overwrite: true
      type: keyword
      description: This key is used to capture the database server instance name
    - name: database
      overwrite: true
      type: keyword
      description: This key is used to capture the name of a database or an instance as seen in a session
    - name: transact_id
      overwrite: true
      type: keyword
      description: This key captures the SQL transaction ID of the current session
    - name: permissions
      overwrite: true
      type: keyword
      description: This key captures the permission or privilege level assigned to a resource.
    - name: table_name
      overwrite: true
      type: keyword
      description: This key is used to capture the table name
    - name: db_id
      overwrite: true
      type: keyword
      description: This key is used to capture the unique identifier for a database
    - name: db_pid
      overwrite: true
      type: long
      description: This key captures the process id of a connection with the database server
    - name: lread
      overwrite: true
      type: long
      description: This key is used for the number of logical reads
    - name: lwrite
      overwrite: true
      type: long
      description: This key is used for the number of logical writes
    - name: pread
      overwrite: true
      type: long
      description: This key is used for the number of physical writes
- name: network
  overwrite: true
  type: group
  fields:
    - name: alias_host
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
    - name: domain
      overwrite: true
      type: keyword
    - name: host_dst
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Hostname"
    - name: network_service
      overwrite: true
      type: keyword
      description: This is used to capture layer 7 protocols/service names
    - name: interface
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of an interface is not clear
    - name: network_port
      overwrite: true
      type: long
      description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
    - name: eth_host
      overwrite: true
      type: keyword
      description: Deprecated, use alias.mac
    - name: sinterface
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Source Interface"
    - name: dinterface
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Interface"
    - name: vlan
      overwrite: true
      type: long
      description: This key should only be used to capture the ID of the Virtual LAN
    - name: zone_src
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Source Zone."
    - name: zone
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of a Zone is not clear
    - name: zone_dst
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Zone."
    - name: gateway
      overwrite: true
      type: keyword
      description: This key is used to capture the IP Address of the gateway
    - name: icmp_type
      overwrite: true
      type: long
      description: This key is used to capture the ICMP type only
    - name: mask
      overwrite: true
      type: keyword
      description: This key is used to capture the device network IP mask.
    - name: icmp_code
      overwrite: true
      type: long
      description: This key is used to capture the ICMP code only
    - name: protocol_detail
      overwrite: true
      type: keyword
      description: This key should be used to capture additional protocol information
    - name: dmask
      overwrite: true
      type: keyword
      description: This key is used for the Destination Device network mask
    - name: port
      overwrite: true
      type: long
      description: This key should only be used to capture a Network Port when the directionality is not clear
    - name: smask
      overwrite: true
      type: keyword
      description: This key is used for capturing the source Network Mask
    - name: netname
      overwrite: true
      type: keyword
      description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
    - name: paddr
      overwrite: true
      type: ip
      description: Deprecated
    - name: faddr
      overwrite: true
      type: keyword
    - name: lhost
      overwrite: true
      type: keyword
    - name: origin
      overwrite: true
      type: keyword
    - name: remote_domain_id
      overwrite: true
      type: keyword
    - name: addr
      overwrite: true
      type: keyword
    - name: dns_a_record
      overwrite: true
      type: keyword
    - name: dns_ptr_record
      overwrite: true
      type: keyword
    - name: fhost
      overwrite: true
      type: keyword
    - name: fport
      overwrite: true
      type: keyword
    - name: laddr
      overwrite: true
      type: keyword
    - name: linterface
      overwrite: true
      type: keyword
    - name: phost
      overwrite: true
      type: keyword
    - name: ad_computer_dst
      overwrite: true
      type: keyword
      description: Deprecated, use host.dst
    - name: eth_type
      overwrite: true
      type: long
      description: This key is used to capture the Ethernet Type. Used for Layer 3 Protocols Only
    - name: ip_proto
      overwrite: true
      type: long
      description: This key should be used to capture the Protocol number; all the protocol numbers are converted into strings in the UI
    - name: dns_cname_record
      overwrite: true
      type: keyword
    - name: dns_id
      overwrite: true
      type: keyword
    - name: dns_opcode
      overwrite: true
      type: keyword
    - name: dns_resp
      overwrite: true
      type: keyword
    - name: dns_type
      overwrite: true
      type: keyword
    - name: domain1
      overwrite: true
      type: keyword
    - name: host_type
      overwrite: true
      type: keyword
    - name: packet_length
      overwrite: true
      type: keyword
    - name: host_orig
      overwrite: true
      type: keyword
      description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
    - name: rpayload
      overwrite: true
      type: keyword
      description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
    - name: vlan_name
      overwrite: true
      type: keyword
      description: This key should only be used to capture the name of the Virtual LAN
- name: investigations
  overwrite: true
  type: group
  fields:
    - name: ec_activity
      overwrite: true
      type: keyword
      description: 'This key captures the particular event activity (Ex: Logoff)'
    - name: ec_theme
      overwrite: true
      type: keyword
      description: 'This key captures the Theme of a particular Event (Ex: Authentication)'
    - name: ec_subject
      overwrite: true
      type: keyword
      description: 'This key captures the Subject of a particular Event (Ex: User)'
    - name: ec_outcome
      overwrite: true
      type: keyword
      description: 'This key captures the outcome of a particular Event (Ex: Success)'
    - name: event_cat
      overwrite: true
      type: long
      description: This key captures the Event category number
    - name: event_cat_name
      overwrite: true
      type: keyword
      description: This key captures the event category name corresponding to the event cat code
    - name: event_vcat
      overwrite: true
      type: keyword
      description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
    - name: analysis_file
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
    - name: analysis_service
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
    - name: analysis_session
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
    - name: boc
      overwrite: true
      type: keyword
      description: This is used to capture behaviour of compromise
    - name: eoc
      overwrite: true
      type: keyword
      description: This is used to capture Enablers of Compromise
    - name: inv_category
      overwrite: true
      type: keyword
      description: This is used to capture the investigation category
    - name: inv_context
      overwrite: true
      type: keyword
      description: This is used to capture the investigation context
    - name: ioc
      overwrite: true
      type: keyword
      description: This key is used to capture an indicator of compromise
- name: counters
  overwrite: true
  type: group
  fields:
    - name: dclass_c1
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c1.str only
    - name: dclass_c2
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c2.str only
    - name: event_counter
      overwrite: true
      type: long
      description: This is used to capture the number of times an event repeated
    - name: dclass_r1
      overwrite: true
      type: keyword
      description: This is a generic ratio key that should be used with the label dclass.r1.str only
    - name: dclass_c3
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c3.str only
    - name: dclass_c1_str
      overwrite: true
      type: keyword
      description: This is a generic counter string key that should be used with the label dclass.c1 only
    - name: dclass_c2_str
      overwrite: true
      type: keyword
      description: This is a generic counter string key that should be used with the label dclass.c2 only
    - name: dclass_r1_str
      overwrite: true
      type: keyword
      description: This is a generic ratio string key that should be used with the label dclass.r1 only
    - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: bluecoat title: Blue Coat Director description: > bluecoat fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture Behaviours of Compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture the investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture the investigation context - name: ioc overwrite: true type: keyword description: This key captures an Indicator of Compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture the actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: RADIUS realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures the Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only; this is used predominantly in Healthcare to capture patient information - name: lastname overwrite: true type: keyword description: This key is for Last Names only; this is used predominantly in Healthcare to capture patient information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures the Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only; this is used predominantly in Healthcare to capture patient information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. LDAP values that don\u2019t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key captures the Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only; when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only; when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the company name of the file, as located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the SSID of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the wireless channel - name: wlan_name overwrite: true type: keyword description: This key captures either the WLAN number or name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GeoIP MaxMind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GeoIP MaxMind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only; this is used predominantly in Healthcare to capture patient information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only; this is used predominantly in Healthcare to capture patient information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only; this is used predominantly in Healthcare to capture patient information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: cef-module title: CEF description: > Module for receiving CEF logs over Syslog. The module adds vendor-specific fields in addition to the fields the decode_cef processor provides. fields: - name: forcepoint type: group default_field: false description: > Fields for Forcepoint Custom String mappings fields: - name: virus_id type: keyword description: > Virus ID - name: checkpoint type: group default_field: false description: > Fields for Check Point custom string mappings. fields: - name: app_risk type: keyword overwrite: true description: Application risk. - name: app_severity type: keyword overwrite: true description: Application threat severity. - name: app_sig_id type: keyword overwrite: true description: The signature ID by which the application was detected.
- name: auth_method type: keyword overwrite: true description: Password authentication protocol used. - name: category type: keyword overwrite: true description: Category. - name: confidence_level type: integer overwrite: true description: Confidence level determined. - name: connectivity_state type: keyword overwrite: true description: Connectivity state. - name: cookie type: keyword overwrite: true description: IKE cookie. - name: dst_phone_number type: keyword overwrite: true description: Destination IP-Phone. - name: email_control type: keyword overwrite: true description: Engine name. - name: email_id type: keyword overwrite: true description: Internal email ID. - name: email_recipients_num type: long overwrite: true description: Number of recipients. - name: email_session_id type: keyword overwrite: true description: Internal email session ID. - name: email_spool_id overwrite: true type: keyword description: Internal email spool ID. - name: email_subject type: keyword overwrite: true description: Email subject. - name: event_count type: long overwrite: true description: Number of events associated with the log. - name: frequency type: keyword overwrite: true description: Scan frequency. - name: icmp_type type: long overwrite: true description: ICMP type. - name: icmp_code type: long overwrite: true description: ICMP code. - name: identity_type type: keyword overwrite: true description: Identity type. - name: incident_extension type: keyword overwrite: true description: Format of original data. - name: integrity_av_invoke_type type: keyword overwrite: true description: Scan invoke type. - name: malware_family type: keyword overwrite: true description: Malware family. - name: peer_gateway type: ip overwrite: true description: Main IP of the peer Security Gateway. - name: performance_impact type: integer overwrite: true description: Protection performance impact. - name: protection_id type: keyword overwrite: true description: Protection malware ID. 
- name: protection_name type: keyword overwrite: true description: Specific signature name of the attack. - name: protection_type type: keyword overwrite: true description: Type of protection used to detect the attack. - name: scan_result type: keyword overwrite: true description: Scan result. - name: sensor_mode type: keyword overwrite: true description: Sensor mode. - name: severity type: keyword overwrite: true description: Threat severity. - name: spyware_name type: keyword overwrite: true description: Spyware name. - name: spyware_status type: keyword overwrite: true description: Spyware status. - name: subs_exp type: date overwrite: true description: The expiration date of the subscription. - name: tcp_flags type: keyword overwrite: true description: TCP packet flags. - name: termination_reason type: keyword overwrite: true description: Termination reason. - name: update_status type: keyword overwrite: true description: Update status. - name: user_status type: keyword overwrite: true description: User response. - name: uuid type: keyword overwrite: true description: External ID. - name: virus_name type: keyword overwrite: true description: Virus name. - name: voip_log_type type: keyword overwrite: true description: VoIP log types. - name: cef.extensions type: group default_field: false description: > Extra vendor-specific extensions. 
fields: - name: cp_app_risk type: keyword - name: cp_severity type: keyword - name: ifname type: keyword - name: inzone type: keyword - name: layer_uuid type: keyword - name: layer_name type: keyword - name: logid type: keyword - name: loguid type: keyword - name: match_id type: keyword - name: nat_addtnl_rulenum type: keyword - name: nat_rulenum type: keyword - name: origin type: keyword - name: originsicname type: keyword - name: outzone type: keyword - name: parent_rule type: keyword - name: product type: keyword - name: rule_action type: keyword - name: rule_uid type: keyword - name: sequencenum type: keyword - name: service_id type: keyword - name: version type: keyword - key: checkpoint title: Checkpoint description: > Some checkpoint module fields: - name: checkpoint type: group release: beta default_field: false description: > Module for parsing Checkpoint syslog. fields: - name: confidence_level type: integer overwrite: true description: > Confidence level determined by ThreatCloud. - name: calc_desc type: keyword overwrite: true description: > Log description. - name: dst_country type: keyword overwrite: true description: > Destination country. - name: dst_user_name type: keyword overwrite: true description: > Connected user name on the destination IP. - name: email_id type: keyword overwrite: true description: > Email number in smtp connection. - name: email_subject type: keyword overwrite: true description: > Original email subject. - name: email_session_id type: keyword overwrite: true description: > Connection uuid. - name: event_count type: long overwrite: true description: > Number of events associated with the log. - name: sys_message type: keyword overwrite: true description: > System messages - name: logid type: keyword overwrite: true description: > System messages - name: failure_impact type: keyword overwrite: true description: > The impact of update service failure. 
- name: id type: integer overwrite: true description: > Override application ID. - name: information type: keyword overwrite: true description: > Policy installation status for a specific blade. - name: layer_name type: keyword overwrite: true description: > Layer name. - name: layer_uuid type: keyword overwrite: true description: > Layer UUID. - name: log_id type: integer overwrite: true description: > Unique identity for logs. - name: malware_family type: keyword overwrite: true description: > Additional information on protection. - name: origin_sic_name type: keyword overwrite: true description: > Machine SIC. - name: policy_mgmt type: keyword overwrite: true description: > Name of the Management Server that manages this Security Gateway. - name: policy_name type: keyword overwrite: true description: > Name of the last policy that this Security Gateway fetched. - name: protection_id type: keyword overwrite: true description: > Protection malware id. - name: protection_name type: keyword overwrite: true description: > Specific signature name of the attack. - name: protection_type type: keyword overwrite: true description: > Type of protection used to detect the attack. - name: protocol type: keyword overwrite: true description: > Protocol detected on the connection. - name: proxy_src_ip type: ip overwrite: true description: > Sender source IP (even when using proxy). - name: rule type: integer overwrite: true description: > Matched rule number. - name: rule_action type: keyword overwrite: true description: > Action of the matched rule in the access policy. - name: scan_direction type: keyword overwrite: true description: > Scan direction. - name: session_id type: keyword overwrite: true description: > Log uuid. - name: source_os type: keyword overwrite: true description: > OS which generated the attack. - name: src_country type: keyword overwrite: true description: > Country name, derived from connection source IP address. 
- name: src_user_name type: keyword overwrite: true description: > User name connected to the source IP. - name: ticket_id type: keyword overwrite: true description: > Unique ID per file. - name: tls_server_host_name type: keyword overwrite: true description: > SNI/CN from the encrypted TLS connection, used by URLF for categorization. - name: verdict type: keyword overwrite: true description: > TE engine verdict. Possible values: Malicious/Benign/Error. - name: user type: keyword overwrite: true description: > Source user name. - name: vendor_list type: keyword overwrite: true description: > The vendor name that provided the verdict for a malicious URL. - name: web_server_type type: keyword overwrite: true description: > Web server detected in the HTTP response. - name: client_name type: keyword overwrite: true description: > Client Application or Software Blade that detected the event. - name: client_version type: keyword overwrite: true description: > Build version of the SandBlast Agent client installed on the computer. - name: extension_version type: keyword overwrite: true description: > Build version of the SandBlast Agent browser extension. - name: host_time type: keyword overwrite: true description: > Local time on the endpoint computer. - name: installed_products type: keyword overwrite: true description: > List of installed Endpoint Software Blades. - name: cc type: keyword overwrite: true description: > The Carbon Copy address of the email. - name: parent_process_username type: keyword overwrite: true description: > Owner username of the parent process of the process that triggered the attack. - name: process_username type: keyword overwrite: true description: > Owner username of the process that triggered the attack. - name: audit_status type: keyword overwrite: true description: > Audit Status. Can be Success or Failure. - name: objecttable type: keyword overwrite: true description: > Table of affected objects.
- name: objecttype type: keyword overwrite: true description: > The type of the affected object. - name: operation_number type: keyword overwrite: true description: > The operation number. - name: email_recipients_num type: integer overwrite: true description: > Number of recipients the mail was sent to. - name: suppressed_logs type: integer overwrite: true description: > Aggregated connections for five minutes on the same source, destination and port. - name: blade_name type: keyword overwrite: true description: > Blade name. - name: status type: keyword overwrite: true description: > Ok/Warning/Error. - name: short_desc type: keyword overwrite: true description: > Short description of the process that was executed. - name: long_desc type: keyword overwrite: true description: > More information on the process (usually describing the error reason in case of failure). - name: scan_hosts_hour type: integer overwrite: true description: > Number of unique hosts during the last hour. - name: scan_hosts_day type: integer overwrite: true description: > Number of unique hosts during the last day. - name: scan_hosts_week type: integer overwrite: true description: > Number of unique hosts during the last week. - name: unique_detected_hour type: integer overwrite: true description: > Number of viruses detected on a specific host during the last hour. - name: unique_detected_day type: integer overwrite: true description: > Number of viruses detected on a specific host during the last day. - name: unique_detected_week type: integer overwrite: true description: > Number of viruses detected on a specific host during the last week. - name: scan_mail type: integer overwrite: true description: > Number of emails that were scanned by the "AB malicious activity" engine. - name: additional_ip type: keyword overwrite: true description: > DNS host name. - name: description type: keyword overwrite: true description: > Additional explanation of how the security gateway enforced the connection.
- name: email_spam_category type: keyword overwrite: true description: > Email categories. Possible values: spam/not spam/phishing. - name: email_control_analysis type: keyword overwrite: true description: > Message classification, received from the spam vendor engine. - name: scan_results type: keyword overwrite: true description: > "Infected"/description of a failure. - name: original_queue_id type: keyword overwrite: true description: > Original Postfix email queue ID. - name: risk type: keyword overwrite: true description: > Risk level reported by the engine. - name: observable_name type: keyword overwrite: true description: > IOC observable signature name. - name: observable_id type: keyword overwrite: true description: > IOC observable signature id. - name: observable_comment type: keyword overwrite: true description: > IOC observable signature description. - name: indicator_name type: keyword overwrite: true description: > IOC indicator name. - name: indicator_description type: keyword overwrite: true description: > IOC indicator description. - name: indicator_reference type: keyword overwrite: true description: > IOC indicator reference. - name: indicator_uuid type: keyword overwrite: true description: > IOC indicator uuid. - name: app_desc type: keyword overwrite: true description: > Application description. - name: app_id type: integer overwrite: true description: > Application ID. - name: app_sig_id type: keyword overwrite: true description: > The signature ID by which the application was detected. - name: certificate_resource type: keyword overwrite: true description: > HTTPS resource. Possible values: SNI or domain name (DN). - name: certificate_validation type: keyword overwrite: true description: > Precise error describing the HTTPS certificate failure under the "HTTPS categorize websites" feature. - name: browse_time type: keyword overwrite: true description: > Application session browse time.
- name: limit_requested type: integer overwrite: true description: > Indicates whether a data limit was requested for the session. - name: limit_applied type: integer overwrite: true description: > Indicates whether the session was actually data limited. - name: dropped_total type: integer overwrite: true description: > Number of dropped packets (both incoming and outgoing). - name: client_type_os type: keyword overwrite: true description: > Client OS detected in the HTTP request. - name: name type: keyword overwrite: true description: > Application name. - name: properties type: keyword overwrite: true description: > Application categories. - name: sig_id type: keyword overwrite: true description: > The signature ID by which the application was detected. - name: desc type: keyword overwrite: true description: > Override application description. - name: referrer_self_uid type: keyword overwrite: true description: > UUID of the current log. - name: referrer_parent_uid type: keyword overwrite: true description: > Log UUID of the referring application. - name: needs_browse_time type: integer overwrite: true description: > Browse time required for the connection. - name: cluster_info type: keyword overwrite: true description: > Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - name: sync type: keyword overwrite: true description: > Sync status and the reason (stable, at risk). - name: file_direction type: keyword overwrite: true description: > File direction. Possible options: upload/download. - name: invalid_file_size type: integer overwrite: true description: > The file_size field is valid only if this field is set to 0. - name: top_archive_file_name type: keyword overwrite: true description: > In case of an archive file: the file that was sent/received. - name: data_type_name type: keyword overwrite: true description: > Data type in the rulebase that was matched.
    - name: specific_data_type_name
      type: keyword
      overwrite: true
      description: >
        Compound/Group scenario, data type that was matched.
    - name: word_list
      type: keyword
      overwrite: true
      description: >
        Words matched by data type.
    - name: info
      type: keyword
      overwrite: true
      description: >
        Special log message.
    - name: outgoing_url
      type: keyword
      overwrite: true
      description: >
        URL related to this log (for HTTP).
    - name: dlp_rule_name
      type: keyword
      overwrite: true
      description: >
        Matched rule name.
    - name: dlp_recipients
      type: keyword
      overwrite: true
      description: >
        Mail recipients.
    - name: dlp_subject
      type: keyword
      overwrite: true
      description: >
        Mail subject.
    - name: dlp_word_list
      type: keyword
      overwrite: true
      description: >
        Phrases matched by data type.
    - name: dlp_template_score
      type: keyword
      overwrite: true
      description: >
        Template data type match score.
    - name: message_size
      type: integer
      overwrite: true
      description: >
        Mail/post size.
    - name: dlp_incident_uid
      type: keyword
      overwrite: true
      description: >
        Unique ID of the matched rule.
    - name: dlp_related_incident_uid
      type: keyword
      overwrite: true
      description: >
        Other ID related to this one.
    - name: dlp_data_type_name
      type: keyword
      overwrite: true
      description: >
        Matched data type.
    - name: dlp_data_type_uid
      type: keyword
      overwrite: true
      description: >
        Unique ID of the matched data type.
    - name: dlp_violation_description
      type: keyword
      overwrite: true
      description: >
        Violation descriptions described in the rulebase.
    - name: dlp_relevant_data_types
      type: keyword
      overwrite: true
      description: >
        In case of Compound/Group: the inner data types that were matched.
    - name: dlp_action_reason
      type: keyword
      overwrite: true
      description: >
        Action chosen reason.
    - name: dlp_categories
      type: keyword
      overwrite: true
      description: >
        Data type category.
    - name: dlp_transint
      type: keyword
      overwrite: true
      description: >
        HTTP/SMTP/FTP.
    - name: duplicate
      type: keyword
      overwrite: true
      description: >
        Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
    - name: incident_extension
      type: keyword
      overwrite: true
      description: >
        Matched data type.
    - name: matched_file
      type: keyword
      overwrite: true
      description: >
        Unique ID of the matched data type.
    - name: matched_file_text_segments
      type: integer
      overwrite: true
      description: >
        Fingerprint: number of text segments matched by this traffic.
    - name: matched_file_percentage
      type: integer
      overwrite: true
      description: >
        Fingerprint: match percentage of the traffic.
    - name: dlp_additional_action
      type: keyword
      overwrite: true
      description: >
        Watermark/None.
    - name: dlp_watermark_profile
      type: keyword
      overwrite: true
      description: >
        Watermark which was applied.
    - name: dlp_repository_id
      type: keyword
      overwrite: true
      description: >
        ID of scanned repository.
    - name: dlp_repository_root_path
      type: keyword
      overwrite: true
      description: >
        Repository path.
    - name: scan_id
      type: keyword
      overwrite: true
      description: >
        Sequential number of scan.
    - name: special_properties
      type: integer
      overwrite: true
      description: >
        If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
    - name: dlp_repository_total_size
      type: integer
      overwrite: true
      description: >
        Repository size.
    - name: dlp_repository_files_number
      type: integer
      overwrite: true
      description: >
        Number of files in repository.
    - name: dlp_repository_scanned_files_number
      type: integer
      overwrite: true
      description: >
        Number of scanned files in repository.
    - name: duration
      type: keyword
      overwrite: true
      description: >
        Scan duration.
    - name: dlp_fingerprint_long_status
      type: keyword
      overwrite: true
      description: >
        Scan status - long format.
    - name: dlp_fingerprint_short_status
      type: keyword
      overwrite: true
      description: >
        Scan status - short format.
    - name: dlp_repository_directories_number
      type: integer
      overwrite: true
      description: >
        Number of directories in repository.
    - name: dlp_repository_unreachable_directories_number
      type: integer
      overwrite: true
      description: >
        Number of directories the Security Gateway was unable to read.
    - name: dlp_fingerprint_files_number
      type: integer
      overwrite: true
      description: >
        Number of successfully scanned files in repository.
    - name: dlp_repository_skipped_files_number
      type: integer
      overwrite: true
      description: >
        Number of files skipped because of configuration.
    - name: dlp_repository_scanned_directories_number
      type: integer
      overwrite: true
      description: >
        Amount of directories scanned.
    - name: number_of_errors
      type: integer
      overwrite: true
      description: >
        Number of files that were not scanned due to an error.
    - name: next_scheduled_scan_date
      type: keyword
      overwrite: true
      description: >
        Next scan scheduled time according to time object.
    - name: dlp_repository_scanned_total_size
      type: integer
      overwrite: true
      description: >
        Size scanned.
    - name: dlp_repository_reached_directories_number
      type: integer
      overwrite: true
      description: >
        Number of scanned directories in repository.
    - name: dlp_repository_not_scanned_directories_percentage
      type: integer
      overwrite: true
      description: >
        Percentage of directories the Security Gateway was unable to read.
    - name: speed
      type: integer
      overwrite: true
      description: >
        Current scan speed.
    - name: dlp_repository_scan_progress
      type: integer
      overwrite: true
      description: >
        Scan percentage.
    - name: sub_policy_name
      type: keyword
      overwrite: true
      description: >
        Layer name.
    - name: sub_policy_uid
      type: keyword
      overwrite: true
      description: >
        Layer uid.
    - name: fw_message
      type: keyword
      overwrite: true
      description: >
        Used for various firewall errors.
    - name: message
      type: keyword
      overwrite: true
      description: >
        ISP link has failed.
    - name: isp_link
      type: keyword
      overwrite: true
      description: >
        Name of ISP link.
    - name: fw_subproduct
      type: keyword
      overwrite: true
      description: >
        Can be vpn/non vpn.
    - name: sctp_error
      type: keyword
      overwrite: true
      description: >
        Error information, what caused sctp to fail on out_of_state.
    - name: chunk_type
      type: keyword
      overwrite: true
      description: >
        Chunk of the SCTP stream.
    - name: sctp_association_state
      type: keyword
      overwrite: true
      description: >
        The bad state you were trying to update to.
    - name: tcp_packet_out_of_state
      type: keyword
      overwrite: true
      description: >
        State violation.
    - name: tcp_flags
      type: keyword
      overwrite: true
      description: >
        TCP packet flags (SYN, ACK, etc.).
    - name: connectivity_level
      type: keyword
      overwrite: true
      description: >
        Log for a new connection in wire mode.
    - name: ip_option
      type: integer
      overwrite: true
      description: >
        IP option that was dropped.
    - name: tcp_state
      type: keyword
      overwrite: true
      description: >
        Log reinting a tcp state change.
    - name: expire_time
      type: keyword
      overwrite: true
      description: >
        Connection closing time.
    - name: icmp_type
      type: integer
      overwrite: true
      description: >
        In case a connection is ICMP, type info will be added to the log.
    - name: icmp_code
      type: integer
      overwrite: true
      description: >
        In case a connection is ICMP, code info will be added to the log.
    - name: rpc_prog
      type: integer
      overwrite: true
      description: >
        Log for new RPC state - prog values.
    - name: dce-rpc_interface_uuid
      type: keyword
      overwrite: true
      description: >
        Log for new RPC state - UUID values.
    - name: elapsed
      type: keyword
      overwrite: true
      description: >
        Time passed since start time.
    - name: icmp
      type: keyword
      overwrite: true
      description: >
        Number of packets, received by the client.
    - name: capture_uuid
      type: keyword
      overwrite: true
      description: >
        UUID generated for the capture. Used when enabling the capture when logging.
    - name: diameter_app_ID
      type: integer
      overwrite: true
      description: >
        The ID of diameter application.
    - name: diameter_cmd_code
      type: integer
      overwrite: true
      description: >
        Diameter not allowed application command id.
    - name: diameter_msg_type
      type: keyword
      overwrite: true
      description: >
        Diameter message type.
    - name: cp_message
      type: integer
      overwrite: true
      description: >
        Used to log a general message.
    - name: log_delay
      type: integer
      overwrite: true
      description: >
        Time left before deleting template.
    - name: attack_status
      type: keyword
      overwrite: true
      description: >
        In case of a malicious event on an endpoint computer, the status of the attack.
    - name: impacted_files
      type: keyword
      overwrite: true
      description: >
        In case of an infection on an endpoint computer, the list of files that the malware impacted.
    - name: remediated_files
      type: keyword
      overwrite: true
      description: >
        In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
    - name: triggered_by
      type: keyword
      overwrite: true
      description: >
        The name of the mechanism that triggered the Software Blade to enforce a protection.
    - name: https_inspection_rule_id
      type: keyword
      overwrite: true
      description: >
        ID of the matched rule.
    - name: https_inspection_rule_name
      type: keyword
      overwrite: true
      description: >
        Name of the matched rule.
    - name: app_properties
      type: keyword
      overwrite: true
      description: >
        List of all found categories.
    - name: https_validation
      type: keyword
      overwrite: true
      description: >
        Precise error, describing HTTPS inspection failure.
    - name: https_inspection_action
      type: keyword
      overwrite: true
      description: >
        HTTPS inspection action (Inspect/Bypass/Error).
    - name: icap_service_id
      type: integer
      overwrite: true
      description: >
        Service ID, can work with multiple servers, treated as services.
    - name: icap_server_name
      type: keyword
      overwrite: true
      description: >
        Server name.
    - name: internal_error
      type: keyword
      overwrite: true
      description: >
        Internal error, for troubleshooting.
    - name: icap_more_info
      type: integer
      overwrite: true
      description: >
        Free text for verdict.
    - name: reply_status
      type: integer
      overwrite: true
      description: >
        ICAP reply status code, e.g. 200 or 204.
    - name: icap_server_service
      type: keyword
      overwrite: true
      description: >
        Service name, as given in the ICAP URI.
    - name: mirror_and_decrypt_type
      type: keyword
      overwrite: true
      description: >
        Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
    - name: interface_name
      type: keyword
      overwrite: true
      description: >
        Designated interface for mirror and decrypt.
    - name: session_uid
      type: keyword
      overwrite: true
      description: >
        HTTP session-id.
    - name: broker_publisher
      type: ip
      overwrite: true
      description: >
        IP address of the broker publisher who shared the session information.
    - name: src_user_dn
      type: keyword
      overwrite: true
      description: >
        User distinguished name connected to source IP.
    - name: proxy_user_name
      type: keyword
      overwrite: true
      description: >
        User name connected to proxy IP.
    - name: proxy_machine_name
      type: integer
      overwrite: true
      description: >
        Machine name connected to proxy IP.
    - name: proxy_user_dn
      type: keyword
      overwrite: true
      description: >
        User distinguished name connected to proxy IP.
    - name: query
      type: keyword
      overwrite: true
      description: >
        DNS query.
    - name: dns_query
      type: keyword
      overwrite: true
      description: >
        DNS query.
    - name: inspection_item
      type: keyword
      overwrite: true
      description: >
        Blade element performed inspection.
    - name: performance_impact
      type: integer
      overwrite: true
      description: >
        Protection performance impact.
    - name: inspection_category
      type: keyword
      overwrite: true
      description: >
        Inspection category: protocol anomaly, signature etc.
    - name: inspection_profile
      type: keyword
      overwrite: true
      description: >
        Profile which the activated protection belongs to.
    - name: summary
      type: keyword
      overwrite: true
      description: >
        Summary message of a non-compliant DNS traffic drops or detects.
    - name: question_rdata
      type: keyword
      overwrite: true
      description: >
        List of question records domains.
    - name: answer_rdata
      type: keyword
      overwrite: true
      description: >
        List of answer resource records to the questioned domains.
    - name: authority_rdata
      type: keyword
      overwrite: true
      description: >
        List of authoritative servers.
    - name: additional_rdata
      type: keyword
      overwrite: true
      description: >
        List of additional resource records.
    - name: files_names
      type: keyword
      overwrite: true
      description: >
        List of files requested by FTP.
    - name: ftp_user
      type: keyword
      overwrite: true
      description: >
        FTP username.
    - name: mime_from
      type: keyword
      overwrite: true
      description: >
        Sender's address.
    - name: mime_to
      type: keyword
      overwrite: true
      description: >
        List of receiver addresses.
    - name: bcc
      type: keyword
      overwrite: true
      description: >
        List of BCC addresses.
    - name: content_type
      type: keyword
      overwrite: true
      description: >
        Mail content type. Possible values: application/msword, text/html, image/gif etc.
    - name: user_agent
      type: keyword
      overwrite: true
      description: >
        String identifying requesting software user agent.
    - name: referrer
      type: keyword
      overwrite: true
      description: >
        Referrer HTTP request header, previous web page address.
    - name: http_location
      type: keyword
      overwrite: true
      description: >
        Response header, indicates the URL to redirect a page to.
    - name: content_disposition
      type: keyword
      overwrite: true
      description: >
        Indicates how the content is expected to be displayed inline in the browser.
    - name: via
      type: keyword
      overwrite: true
      description: >
        Via header is added by proxies for tracking purposes to avoid sending requests in loop.
    - name: http_server
      type: keyword
      overwrite: true
      description: >
        Server HTTP header value, contains information about the software used by the origin server, which handles the request.
    - name: content_length
      type: keyword
      overwrite: true
      description: >
        Indicates the size of the entity-body of the HTTP header.
    - name: authorization
      type: keyword
      overwrite: true
      description: >
        Authorization HTTP header value.
    - name: http_host
      type: keyword
      overwrite: true
      description: >
        Domain name of the server that the HTTP request is sent to.
    - name: inspection_settings_log
      type: keyword
      overwrite: true
      description: >
        Indicates that the log was released by inspection settings.
    - name: cvpn_resource
      type: keyword
      overwrite: true
      description: >
        Mobile Access application.
    - name: cvpn_category
      type: keyword
      overwrite: true
      description: >
        Mobile Access application type.
    - name: url
      type: keyword
      overwrite: true
      description: >
        Translated URL.
    - name: reject_id
      type: keyword
      overwrite: true
      description: >
        A reject ID that corresponds to the one presented in the Mobile Access error page.
    - name: fs-proto
      type: keyword
      overwrite: true
      description: >
        The file share protocol used in Mobile Access file share application.
    - name: app_package
      type: keyword
      overwrite: true
      description: >
        Unique identifier of the application on the protected mobile device.
    - name: appi_name
      type: keyword
      overwrite: true
      description: >
        Name of application downloaded on the protected mobile device.
    - name: app_repackaged
      type: keyword
      overwrite: true
      description: >
        Indicates whether the original application was repackaged by someone other than the official developer.
    - name: app_sid_id
      type: keyword
      overwrite: true
      description: >
        Unique SHA identifier of a mobile application.
    - name: app_version
      type: keyword
      overwrite: true
      description: >
        Version of the application downloaded on the protected mobile device.
    - name: developer_certificate_name
      type: keyword
      overwrite: true
      description: >
        Name of the developer's certificate that was used to sign the mobile application.
    - name: email_control
      type: keyword
      overwrite: true
      description: >
        Engine name.
    - name: email_message_id
      type: keyword
      overwrite: true
      description: >
        Email session id (unique ID of the mail).
    - name: email_queue_id
      type: keyword
      overwrite: true
      description: >
        Postfix email queue id.
    - name: email_queue_name
      type: keyword
      overwrite: true
      description: >
        Postfix email queue name.
    - name: file_name
      type: keyword
      overwrite: true
      description: >
        Malicious file name.
    - name: failure_reason
      type: keyword
      overwrite: true
      description: >
        MTA failure description.
    - name: email_headers
      type: keyword
      overwrite: true
      description: >
        String containing all the email headers.
    - name: arrival_time
      type: keyword
      overwrite: true
      description: >
        Email arrival timestamp.
    - name: email_status
      type: keyword
      overwrite: true
      description: >
        Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended.
    - name: status_update
      type: keyword
      overwrite: true
      description: >
        Last time log was updated.
    - name: delivery_time
      type: keyword
      overwrite: true
      description: >
        Timestamp of when email was delivered (MTA finished handling the email).
    - name: links_num
      type: integer
      overwrite: true
      description: >
        Number of links in the mail.
    - name: attachments_num
      type: integer
      overwrite: true
      description: >
        Number of attachments in the mail.
    - name: email_content
      type: keyword
      overwrite: true
      description: >
        Mail contents. Possible options: attachments/links & attachments/links/text only.
    - name: allocated_ports
      type: integer
      overwrite: true
      description: >
        Amount of allocated ports.
    - name: capacity
      type: integer
      overwrite: true
      description: >
        Capacity of the ports.
    - name: ports_usage
      type: integer
      overwrite: true
      description: >
        Percentage of allocated ports.
    - name: nat_exhausted_pool
      type: keyword
      overwrite: true
      description: >
        4-tuple of an exhausted pool.
    - name: nat_rulenum
      type: integer
      overwrite: true
      description: >
        NAT rulebase first matched rule.
    - name: nat_addtnl_rulenum
      type: integer
      overwrite: true
      description: >
        When matching 2 automatic rules, the second rule match will be shown; otherwise the field will be 0.
    - name: message_info
      type: keyword
      overwrite: true
      description: >
        Used for information messages, for example: NAT connection has ended.
    - name: nat46
      type: keyword
      overwrite: true
      description: >
        NAT 46 status, in most cases "enabled".
    - name: end_time
      type: keyword
      overwrite: true
      description: >
        TCP connection end time.
    - name: tcp_end_reason
      type: keyword
      overwrite: true
      description: >
        Reason for TCP connection closure.
    - name: cgnet
      type: keyword
      overwrite: true
      description: >
        Describes NAT allocation for specific subscriber.
    - name: subscriber
      type: ip
      overwrite: true
      description: >
        Source IP before CGNAT.
    - name: hide_ip
      type: ip
      overwrite: true
      description: >
        Source IP which will be used after CGNAT.
    - name: int_start
      type: integer
      overwrite: true
      description: >
        Subscriber start int which will be used for NAT.
    - name: int_end
      type: integer
      overwrite: true
      description: >
        Subscriber end int which will be used for NAT.
    - name: packet_amount
      type: integer
      overwrite: true
      description: >
        Amount of packets dropped.
    - name: monitor_reason
      type: keyword
      overwrite: true
      description: >
        Aggregated logs of monitored packets.
    - name: drops_amount
      type: integer
      overwrite: true
      description: >
        Amount of multicast packets dropped.
    - name: securexl_message
      type: keyword
      overwrite: true
      description: >
        Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
    - name: conns_amount
      type: integer
      overwrite: true
      description: >
        Connections amount of aggregated log info.
    - name: scope
      type: keyword
      overwrite: true
      description: >
        IP related to the attack.
    - name: analyzed_on
      type: keyword
      overwrite: true
      description: >
        Check Point ThreatCloud / emulator name.
    - name: detected_on
      type: keyword
      overwrite: true
      description: >
        System and applications version the file was emulated on.
    - name: dropped_file_name
      type: keyword
      overwrite: true
      description: >
        List of names dropped from the original file.
    - name: dropped_file_type
      type: keyword
      overwrite: true
      description: >
        List of file types dropped from the original file.
    - name: dropped_file_hash
      type: keyword
      overwrite: true
      description: >
        List of file hashes dropped from the original file.
    - name: dropped_file_verdict
      type: keyword
      overwrite: true
      description: >
        List of file verdicts dropped from the original file.
    - name: emulated_on
      type: keyword
      overwrite: true
      description: >
        Images the files were emulated on.
    - name: extracted_file_type
      type: keyword
      overwrite: true
      description: >
        Types of extracted files in case of an archive.
    - name: extracted_file_names
      type: keyword
      overwrite: true
      description: >
        Names of extracted files in case of an archive.
    - name: extracted_file_hash
      type: keyword
      overwrite: true
      description: >
        Archive hash in case of extracted files.
    - name: extracted_file_verdict
      type: keyword
      overwrite: true
      description: >
        Verdict of extracted files in case of an archive.
    - name: extracted_file_uid
      type: keyword
      overwrite: true
      description: >
        UID of extracted files in case of an archive.
    - name: mitre_initial_access
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to break into your network.
    - name: mitre_execution
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to run malicious code.
    - name: mitre_persistence
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to maintain their foothold.
    - name: mitre_privilege_escalation
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to gain higher-level permissions.
    - name: mitre_defense_evasion
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to avoid being detected.
    - name: mitre_credential_access
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to steal account names and passwords.
    - name: mitre_discovery
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to expose information about your environment.
    - name: mitre_lateral_movement
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to explore your environment.
    - name: mitre_collection
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to collect data of interest to achieve their goal.
    - name: mitre_command_and_control
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to communicate with compromised systems in order to control them.
    - name: mitre_exfiltration
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to steal data.
    - name: mitre_impact
      type: keyword
      overwrite: true
      description: >
        The adversary is trying to manipulate, interrupt, or destroy your systems and data.
    - name: parent_file_hash
      type: keyword
      overwrite: true
      description: >
        Archive's hash in case of extracted files.
    - name: parent_file_name
      type: keyword
      overwrite: true
      description: >
        Archive's name in case of extracted files.
    - name: parent_file_uid
      type: keyword
      overwrite: true
      description: >
        Archive's UID in case of extracted files.
    - name: similiar_iocs
      type: keyword
      overwrite: true
      description: >
        Other IoCs similar to the ones found, related to the malicious file.
    - name: similar_hashes
      type: keyword
      overwrite: true
      description: >
        Hashes found similar to the malicious file.
    - name: similar_strings
      type: keyword
      overwrite: true
      description: >
        Strings found similar to the malicious file.
    - name: similar_communication
      type: keyword
      overwrite: true
      description: >
        Network action found similar to the malicious file.
    - name: te_verdict_determined_by
      type: keyword
      overwrite: true
      description: >
        Emulators determined file verdict.
    - name: packet_capture_unique_id
      type: keyword
      overwrite: true
      description: >
        Identifier of the packet capture files.
    - name: total_attachments
      type: integer
      overwrite: true
      description: >
        The number of attachments in an email.
    - name: additional_info
      type: keyword
      overwrite: true
      description: >
        ID of original file/mail which are sent by admin.
    - name: content_risk
      type: integer
      overwrite: true
      description: >
        File risk.
    - name: operation
      type: keyword
      overwrite: true
      description: >
        Operation made by Threat Extraction.
    - name: scrubbed_content
      type: keyword
      overwrite: true
      description: >
        Active content that was found.
    - name: scrub_time
      type: keyword
      overwrite: true
      description: >
        Extraction process duration.
    - name: scrub_download_time
      type: keyword
      overwrite: true
      description: >
        File download time from resource.
    - name: scrub_total_time
      type: keyword
      overwrite: true
      description: >
        Threat extraction total file handling time.
    - name: scrub_activity
      type: keyword
      overwrite: true
      description: >
        The result of the extraction.
    - name: watermark
      type: keyword
      overwrite: true
      description: >
        Reports whether watermark is added to the cleaned file.
    - name: source_object
      type: keyword
      overwrite: true
      description: >
        Matched object name on source column.
    - name: destination_object
      type: keyword
      overwrite: true
      description: >
        Matched object name on destination column.
    - name: drop_reason
      type: keyword
      overwrite: true
      description: >
        Drop reason description.
    - name: hit
      type: integer
      overwrite: true
      description: >
        Number of hits on a rule.
    - name: rulebase_id
      type: integer
      overwrite: true
      description: >
        Layer number.
    - name: first_hit_time
      type: integer
      overwrite: true
      description: >
        First hit time in current interval.
    - name: last_hit_time
      type: integer
      overwrite: true
      description: >
        Last hit time in current interval.
    - name: rematch_info
      type: keyword
      overwrite: true
      description: >
        Information sent when old connections cannot be matched during policy installation.
    - name: last_rematch_time
      type: keyword
      overwrite: true
      description: >
        Connection rematched time.
    - name: action_reason
      type: integer
      overwrite: true
      description: >
        Connection drop reason.
    - name: action_reason_msg
      type: keyword
      overwrite: true
      description: >
        Connection drop reason message.
    - name: c_bytes
      type: integer
      overwrite: true
      description: >
        Boolean value indicates whether bytes sent from the client side are used.
    - name: context_num
      type: integer
      overwrite: true
      description: >
        Serial number of the log for a specific connection.
    - name: match_id
      type: integer
      overwrite: true
      description: >
        Private key of the rule.
    - name: alert
      type: keyword
      overwrite: true
      description: >
        Alert level of matched rule (for connection logs).
    - name: parent_rule
      type: integer
      overwrite: true
      description: >
        Parent rule number, in case of inline layer.
    - name: match_fk
      type: integer
      overwrite: true
      description: >
        Rule number.
    - name: dropped_outgoing
      type: integer
      overwrite: true
      description: >
        Number of outgoing bytes dropped when using UP-limit feature.
    - name: dropped_incoming
      type: integer
      overwrite: true
      description: >
        Number of incoming bytes dropped when using UP-limit feature.
    - name: media_type
      type: keyword
      overwrite: true
      description: >
        Media used (audio, video, etc.).
    - name: sip_reason
      type: keyword
      overwrite: true
      description: >
        Explains why 'source_ip' isn't allowed to redirect (handover).
    - name: voip_method
      type: keyword
      overwrite: true
      description: >
        Registration request.
    - name: registered_ip-phones
      type: keyword
      overwrite: true
      description: >
        Registered IP-Phones.
    - name: voip_reg_user_type
      type: keyword
      overwrite: true
      description: >
        Registered IP-Phone type.
    - name: voip_call_id
      type: keyword
      overwrite: true
      description: >
        Call-ID.
    - name: voip_reg_int
      type: integer
      overwrite: true
      description: >
        Registration port.
    - name: voip_reg_ipp
      type: integer
      overwrite: true
      description: >
        Registration IP protocol.
    - name: voip_reg_period
      type: integer
      overwrite: true
      description: >
        Registration period.
    - name: voip_log_type
      type: keyword
      overwrite: true
      description: >
        VoIP log types. Possible values: reject, call, registration.
    - name: src_phone_number
      type: keyword
      overwrite: true
      description: >
        Source IP-Phone.
    - name: voip_from_user_type
      type: keyword
      overwrite: true
      description: >
        Source IP-Phone type.
    - name: dst_phone_number
      type: keyword
      overwrite: true
      description: >
        Destination IP-Phone.
    - name: voip_to_user_type
      type: keyword
      overwrite: true
      description: >
        Destination IP-Phone type.
    - name: voip_call_dir
      type: keyword
      overwrite: true
      description: >
        Call direction: in/out.
    - name: voip_call_state
      type: keyword
      overwrite: true
      description: >
        Call state. Possible values: in/out.
    - name: voip_call_term_time
      type: keyword
      overwrite: true
      description: >
        Call termination time stamp.
    - name: voip_duration
      type: keyword
      overwrite: true
      description: >
        Call duration (seconds).
    - name: voip_media_port
      type: keyword
      overwrite: true
      description: >
        Media int.
    - name: voip_media_ipp
      type: keyword
      overwrite: true
      description: >
        Media IP protocol.
    - name: voip_est_codec
      type: keyword
      overwrite: true
      description: >
        Estimated codec.
    - name: voip_exp
      type: integer
      overwrite: true
      description: >
        Expiration.
    - name: voip_attach_sz
      type: integer
      overwrite: true
      description: >
        Attachment size.
    - name: voip_attach_action_info
      type: keyword
      overwrite: true
      description: >
        Attachment action Info.
    - name: voip_media_codec
      type: keyword
      overwrite: true
      description: >
        Estimated codec.
    - name: voip_reject_reason
      type: keyword
      overwrite: true
      description: >
        Reject reason.
    - name: voip_reason_info
      type: keyword
      overwrite: true
      description: >
        Information.
    - name: voip_config
      type: keyword
      overwrite: true
      description: >
        Configuration.
    - name: voip_reg_server
      type: ip
      overwrite: true
      description: >
        Registrar server IP address.
    - name: scv_user
      type: keyword
      overwrite: true
      description: >
        Username whose packets are dropped on SCV.
    - name: scv_message_info
      type: keyword
      overwrite: true
      description: >
        Drop reason.
    - name: ppp
      type: keyword
      overwrite: true
      description: >
        Authentication status.
    - name: scheme
      type: keyword
      overwrite: true
      description: >
        Describes the scheme used for the log.
    - name: auth_method
      type: keyword
      overwrite: true
      description: >
        Password authentication protocol used (PAP or EAP).
    - name: machine
      type: keyword
      overwrite: true
      description: >
        L2TP machine which triggered the log and the log refers to it.
    - name: vpn_feature_name
      type: keyword
      overwrite: true
      description: >
        L2TP /IKE / Link Selection.
    - name: reject_category
      type: keyword
      overwrite: true
      description: >
        Authentication failure reason.
    - name: peer_ip_probing_status_update
      type: keyword
      overwrite: true
      description: >
        IP address response status.
    - name: peer_ip
      type: keyword
      overwrite: true
      description: >
        IP address which the client connects to.
    - name: peer_gateway
      type: ip
      overwrite: true
      description: >
        Main IP of the peer Security Gateway.
    - name: link_probing_status_update
      type: keyword
      overwrite: true
      description: >
        IP address response status.
    - name: source_interface
      type: keyword
      overwrite: true
      description: >
        External Interface name for source interface or Null if not found.
    - name: next_hop_ip
      type: keyword
      overwrite: true
      description: >
        Next hop IP address.
    - name: srckeyid
      type: keyword
      overwrite: true
      description: >
        Initiator SPI ID.
    - name: dstkeyid
      type: keyword
      overwrite: true
      description: >
        Responder SPI ID.
    - name: encryption_failure
      type: keyword
      overwrite: true
      description: >
        Message indicating why the encryption failed.
    - name: ike_ids
      type: keyword
      overwrite: true
      description: >
        All QM ids.
    - name: community
      type: keyword
      overwrite: true
      description: >
        Community name for the IPSec key and the use of the IKEv.
    - name: ike
      type: keyword
      overwrite: true
      description: >
        IKEMode (PHASE1, PHASE2, etc.).
    - name: cookieI
      type: keyword
      overwrite: true
      description: >
        Initiator cookie.
    - name: cookieR
      type: keyword
      overwrite: true
      description: >
        Responder cookie.
    - name: msgid
      type: keyword
      overwrite: true
      description: >
        Message ID.
    - name: methods
      type: keyword
      overwrite: true
      description: >
        IPSec methods.
    - name: connection_uid
      type: keyword
      overwrite: true
      description: >
        MD5 of the IP and user name, used as UID.
    - name: site_name
      type: keyword
      overwrite: true
      description: >
        Site name.
    - name: esod_rule_name
      type: keyword
      overwrite: true
      description: >
        Unknown rule name.
    - name: esod_rule_action
      type: keyword
      overwrite: true
      description: >
        Unknown rule action.
    - name: esod_rule_type
      type: keyword
      overwrite: true
      description: >
        Unknown rule type.
    - name: esod_noncompliance_reason
      type: keyword
      overwrite: true
      description: >
        Non-compliance reason.
    - name: esod_associated_policies
      type: keyword
      overwrite: true
      description: >
        Associated policies.
    - name: spyware_name
      type: keyword
      overwrite: true
      description: >
        Spyware name.
    - name: spyware_type
      type: keyword
      overwrite: true
      description: >
        Spyware type.
    - name: anti_virus_type
      type: keyword
      overwrite: true
      description: >
        Anti virus type.
    - name: end_user_firewall_type
      type: keyword
      overwrite: true
      description: >
        End user firewall type.
    - name: esod_scan_status
      type: keyword
      overwrite: true
      description: >
        Scan failed.
    - name: esod_access_status
      type: keyword
      overwrite: true
      description: >
        Access denied.
    - name: client_type
      type: keyword
      overwrite: true
      description: >
        Endpoint Connect.
    - name: precise_error
      type: keyword
      overwrite: true
      description: >
        HTTP parser error.
    - name: method
      type: keyword
      overwrite: true
      description: >
        HTTP method.
    - name: trusted_domain
      type: keyword
      overwrite: true
      description: >
        In case of phishing event, the domain which the attacker was impersonating.
- key: cisco
  title: Cisco
  description: >
    Module for handling Cisco network device logs.
  fields:
    - name: cisco.amp
      type: group
      release: beta
      default_field: false
      description: >
        Module for parsing Cisco AMP logs.
      fields:
        - name: timestamp_nanoseconds
          type: date
          description: >
            The timestamp in Epoch nanoseconds.
        - name: event_type_id
          type: keyword
          description: >
            A sub ID of the event, depending on event type.
        - name: detection
          type: keyword
          description: >
            The name of the malware detected.
        - name: detection_id
          type: keyword
          description: >
            The ID of the detection.
        - name: connector_guid
          type: keyword
          description: >
            The GUID of the connector sending information to AMP.
        - name: group_guids
          type: keyword
          description: >
            An array of group GUIDs related to the connector sending information to AMP.
        - name: vulnerabilities
          type: flattened
          description: >
            An array of vulnerabilities related to the malicious event.
        - name: scan.description
          type: keyword
          description: >
            Description of an event related to a scan being initiated, for example the specific directory name.
        - name: scan.clean
          type: boolean
          description: >
            Boolean value indicating whether a scanned file was clean or not.
        - name: scan.scanned_files
          type: long
          description: >
            Count of files scanned in a directory.
        - name: scan.scanned_processes
          type: long
          description: >
            Count of processes scanned related to a single scan event.
        - name: scan.scanned_paths
          type: long
          description: >
            Count of different directories scanned related to a single scan event.
        - name: scan.malicious_detections
          type: long
          description: >
            Count of malicious files or documents detected related to a single scan event.
        - name: computer.connector_guid
          type: keyword
          description: >
            The GUID of the connector, similar to the top level connector_guid, but unique if multiple connectors are involved.
        - name: computer.external_ip
          type: ip
          description: >
            The external IP of the related host.
        - name: computer.active
          type: boolean
          description: >
            Whether the current endpoint is active or not.
        - name: computer.network_addresses
          type: flattened
          description: >
            All network interface information on the related host.
        - name: file.disposition
          type: keyword
          description: >
            Categorization of the file, for example "Malicious" or "Clean".
        - name: network_info.disposition
          type: keyword
          description: >
            Categorization of a network event related to a file, for example "Malicious" or "Clean".
        - name: network_info.nfm.direction
          type: keyword
          description: >
            The current direction based on source and destination IP.
        - name: related.mac
          type: keyword
          description: >
            An array of all related MAC addresses.
        - name: related.cve
          type: keyword
          description: >
            An array of all related CVEs.
        - name: cloud_ioc.description
          type: keyword
          description: >
            Description of the related IOC for specific IOC events from AMP.
        - name: cloud_ioc.short_description
          type: keyword
          description: >
            Short description of the related IOC for specific IOC events from AMP.
        - name: network_info.parent.disposition
          type: keyword
          description: >
            Categorization of an IOC, for example "Malicious" or "Clean".
        - name: network_info.parent.identity.md5
          type: keyword
          description: >
            MD5 hash of the related IOC.
        - name: network_info.parent.identity.sha1
          type: keyword
          description: >
            SHA1 hash of the related IOC.
        - name: network_info.parent.identify.sha256
          type: keyword
          description: >
            SHA256 hash of the related IOC.
        - name: file.archived_file.disposition
          type: keyword
          description: >
            Categorization of a file archive related to a file, for example "Malicious" or "Clean".
        - name: file.archived_file.identity.md5
          type: keyword
          description: >
            MD5 hash of the archived file related to the malicious event.
        - name: file.archived_file.identity.sha1
          type: keyword
          description: >
            SHA1 hash of the archived file related to the malicious event.
        - name: file.archived_file.identity.sha256
          type: keyword
          description: >
            SHA256 hash of the archived file related to the malicious event.
        - name: file.attack_details.application
          type: keyword
          description: >
            The application name related to Exploit Prevention events.
        - name: file.attack_details.attacked_module
          type: keyword
          description: >
            Path to the executable or DLL that was attacked and detected by Exploit Prevention.
        - name: file.attack_details.base_address
          type: keyword
          description: >
            The base memory address related to the exploit detected.
        - name: file.attack_details.suspicious_files
          type: keyword
          description: >
            An array of related files when an attack is detected by Exploit Prevention.
        - name: file.parent.disposition
          type: keyword
          description: >
            Categorization of the parent, for example "Malicious" or "Clean".
        - name: error.description
          type: keyword
          description: >
            Description of an endpoint error event.
        - name: error.error_code
          type: keyword
          description: >
            The error code describing the related error event.
        - name: threat_hunting.severity
          type: keyword
          description: >
            Severity result of the threat hunt registered to the malicious event. Can be Low-Critical.
        - name: threat_hunting.incident_report_guid
          type: keyword
          description: >
            The GUID of the related threat hunting report.
        - name: threat_hunting.incident_hunt_guid
          type: keyword
          description: >
            The GUID of the related investigation tracking issue.
        - name: threat_hunting.incident_title
          type: keyword
          description: >
            Title of the incident related to the threat hunting activity.
        - name: threat_hunting.incident_summary
          type: keyword
          description: >
            Summary of the outcome of the threat hunting activity.
        - name: threat_hunting.incident_remediation
          type: keyword
          description: >
            Recommendations to resolve the vulnerability or exploited host.
        - name: threat_hunting.incident_id
          type: keyword
          description: >
            The id of the related incident for the threat hunting activity.
        - name: threat_hunting.incident_end_time
          type: date
          description: >
            When the threat hunt was finalized or closed.
        - name: threat_hunting.incident_start_time
          type: date
          description: >
            When the threat hunt was initiated.
        - name: file.attack_details.indicators
          type: flattened
          description: >
            Different indicator types that match the exploit detected, for example different MITRE tactics.
        - name: threat_hunting.tactics
          type: flattened
          description: >
            List of all MITRE tactics related to the incident found.
        - name: threat_hunting.techniques
          type: flattened
          description: >
            List of all MITRE techniques related to the incident found.
        - name: tactics
          type: flattened
          description: >
            List of all MITRE tactics related to the incident found.
        - name: mitre_tactics
          type: keyword
          description: >
            Array of all related MITRE tactic IDs.
        - name: techniques
          type: flattened
          description: >
            List of all MITRE techniques related to the incident found.
        - name: mitre_techniques
          type: keyword
          description: >
            Array of all related MITRE technique IDs.
        - name: command_line.arguments
          type: keyword
          description: >
            The CLI arguments related to the Cloud Threat IOC reported by Cisco.
        - name: bp_data
          type: flattened
          description: >
            Endpoint isolation information.
    - name: cisco.asa
      type: group
      description: >
        Fields for Cisco ASA Firewall.
      fields:
        - name: message_id
          type: keyword
          description: >
            The Cisco ASA message identifier.
        - name: suffix
          type: keyword
          example: session
          description: >
            Optional suffix after the %ASA identifier.
        - name: source_interface
          type: keyword
          description: >
            Source interface for the flow or event.
        - name: destination_interface
          type: keyword
          description: >
            Destination interface for the flow or event.
        - name: rule_name
          type: keyword
          description: >
            Name of the Access Control List rule that matched this event.
        - name: source_username
          type: keyword
          description: >
            Name of the user that is the source for this event.
        - name: destination_username
          type: keyword
          description: >
            Name of the user that is the destination for this event.
        - name: mapped_source_ip
          type: ip
          description: >
            The translated source IP address.
        - name: mapped_source_host
          type: keyword
          default_field: false
          description: >
            The translated source host.
        - name: mapped_source_port
          type: long
          description: >
            The translated source port.
        - name: mapped_destination_ip
          type: ip
          description: >
            The translated destination IP address.
        - name: mapped_destination_host
          type: keyword
          default_field: false
          description: >
            The translated destination host.
        - name: mapped_destination_port
          type: long
          description: >
            The translated destination port.
        - name: threat_level
          type: keyword
          description: >
            Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
        - name: threat_category
          type: keyword
          description: >
            Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
        - name: connection_id
          type: keyword
          description: >
            Unique identifier for a flow.
        - name: icmp_type
          type: short
          description: >
            ICMP type.
        - name: icmp_code
          type: short
          description: >
            ICMP code.
        - name: connection_type
          type: keyword
          default_field: false
          description: >
            The VPN connection type.
        - name: dap_records
          default_field: false
          type: keyword
          description: >
            The assigned DAP records.
        - name: command_line_arguments
          default_field: false
          type: keyword
          description: >
            The command line arguments logged by the local audit log.
        - name: assigned_ip
          default_field: false
          type: ip
          description: >
            The IP address assigned to a VPN client successfully connecting.
        - name: privilege.old
          default_field: false
          type: keyword
          description: >
            When a user's privilege is changed, this is the old value.
        - name: privilege.new
          default_field: false
          type: keyword
          description: >
            When a user's privilege is changed, this is the new value.
        - name: burst.object
          default_field: false
          type: keyword
          description: >
            The related object for burst warnings.
        - name: burst.id
          default_field: false
          type: keyword
          description: >
            The related rate ID for burst warnings.
        - name: burst.current_rate
          default_field: false
          type: keyword
          description: >
            The current burst rate seen.
        - name: burst.configured_rate
          default_field: false
          type: keyword
          description: >
            The current configured burst rate.
        - name: burst.avg_rate
          default_field: false
          type: keyword
          description: >
            The current average burst rate seen.
        - name: burst.configured_avg_rate
          default_field: false
          type: keyword
          description: >
            The current configured average burst rate allowed.
        - name: burst.cumulative_count
          default_field: false
          type: keyword
          description: >
            The total count of burst rate hits since the object was created or cleared.
        - name: termination_user
          default_field: false
          type: keyword
          description: >
            AAA name of the user requesting termination.
        - name: webvpn.group_name
          type: keyword
          default_field: false
          description: >
            The WebVPN group name the user belongs to.
    - name: cisco.ftd
      type: group
      description: >
        Fields for Cisco Firepower Threat Defense Firewall.
      fields:
        - name: message_id
          type: keyword
          description: >
            The Cisco FTD message identifier.
        - name: suffix
          type: keyword
          example: session
          description: >
            Optional suffix after the %FTD identifier.
        - name: source_interface
          type: keyword
          description: >
            Source interface for the flow or event.
        - name: destination_interface
          type: keyword
          description: >
            Destination interface for the flow or event.
        - name: rule_name
          type: keyword
          description: >
            Name of the Access Control List rule that matched this event.
        - name: source_username
          type: keyword
          description: >
            Name of the user that is the source for this event.
        - name: destination_username
          type: keyword
          description: >
            Name of the user that is the destination for this event.
        - name: mapped_source_ip
          type: ip
          description: >
            The translated source IP address. Use ECS source.nat.ip.
        - name: mapped_source_host
          type: keyword
          default_field: false
          description: >
            The translated source host.
        - name: mapped_source_port
          type: long
          description: >
            The translated source port. Use ECS source.nat.port.
        - name: mapped_destination_ip
          type: ip
          description: >
            The translated destination IP address. Use ECS destination.nat.ip.
        - name: mapped_destination_host
          type: keyword
          default_field: false
          description: >
            The translated destination host.
        - name: mapped_destination_port
          type: long
          description: >
            The translated destination port. Use ECS destination.nat.port.
        - name: threat_level
          type: keyword
          description: >
            Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
        - name: threat_category
          type: keyword
          description: >
            Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
        - name: connection_id
          type: keyword
          description: >
            Unique identifier for a flow.
        - name: icmp_type
          type: short
          description: >
            ICMP type.
        - name: icmp_code
          type: short
          description: >
            ICMP code.
        - name: security
          type: object
          description: Raw fields for Security Events.
        - name: connection_type
          type: keyword
          default_field: false
          description: >
            The VPN connection type.
        - name: dap_records
          type: keyword
          default_field: false
          description: >
            The assigned DAP records.
        - name: termination_user
          type: keyword
          default_field: false
          description: >
            AAA name of the user requesting termination.
        - name: webvpn.group_name
          type: keyword
          default_field: false
          description: >
            The WebVPN group name the user belongs to.
    - name: cisco.ios
      type: group
      description: >
        Fields for Cisco IOS logs.
      fields:
        - name: access_list
          type: keyword
          description: >
            Name of the IP access list.
        - name: facility
          type: keyword
          example: SEC
          description: >
            The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
        - name: network.interface.name
          overwrite: true
          type: keyword
          default_field: false
          description: >
            Name of the network interface where the traffic has been observed.
    - name: rsa
      overwrite: true
      type: group
      default_field: false
      fields:
        - name: internal
          overwrite: true
          type: group
          fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
        - name: time
          overwrite: true
          type: group
          fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in seconds.
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for a Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures the Filter used to reduce the result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only.
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture a unique identifier for a device or system (NOT a MAC address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures all non-successful error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture a list name or list number, primarily for collecting access-list information - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy.
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) and which effectively constitute a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures the File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture the agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded.
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event, available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability. - name: fcatnum overwrite: true type: keyword description: This key captures the Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to the node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMware target. **VMWARE** only variable.
- name: workspace overwrite: true type: keyword description: This key captures the Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture the Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of a regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link sessions together. This key should never be used to parse meta data from a session (logs/packets) directly; it is a reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for the regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures the source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only.
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures the number of streams in a session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures the IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures the permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with the database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical reads - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname: any hostname that isn't ad.computer.
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IP mask.
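# Added example, not part of the generated ECS/NetWitness field list. Several keys
# above pair a typed numeric key with a string fallback: sig_id (long) with sig_id_str,
# pid with process_id_val ("failure key for Process ID when it is not an integer
# value"); others are constrained: cc_number holds "Valid Credit Card Numbers only",
# and network_port is deprecated in favour of port, which the vendor note says should
# be a UInt16. The Python below shows one way a normalizer can route raw values so a
# non-integer never lands in a `long` field (which would get the whole document
# rejected at index time under a strict mapping). The function names, the tag value
# "invalid_port" and the sample inputs are this example's own assumptions, not ECS or
# NetWitness names. Whether a full PAN should be indexed at all is a PCI DSS scoping
# question the field definition does not settle; the check here only enforces the
# "valid numbers only" rule.

```python
"""Route raw meta values to typed keys or their documented string fallbacks.

Illustrative code for the field list above; not NetWitness or ECS code.
"""
from typing import Any, Dict, Optional


def _as_int(value: Any) -> Optional[int]:
    """Return value as int if it is a clean decimal integer, else None."""
    if isinstance(value, bool):  # bool is an int subclass; never treat it as a number
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        s = value.strip()
        if s.isdigit() or (s.startswith("-") and s[1:].isdigit()):
            return int(s)
    return None


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: the minimum test for 'valid credit card number'."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != len(number) or not 12 <= len(digits) <= 19:
        return False  # non-digit characters or implausible length
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_typed(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map raw parser output onto the typed keys, using the fallback keys on mismatch."""
    out: Dict[str, Any] = {}

    # sig_id is `long`; a non-integer signature id goes to sig_id_str instead.
    if "sig_id" in raw:
        n = _as_int(raw["sig_id"])
        if n is not None:
            out["sig_id"] = n
        else:
            out["sig_id_str"] = str(raw["sig_id"])

    # pid is declared `keyword` here, but the list still provides process_id_val as
    # the failure key for a process id that is not an integer; honour that split.
    if "pid" in raw:
        n = _as_int(raw["pid"])
        if n is not None:
            out["pid"] = str(n)
        else:
            out["process_id_val"] = str(raw["pid"])

    # network_port is deprecated in favour of port; enforce the UInt16 range on both.
    for key in ("port", "network_port"):
        if key in raw:
            n = _as_int(raw[key])
            if n is not None and 0 <= n <= 65535:
                out["port"] = n
            else:
                # ECS `tags` is a keyword list; the tag value is this example's choice.
                out.setdefault("tags", []).append("invalid_port")

    # cc_number: "Valid Credit Card Numbers only" -- fail closed on anything else.
    if "cc_number" in raw:
        s = str(raw["cc_number"]).replace(" ", "").replace("-", "")
        if luhn_valid(s):
            out["cc_number"] = int(s)

    return out


if __name__ == "__main__":
    # Constructed sample input, not a real log record.
    sample = {"sig_id": "ET-POLICY-1", "pid": "n/a", "network_port": "70000",
              "cc_number": "4111 1111 1111 1111"}
    print(normalize_typed(sample))
```

# The routing is deliberately one-way: a value that fails its type check is never
# coerced into the typed key, so a malformed event degrades to a searchable string
# or a tag rather than silently changing meaning or breaking indexing for the batch.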
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for the Destination Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing the source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture the Ethernet Type. Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number; all protocol numbers are converted into strings in the UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name:
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity (e.g. Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event (e.g. Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event (e.g. User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event (e.g. Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture Behaviours of Compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture the investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture the investigation context - name: ioc overwrite: true type: keyword description: This key captures Indicators of Compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture the actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures the Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only; it is used predominantly in Healthcare to capture patient information - name: lastname overwrite: true type: keyword description: This key is for Last Names only; it is used predominantly in Healthcare to capture patient information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures the Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. LDAP Values that don’t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as (the author of the task) - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only; when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only; when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the Company name of a file as found in version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures the Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures the Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures the Threat Name/Threat Category/Categorization of the alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture the name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture the source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for the Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization
only - name: peer overwrite: true type: keyword description: This key is for the Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures the Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for the Encryption peer’s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for the Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures the Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation, sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation, sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures the Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description:
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the SSID of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either the WLAN number or name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GeoIP MaxMind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GeoIP MaxMind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only; it is used predominantly in Healthcare to capture patient information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only; it is used predominantly in Healthcare to capture patient information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser; the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser; the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that the event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds.
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given in the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures the Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action.
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture the name of an object - name: obj_type overwrite: true type: keyword description: This is used to capture the type of an object - name: event_source overwrite: true type: keyword description: "This key captures the Source of the event that’s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that’s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that’s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture the name of the Device associated with the node, like a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key holds the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that’s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: cisco.umbrella type: group description: > Fields for Cisco Umbrella. fields: - name: identities type: keyword description: > An array of the different identities related to the event. - name: categories type: keyword description: > The security or content categories that the destination matches. - name: policy_identity_type type: keyword description: > The first identity type matched with this request. Available in version 3 and above. - name: identity_types type: keyword description: > The type of identity that made the request. For example, Roaming Computer or Network. - name: blocked_categories type: keyword description: > The categories that resulted in the destination being blocked. Available in version 4 and above. - name: content_type type: keyword description: > The type of web content, typically text/html. 
- name: sha_sha256 type: keyword description: > Hex digest of the response content. - name: av_detections type: keyword description: > The detection name according to the antivirus engine used in file inspection. - name: puas type: keyword description: > A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - name: amp_disposition type: keyword description: > The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - name: amp_malware_name type: keyword description: > If Malicious, the name of the malware according to AMP. - name: amp_score type: keyword description: > The score of the malware from AMP. This field is not currently used and will be blank. - name: datacenter type: keyword description: > The name of the Umbrella Data Center that processed the user-generated traffic. - name: origin_id type: keyword description: > The unique identity of the network tunnel. - key: coredns title: Coredns description: > Module for handling logs produced by coredns fields: - name: coredns type: group description: > coredns fields after normalization fields: - name: id type: keyword description: > id of the DNS transaction - name: query.size type: integer format: bytes description: > size of the DNS query - name: query.class type: keyword description: > DNS query class - name: query.name type: keyword description: > DNS query name - name: query.type type: keyword description: > DNS query type - name: response.code type: keyword description: > DNS response code - name: response.flags type: keyword description: > DNS response flags - name: response.size type: integer format: bytes description: > size of the DNS response - name: dnssec_ok type: boolean description: > dnssec flag - key: crowdstrike title: "Crowdstrike" release: beta description: > Module for collecting Crowdstrike events. 
fields: - name: crowdstrike type: group description: > Fields for Crowdstrike Falcon event and alert data. fields: - name: metadata title: Metadata fields description: > Meta data fields for each event that include type and timestamp. type: group default_field: false fields: - name: eventType type: keyword description: > DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date description: > The time this event occurred on the endpoint in UTC UNIX_MS format. - name: offset type: integer description: > Offset number that tracks the location of the event in stream. This is used to identify unique detection events. - name: customerIDString type: keyword description: > Customer identifier - name: version type: keyword description: > Schema version - name: event title: Event fields description: > Event data fields for each event and alert. type: group default_field: false fields: - name: ProcessStartTime type: date description: > The process start time in UTC UNIX_MS format. - name: ProcessEndTime type: date description: > The process termination time in UTC UNIX_MS format. - name: ProcessId type: integer description: > Process ID related to the detection. - name: ParentProcessId type: integer description: > Parent process ID related to the detection. - name: ComputerName type: keyword description: > Name of the computer where the detection occurred. - name: UserName type: keyword description: > User name associated with the detection. - name: DetectName type: keyword description: > Name of the detection. - name: DetectDescription type: keyword description: > Description of the detection. - name: Severity type: integer description: > Severity score of the detection. - name: SeverityName type: keyword description: > Severity score text. 
- name: FileName type: keyword description: > File name of the associated process for the detection. - name: FilePath type: keyword description: > Path of the executable associated with the detection. - name: CommandLine type: keyword description: > Executable path with command line arguments. - name: SHA1String type: keyword description: > SHA1 sum of the executable associated with the detection. - name: SHA256String type: keyword description: > SHA256 sum of the executable associated with the detection. - name: MD5String type: keyword description: > MD5 sum of the executable associated with the detection. - name: MachineDomain type: keyword description: > Domain for the machine associated with the detection. - name: FalconHostLink type: keyword description: > URL to view the detection in Falcon. - name: SensorId type: keyword description: > Unique ID associated with the Falcon sensor. - name: DetectId type: keyword description: > Unique ID associated with the detection. - name: LocalIP type: keyword description: > IP address of the host associated with the detection. - name: MACAddress type: keyword description: > MAC address of the host associated with the detection. - name: Tactic type: keyword description: > MITRE tactic category of the detection. - name: Technique type: keyword description: > MITRE technique category of the detection. - name: Objective type: keyword description: > Method of detection. - name: PatternDispositionDescription type: keyword description: > Action taken by Falcon. - name: PatternDispositionValue type: integer description: > Unique ID associated with action taken. - name: PatternDispositionFlags type: object description: > Flags indicating actions taken. - name: State type: keyword description: > Whether the incident summary is open and ongoing or closed. - name: IncidentStartTime type: date description: > Start time for the incident in UTC UNIX format. 
- name: IncidentEndTime type: date description: > End time for the incident in UTC UNIX format. - name: FineScore type: float description: > Score for incident. - name: UserId type: keyword description: > Email address or user ID associated with the event. - name: UserIp type: keyword description: > IP address associated with the user. - name: OperationName type: keyword description: > Event subtype. - name: ServiceName type: keyword description: > Service associated with this event. - name: Success type: boolean description: > Indicator of whether or not this event was successful. - name: UTCTimestamp type: date description: > Timestamp associated with this event in UTC UNIX format. - name: AuditKeyValues type: nested description: > Fields that were changed in this event. - name: ExecutablesWritten type: nested description: > Detected executables written to disk by a process. - name: SessionId type: keyword description: > Session ID of the remote response session. - name: HostnameField type: keyword description: > Host name of the machine for the remote session. - name: StartTimestamp type: date description: > Start time for the remote session in UTC UNIX format. - name: EndTimestamp type: date description: > End time for the remote session in UTC UNIX format. - name: LateralMovement type: long description: > Lateral movement field for incident. - name: ParentImageFileName type: keyword description: > Path to the parent process. - name: ParentCommandLine type: keyword description: > Parent process command line arguments. - name: GrandparentImageFileName type: keyword description: > Path to the grandparent process. - name: GrandparentCommandLine type: keyword description: > Grandparent process command line arguments. - name: IOCType type: keyword description: > CrowdStrike type for indicator of compromise. - name: IOCValue type: keyword description: > CrowdStrike value for indicator of compromise. 
# FirewallMatchEvent - name: CustomerId type: keyword description: > Customer identifier. - name: DeviceId type: keyword description: > Device on which the event occurred. - name: Ipv type: keyword description: > Protocol for network request. - name: ConnectionDirection type: keyword description: > Direction for network connection. - name: EventType type: keyword description: > CrowdStrike provided event type. - name: HostName type: keyword description: > Host name of the local machine. - name: ICMPCode type: keyword description: > RFC2780 ICMP Code field. - name: ICMPType type: keyword description: > RFC2780 ICMP Type field. - name: ImageFileName type: keyword description: > File name of the associated process for the detection. - name: PID type: long description: > Associated process id for the detection. - name: LocalAddress type: ip description: > IP address of local machine. - name: LocalPort type: long description: > Port of local machine. - name: RemoteAddress type: ip description: > IP address of remote machine. - name: RemotePort type: long description: > Port of remote machine. - name: RuleAction type: keyword description: > Firewall rule action. - name: RuleDescription type: keyword description: > Firewall rule description. - name: RuleFamilyID type: keyword description: > Firewall rule family id. - name: RuleGroupName type: keyword description: > Firewall rule group name. - name: RuleName type: keyword description: > Firewall rule name. - name: RuleId type: keyword description: > Firewall rule id. - name: MatchCount type: long description: > Number of firewall rule matches. - name: MatchCountSinceLastReport type: long description: > Number of firewall rule matches since the last report. - name: Timestamp type: date description: > Firewall rule triggered timestamp. # Not entirely sure about the descriptions of the following fields - name: Flags.Audit type: boolean description: > CrowdStrike audit flag. 
- name: Flags.Log type: boolean description: > CrowdStrike log flag. - name: Flags.Monitor type: boolean description: > CrowdStrike monitor flag. - name: Protocol type: keyword description: > CrowdStrike provided protocol. - name: NetworkProfile type: keyword description: > CrowdStrike network profile. - name: PolicyName type: keyword description: > CrowdStrike policy name. - name: PolicyID type: keyword description: > CrowdStrike policy id. - name: Status type: keyword description: > CrowdStrike status. - name: TreeID type: keyword description: > CrowdStrike tree id. # RemoteResponseSessionEndEvent - name: Commands type: keyword description: > Commands run in a remote session. - key: cyberark title: Cyber-Ark description: > cyberark fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: nwe_callback_id overwrite: true type: keyword description: This key denotes that the event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any meta key validation error found while parsing a log session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the remote session created by the NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder.
This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAP that can be imported into NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values 0 through 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values 0 through 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds.
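The entropy_*, mcb_*, mcbc_*, ubc_* and payload_* keys above are per-stream byte statistics that analysts use to spot encrypted or compressed content. The following Python is an added example, not NetWitness code: it computes those statistics for both sides of a constructed session using Shannon entropy in bits per byte (the parser's own arithmetic and its UInt16/Float32 encoding are not documented on this page), emits them under the key names used here, and applies assumed thresholds to flag a side that looks encrypted.

```python
import math
import random
from collections import Counter

# Thresholds are assumptions for this example, not values documented by NetWitness.
ENCRYPTED_ENTROPY_MIN = 7.5   # bits per byte; 8.0 is the theoretical maximum
ENCRYPTED_UBC_MIN = 250       # nearly every byte value present in the stream


def stream_metrics(data: bytes) -> dict:
    """Per-stream statistics mirroring the Entropy Parser meta keys:
    Shannon entropy (bits/byte), most common byte (mcb), its count (mcbc),
    unique byte count (ubc) and payload size. Empty streams yield zeros."""
    size = len(data)
    if size == 0:
        return {"entropy": 0.0, "mcb": 0, "mcbc": 0, "ubc": 0, "payload": 0}
    counts = Counter(data)                      # byte value -> occurrences
    entropy = -sum((n / size) * math.log2(n / size) for n in counts.values())
    mcb, mcbc = counts.most_common(1)[0]        # ties resolve to first seen
    return {"entropy": entropy, "mcb": mcb, "mcbc": mcbc,
            "ubc": len(counts), "payload": size}


def session_metrics(request: bytes, response: bytes) -> dict:
    """Combine both sides into the *_req / *_res names used on this page."""
    out = {}
    for side, data in (("req", request), ("res", response)):
        for key, value in stream_metrics(data).items():
            out[f"{key}_{side}"] = value
    return out


def looks_encrypted(metrics: dict, side: str) -> bool:
    """Heuristic an analyst would run on entropy_*/ubc_* meta: high entropy
    plus a near-complete byte alphabet suggests ciphertext or compression."""
    return (metrics[f"entropy_{side}"] >= ENCRYPTED_ENTROPY_MIN
            and metrics[f"ubc_{side}"] >= ENCRYPTED_UBC_MIN)


# Constructed sample traffic: a cleartext HTTP request, and a response body from
# a seeded PRNG standing in for ciphertext (deterministic, runs offline).
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: curl/8.0\r\n\r\n")
_rng = random.Random(1234)
SAMPLE_RESPONSE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    m = session_metrics(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for key in sorted(m):
        print(f"{key:13s} {m[key]}")
    print("request looks encrypted: ", looks_encrypted(m, "req"))
    print("response looks encrypted:", looks_encrypted(m, "res"))
```

Note that size matters: on a very short stream ubc cannot approach 256 even for true ciphertext, so the payload_* values should be checked before trusting the entropy verdict.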
- name: event_time_str overwrite: true type: keyword description: This key is used to capture an incomplete time mentioned in a session, as a string - name: starttime overwrite: true type: date description: This key is used to capture the start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the end time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the event time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event, in a standard timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given in the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures the version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action.
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture the name of an object - name: obj_type overwrite: true type: keyword description: This is used to capture the type of an object - name: event_source overwrite: true type: keyword description: "This key captures the source of the event when it is not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a session id from the session directly - name: group overwrite: true type: keyword description: This key captures the group name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the policy name only. - name: rule_name overwrite: true type: keyword description: This key captures the rule name - name: context overwrite: true type: keyword description: This key captures information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new value of the attribute that's changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that's changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event, describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture the name of the device associated with the node, like a physical disk, printer, etc.' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that's changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.
- name: reference_id1 overwrite: true type: keyword description: This key is for a linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the name of the event log - name: OS overwrite: true type: keyword description: This key captures the name of the operating system - name: terminal overwrite: true type: keyword description: This key captures terminal names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures the filter used to reduce the result set - name: serial_number overwrite: true type: keyword description: This key is the serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of an entity such as a file or process. checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is the source or the target of an action. - name: event_user overwrite: true type: keyword description: This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture the Content Type only.
- name: group_id overwrite: true type: keyword description: This key captures the Group ID number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only; this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures the virtual system name - name: connection_id overwrite: true type: keyword description: This key captures the connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd linked ID. It can be linked either to the "reference.id" or the "reference.id1" value, but should not be used unless the other two are in play. - name: sensor overwrite: true type: keyword description: This key captures the name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures the IDS/IPS integer signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for a physical or logical port connection but does NOT include a network port. (Example: printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the rule group name - name: risk_num overwrite: true type: double description: This key captures a numeric risk value - name: trigger_val overwrite: true type: keyword description: This key captures the value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a linked (related) session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures the version level of a signature or database content.
- name: hardware_id overwrite: true type: keyword description: This key is used to capture a unique identifier for a device or system (NOT a MAC address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the unique identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures all non-successful error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture a list name or list number, primarily for collecting access-lists - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy.
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) and which effectively constitute a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures a file identification number - name: expected_val overwrite: true type: keyword description: This key captures the value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the job number - name: spi_dst overwrite: true type: keyword description: Destination SPI index - name: spi_src overwrite: true type: keyword description: Source SPI index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture the agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string form of the sig.id value. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded.
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event, available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures an IDS/IPS integer signature ID. This must be linked to sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures a CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability. - name: fcatnum overwrite: true type: keyword description: This key captures the filter category number. Legacy usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the parent node name. Must be related to the node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMware target. VMware-only variable.
- name: workspace overwrite: true type: keyword description: This key captures the workspace description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture the Auto Run type - name: cc_number overwrite: true type: long description: Valid credit card numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of a regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for the regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures the source parameter - name: search_text overwrite: true type: keyword description: This key captures the search text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the signature name only.
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures the number of streams in a session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures the IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures the permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with the database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for the Destination Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing the source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture the Ethernet Type, used for Layer 3 Protocols only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol numbers are converted into strings in the UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture the behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture the investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture the investigation context - name: ioc overwrite: true type: keyword description: This key captures the indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture the actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: RADIUS realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures the Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures the Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the Company name of a file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures the Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures the Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures the Threat Name/Threat Category/Categorization of an alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture the name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture the source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for the Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the SSID of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either the WLAN number or name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GeoIP MaxMind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GeoIP MaxMind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: cyberarkpas title: CyberArk PAS description: > cyberarkpas fields. fields: - name: cyberarkpas type: group default_field: false fields: - name: audit default_field: false type: group description: > Cyberark Privileged Access Security Audit fields. fields: - name: action type: keyword description: A description of the audit record. - name: ca_properties type: group description: Account metadata. 
fields: - name: address type: keyword - name: cpm_disabled type: keyword - name: cpm_error_details type: keyword - name: cpm_status type: keyword - name: creation_method type: keyword - name: customer type: keyword - name: database type: keyword - name: device_type type: keyword - name: dual_account_status type: keyword - name: group_name type: keyword - name: in_process type: keyword - name: index type: keyword - name: last_fail_date type: keyword - name: last_success_change type: keyword - name: last_success_reconciliation type: keyword - name: last_success_verification type: keyword - name: last_task type: keyword - name: logon_domain type: keyword - name: policy_id type: keyword - name: port type: keyword - name: privcloud type: keyword - name: reset_immediately type: keyword - name: retries_count type: keyword - name: sequence_id type: keyword - name: tags type: keyword - name: user_dn type: keyword - name: user_name type: keyword - name: virtual_username type: keyword - name: other type: flattened - name: category type: keyword description: The category name (for category-related operations). - name: desc type: keyword description: A static value that displays a description of the audit codes. - name: extra_details type: group description: Specific extra details of the audit records. fields: - name: ad_process_id type: keyword - name: ad_process_name type: keyword - name: application_type type: keyword - name: command type: keyword - name: connection_component_id type: keyword - name: dst_host type: keyword - name: logon_account type: keyword - name: managed_account type: keyword - name: process_id type: keyword - name: process_name type: keyword - name: protocol type: keyword - name: psmid type: keyword - name: session_duration type: keyword - name: session_id type: keyword - name: src_host type: keyword - name: username type: keyword - name: other type: flattened - name: file type: keyword description: The name of the target file. 
- name: gateway_station type: ip description: The IP of the web application machine (PVWA). - name: hostname type: keyword description: The hostname, in upper case. example: MY-COMPUTER - name: iso_timestamp type: date description: The timestamp, in ISO Timestamp format (RFC 3339). example: 2013-6-25T10:47:19Z - name: issuer type: keyword description: The Vault user who wrote the audit. This is usually the user who performed the operation. - name: location type: keyword description: The target Location (for Location operations). ignore_above: 4096 doc_values: false index: false - name: message type: keyword description: A description of the audit records (same information as in the Desc field). - name: message_id type: keyword description: The code ID of the audit records. - name: product type: keyword description: A static value that represents the product. - name: pvwa_details type: flattened description: Specific details of the PVWA audit records. - name: raw type: keyword description: > Raw XML for the original audit record. Only present when XSLT file has debugging enabled. ignore_above: 4096 doc_values: false index: false - name: reason type: text description: The reason entered by the user. norms: false - name: rfc5424 type: boolean description: Whether the syslog format complies with RFC5424. example: yes - name: safe type: keyword description: The name of the target Safe. - name: severity type: keyword description: The severity of the audit records. - name: source_user type: keyword description: The name of the Vault user who performed the operation. - name: station type: ip description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. - name: target_user type: keyword description: The name of the Vault user on which the operation was performed. - name: timestamp type: keyword description: The timestamp, in MMM DD HH:MM:SS format. 
example: Jun 25 10:47:19 - name: vendor type: keyword description: A static value that represents the vendor. - name: version type: keyword description: A static value that represents the version of the Vault. - key: cylance title: CylanceProtect description: > cylance fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. 
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it's a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
        - name: time
          overwrite: true
          type: group
          fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
        - name: misc
          overwrite: true
          type: group
          fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the Version of the application or OS which is generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures the Source of the event that's not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that's changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that's changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced within the event, describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the Device associated with the node, like a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application, etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that's changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, where this key is used to capture the fully qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for a Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures the Filter used to reduce the result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, where this key is used to capture the combination of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures the Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures the Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to the "reference.id" or "reference.id1" value, but should not be used unless the other two variables are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures the Name of the sensor. Typically used in IDS/IPS based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for a Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or system (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a listname or listnumber, primarily for collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures the File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture the agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event, available directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures the IDS/IPS Int Signature ID. This must be linked to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures the Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to the node variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures the Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically a numeric field) of a resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture the Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of a regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which of them it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for the regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures the source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only.
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures the number of streams in a session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures the IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures the permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with the database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical reads - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname, i.e. any hostname that isn't ad.computer.
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently used (TM: Int32, INDEX: UInt64); a port number fits in UInt16, which neither chose.' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IP mask.
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for the destination device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing the source network mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture the Ethernet Type; used for Layer 3 protocols only - name: ip_proto overwrite: true type: long description: This key should be used to capture the IP protocol number; all protocol numbers are converted to strings in the UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname when a forwarding agent or a proxy sits in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity (e.g. Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event (e.g. Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event (e.g. User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event (e.g. Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event_cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor-supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis.
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture Behaviours of Compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture the investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture the investigation context - name: ioc overwrite: true type: keyword description: This key captures an Indicator of Compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture the actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: RADIUS realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures the destination user session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished Name that is used in a context that indicates a source DN - name: org overwrite: true type: keyword description: This key captures the user organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished Name that is used in a context that indicates a destination DN - name: firstname overwrite: true type: keyword description: This key is for First Names only; this is used predominantly in Healthcare to capture patient information - name: lastname overwrite: true type: keyword description: This key is for Last Names only; this is used predominantly in Healthcare to capture patient information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures the source user session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only; this is used predominantly in Healthcare to capture patient information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for uninterpreted LDAP values: LDAP values that don\u2019t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture the results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as, or the author of the task - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the destination email address only; when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only; when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, i.e. the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the company name of a file as found in its version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the SSID of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the wireless channel number - name: wlan_name overwrite: true type: keyword description: This key captures either the WLAN number or name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GeoIP MaxMind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GeoIP MaxMind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: envoyproxy title: Envoyproxy description: > Module for handling logs produced by envoy fields: - name: envoyproxy type: group description: > Fields from envoy proxy logs after normalization fields: - name: log_type type: keyword description: > Envoy log type, normally ACCESS - name: response_flags type: keyword description: > Response flags - name: upstream_service_time type: long format: duration input_format: nanoseconds description: > Upstream service time in nanoseconds - name: request_id type: keyword description: > ID of the request - name: authority type: keyword description: > Envoy proxy authority field - name: proxy_type type: keyword description: > Envoy proxy type, tcp or http - key: f5 title: Big-IP Access Policy Manager description: > f5 fields. 
fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. 
        - name: obj_id
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: statement
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: audit_class
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: entry
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: hcode
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: inode
          overwrite: true
          type: long
          description: Deprecated key defined only in table map.
        - name: resource_class
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: dead
          overwrite: true
          type: long
          description: Deprecated key defined only in table map.
        - name: feed_desc
          overwrite: true
          type: keyword
          description: This is used to capture the description of the feed. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: feed_name
          overwrite: true
          type: keyword
          description: This is used to capture the name of the feed. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: cid
          overwrite: true
          type: keyword
          description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_class
          overwrite: true
          type: keyword
          description: This is the classification of the log event source under a predefined, fixed set of event source classifications. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_group
          overwrite: true
          type: keyword
          description: This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_host
          overwrite: true
          type: keyword
          description: This is the hostname of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_ip
          overwrite: true
          type: ip
          description: This is the IPv4 address of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_ipv6
          overwrite: true
          type: ip
          description: This is the IPv6 address of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_type
          overwrite: true
          type: keyword
          description: This is the name of the log parser which parsed a given session. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: device_type_id
          overwrite: true
          type: long
          description: Deprecated key defined only in table map.
        - name: did
          overwrite: true
          type: keyword
          description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: entropy_req
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 depending on the configuration.
        - name: entropy_res
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 depending on the configuration.
        - name: event_name
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: feed_category
          overwrite: true
          type: keyword
          description: This is used to capture the category of the feed. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: forward_ip
          overwrite: true
          type: ip
          description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
        - name: forward_ipv6
          overwrite: true
          type: ip
          description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: header_id
          overwrite: true
          type: keyword
          description: This is the header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: lc_cid
          overwrite: true
          type: keyword
          description: This is the unique identifier of a Log Collector. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: lc_ctime
          overwrite: true
          type: date
          description: This is the time at which a log is collected by a NetWitness Log Collector. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: mcb_req
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the most common byte (request side) is simply which byte value (0 through 255) was seen the most on that side.
        - name: mcb_res
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the most common byte (response side) is simply which byte value (0 through 255) was seen the most on that side.
        - name: mcbc_req
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams.
        - name: mcbc_res
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams.
        - name: medium
          overwrite: true
          type: long
          description: "This key is used to identify whether a session is a log/packet session or a Layer 2 encapsulation type. 32 = log, 33 = correlation session, < 32 is a packet session. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness."
        - name: node_name
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: nwe_callback_id
          overwrite: true
          type: keyword
          description: This key denotes that the event is endpoint related.
        - name: parse_error
          overwrite: true
          type: keyword
          description: This is a special key that stores any meta key validation error found while parsing a log session. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: payload_req
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
        - name: payload_res
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
        - name: process_vid_dst
          overwrite: true
          type: keyword
          description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
        - name: process_vid_src
          overwrite: true
          type: keyword
          description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
        - name: rid
          overwrite: true
          type: long
          description: This is a special ID of the remote session created by a NetWitness Decoder. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: session_split
          overwrite: true
          type: keyword
          description: This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: site
          overwrite: true
          type: keyword
          description: Deprecated key defined only in table map.
        - name: size
          overwrite: true
          type: long
          description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: sourcefile
          overwrite: true
          type: keyword
          description: This is the name of the log file or PCAP that can be imported into NetWitness. This key should never be used to parse meta data from a session (Logs/Packets) directly; this is a reserved key in NetWitness.
        - name: ubc_req
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values 0 through 255 were seen at least once.
        - name: ubc_res
          overwrite: true
          type: long
          description: This key is only used by the Entropy Parser; the unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values 0 through 255 were seen at least once.
        - name: word
          overwrite: true
          type: keyword
          description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log.
    - name: time
      overwrite: true
      type: group
      fields:
        - name: event_time
          overwrite: true
          type: date
          description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form.
        - name: duration_time
          overwrite: true
          type: double
          description: This key is used to capture the normalized duration/lifetime in seconds.
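The Entropy Parser keys defined above (rsa.internal.entropy_*, ubc_*, mcb_*, mcbc_* and payload_*) are easier to reason about when computed by hand. The following is an added example, not NetWitness or Beats code: it derives all five per-side metrics from constructed request/response bytes and applies a simple "opaque payload" detection rule on top. Two assumptions are made explicit in the code, because the page does not state them: entropy is Shannon entropy in bits per byte (the file only says the meta type is UInt16 or Float32), and on a tie the lowest byte value is reported as the most common byte.

```python
"""Per-side Entropy Parser metrics for a session (added example, not NetWitness code)."""
import math
from collections import Counter


def side_metrics(data: bytes) -> dict:
    """Compute the Entropy Parser metrics for one side (request or response) of a session."""
    counts = Counter(data)
    size = len(data)
    entropy = 0.0
    if size:
        # Assumption: Shannon entropy over the byte histogram, in bits per byte.
        # 0.0 for a single repeated byte, 8.0 when all 256 values are equally frequent.
        entropy = -sum((c / size) * math.log2(c / size) for c in counts.values())
    mcb, mcbc = 0, 0
    if counts:
        mcbc = max(counts.values())                             # how often the most common byte occurred
        mcb = min(b for b, c in counts.items() if c == mcbc)   # assumption: lowest value wins a tie
    return {
        "entropy": entropy,
        "ubc": len(counts),   # unique byte count: 256 means every value 0..255 was seen
        "mcb": mcb,           # most common byte value (0..255)
        "mcbc": mcbc,         # count of that byte in the stream
        "payload": size,      # payload size of this side at parse time
    }


def entropy_meta(request: bytes, response: bytes) -> dict:
    """Return the metrics keyed the way the rsa.internal.* fields in this file are named."""
    meta = {}
    for side, data in (("req", request), ("res", response)):
        m = side_metrics(data)
        meta[f"rsa.internal.entropy_{side}"] = m["entropy"]
        meta[f"rsa.internal.ubc_{side}"] = m["ubc"]
        meta[f"rsa.internal.mcb_{side}"] = m["mcb"]
        meta[f"rsa.internal.mcbc_{side}"] = m["mcbc"]
        meta[f"rsa.internal.payload_{side}"] = m["payload"]
    return meta


def looks_opaque(meta: dict, side: str = "res", min_entropy: float = 7.0, min_bytes: int = 64) -> bool:
    """Detection heuristic with assumed thresholds: a reasonably sized side whose bytes
    are close to uniformly distributed is likely encrypted, compressed or packed."""
    return (meta[f"rsa.internal.payload_{side}"] >= min_bytes
            and meta[f"rsa.internal.entropy_{side}"] >= min_entropy)


# Constructed sample traffic: a 48-byte plaintext HTTP request and a 512-byte
# response in which every byte value occurs exactly twice (entropy 8.0).
PLAINTEXT_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OPAQUE_RES = bytes(range(256)) * 2

if __name__ == "__main__":
    meta = entropy_meta(PLAINTEXT_REQ, OPAQUE_RES)
    for key in sorted(meta):
        print(f"{key} = {meta[key]}")
    print("opaque response:", looks_opaque(meta))
```

Note that entropy_req/entropy_res are typed `long` in this file; if you store a Float32-style value as computed here, map the field as `double` (or scale it to an integer) so Elasticsearch does not truncate it.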
        - name: event_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture an incomplete time mentioned in a session, as a string.
        - name: starttime
          overwrite: true
          type: date
          description: This key is used to capture the start time mentioned in a session, in a standard form.
        - name: month
          overwrite: true
          type: keyword
        - name: day
          overwrite: true
          type: keyword
        - name: endtime
          overwrite: true
          type: date
          description: This key is used to capture the end time mentioned in a session, in a standard form.
        - name: timezone
          overwrite: true
          type: keyword
          description: This key is used to capture the timezone of the event time.
        - name: duration_str
          overwrite: true
          type: keyword
          description: A text string version of the duration.
        - name: date
          overwrite: true
          type: keyword
        - name: year
          overwrite: true
          type: keyword
        - name: recorded_time
          overwrite: true
          type: date
          description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
        - name: datetime
          overwrite: true
          type: keyword
        - name: effective_time
          overwrite: true
          type: date
          description: This key is the effective time referenced by an individual event, in a standard timestamp format.
        - name: expire_time
          overwrite: true
          type: date
          description: This key is the timestamp that explicitly refers to an expiration.
        - name: process_time
          overwrite: true
          type: keyword
          description: Deprecated, use duration.time.
        - name: hour
          overwrite: true
          type: keyword
        - name: min
          overwrite: true
          type: keyword
        - name: timestamp
          overwrite: true
          type: keyword
        - name: event_queue_time
          overwrite: true
          type: date
          description: This key is the time at which the event was queued.
        - name: p_time1
          overwrite: true
          type: keyword
        - name: tzone
          overwrite: true
          type: keyword
        - name: eventtime
          overwrite: true
          type: keyword
        - name: gmtdate
          overwrite: true
          type: keyword
        - name: gmttime
          overwrite: true
          type: keyword
        - name: p_date
          overwrite: true
          type: keyword
        - name: p_month
          overwrite: true
          type: keyword
        - name: p_time
          overwrite: true
          type: keyword
        - name: p_time2
          overwrite: true
          type: keyword
        - name: p_year
          overwrite: true
          type: keyword
        - name: expire_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
        - name: stamp
          overwrite: true
          type: date
          description: Deprecated key defined only in table map.
    - name: misc
      overwrite: true
      type: group
      fields:
        - name: action
          overwrite: true
          type: keyword
        - name: result
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result string value of an action in a session.
        - name: severity
          overwrite: true
          type: keyword
          description: This key is used to capture the severity given in the session.
        - name: event_type
          overwrite: true
          type: keyword
          description: This key captures the event category type as specified by the event source.
        - name: reference_id
          overwrite: true
          type: keyword
          description: This key is used to capture an event ID from the session directly.
        - name: version
          overwrite: true
          type: keyword
          description: This key captures the version of the application or OS which is generating the event.
        - name: disposition
          overwrite: true
          type: keyword
          description: This key captures the end state of an action.
        - name: result_code
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result numeric value of an action in a session.
        - name: category
          overwrite: true
          type: keyword
          description: This key is used to capture the category of an event as given by the vendor in the session.
        - name: obj_name
          overwrite: true
          type: keyword
          description: This is used to capture the name of an object.
        - name: obj_type
          overwrite: true
          type: keyword
          description: This is used to capture the type of an object.
        - name: event_source
          overwrite: true
          type: keyword
          description: This key captures the source of the event when it is not a hostname.
        - name: log_session_id
          overwrite: true
          type: keyword
          description: This key is used to capture a session ID from the session directly.
        - name: group
          overwrite: true
          type: keyword
          description: This key captures the group name value.
        - name: policy_name
          overwrite: true
          type: keyword
          description: This key is used to capture the policy name only.
        - name: rule_name
          overwrite: true
          type: keyword
          description: This key captures the rule name.
        - name: context
          overwrite: true
          type: keyword
          description: This key captures information which adds additional context to the event.
        - name: change_new
          overwrite: true
          type: keyword
          description: This key is used to capture the new value of the attribute that is changing in a session.
        - name: space
          overwrite: true
          type: keyword
        - name: client
          overwrite: true
          type: keyword
          description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
        - name: msgIdPart1
          overwrite: true
          type: keyword
        - name: msgIdPart2
          overwrite: true
          type: keyword
        - name: change_old
          overwrite: true
          type: keyword
          description: This key is used to capture the old value of the attribute that is changing in a session.
        - name: operation_id
          overwrite: true
          type: keyword
          description: An alert number or operation number. The values should be unique and non-repeating.
        - name: event_state
          overwrite: true
          type: keyword
          description: This key captures the current state of the object/item referenced within the event, describing an ongoing event.
        - name: group_object
          overwrite: true
          type: keyword
          description: This key captures a collection/grouping of entities. Specific usage
        - name: node
          overwrite: true
          type: keyword
          description: The common use case is the node name within a cluster. The cluster name is reflected by the host name.
        - name: rule
          overwrite: true
          type: keyword
          description: This key captures the rule number.
        - name: device_name
          overwrite: true
          type: keyword
          description: This is used to capture the name of the device associated with the node, such as a physical disk, printer, etc.
        - name: param
          overwrite: true
          type: keyword
          description: This key holds the parameters passed as part of a command or application, etc.
        - name: change_attrib
          overwrite: true
          type: keyword
          description: This key is used to capture the name of the attribute that is changing in a session.
        - name: event_computer
          overwrite: true
          type: keyword
          description: This key is a Windows-only concept; it is used to capture the fully qualified domain name in a Windows log.
        - name: reference_id1
          overwrite: true
          type: keyword
          description: This key is for a linked ID to be used as an addition to "reference.id".
        - name: event_log
          overwrite: true
          type: keyword
          description: This key captures the name of the event log.
        - name: OS
          overwrite: true
          type: keyword
          description: This key captures the name of the operating system.
        - name: terminal
          overwrite: true
          type: keyword
          description: This key captures terminal names only.
        - name: msgIdPart3
          overwrite: true
          type: keyword
        - name: filter
          overwrite: true
          type: keyword
          description: This key captures the filter used to reduce the result set.
        - name: serial_number
          overwrite: true
          type: keyword
          description: This key is the serial number associated with a physical asset.
        - name: checksum
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of an entity such as a file or process. checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is the source or the target of an action.
        - name: event_user
          overwrite: true
          type: keyword
          description: This key is a Windows-only concept; it is used to capture the combination of domain name and username in a Windows log.
        - name: virusname
          overwrite: true
          type: keyword
          description: This key captures the name of the virus.
        - name: content_type
          overwrite: true
          type: keyword
          description: This key is used to capture the content type only.
        - name: group_id
          overwrite: true
          type: keyword
          description: This key captures the group ID number (related to the group name).
        - name: policy_id
          overwrite: true
          type: keyword
          description: This key is used to capture the policy ID only; this should be a numeric value, use policy.name otherwise.
        - name: vsys
          overwrite: true
          type: keyword
          description: This key captures the virtual system name.
        - name: connection_id
          overwrite: true
          type: keyword
          description: This key captures the connection ID.
        - name: reference_id2
          overwrite: true
          type: keyword
          description: This key is for the 2nd linked ID. It can be linked to either the "reference.id" or the "reference.id1" value, but should not be used unless the other two variables are in play.
        - name: sensor
          overwrite: true
          type: keyword
          description: This key captures the name of the sensor. Typically used in IDS/IPS based devices.
        - name: sig_id
          overwrite: true
          type: long
          description: This key captures the IDS/IPS integer signature ID.
        - name: port_name
          overwrite: true
          type: keyword
          description: 'This key is used for a physical or logical port connection but does NOT include a network port. (Example: printer port name.)'
        - name: rule_group
          overwrite: true
          type: keyword
          description: This key captures the rule group name.
        - name: risk_num
          overwrite: true
          type: double
          description: This key captures a numeric risk value.
        - name: trigger_val
          overwrite: true
          type: keyword
          description: This key captures the value of the trigger or threshold condition.
        - name: log_session_id1
          overwrite: true
          type: keyword
          description: This key is used to capture a linked (related) session ID from the session directly.
        - name: comp_version
          overwrite: true
          type: keyword
          description: This key captures the version level of a sub-component of a product.
        - name: content_version
          overwrite: true
          type: keyword
          description: This key captures the version level of a signature or database content.
        - name: hardware_id
          overwrite: true
          type: keyword
          description: This key is used to capture a unique identifier for a device or system (NOT a MAC address).
        - name: risk
          overwrite: true
          type: keyword
          description: This key captures the non-numeric risk value.
        - name: event_id
          overwrite: true
          type: keyword
        - name: reason
          overwrite: true
          type: keyword
        - name: status
          overwrite: true
          type: keyword
        - name: mail_id
          overwrite: true
          type: keyword
          description: This key is used to capture the mailbox ID/name.
        - name: rule_uid
          overwrite: true
          type: keyword
          description: This key is the unique identifier for a rule.
        - name: trigger_desc
          overwrite: true
          type: keyword
          description: This key captures the description of the trigger or threshold condition.
        - name: inout
          overwrite: true
          type: keyword
        - name: p_msgid
          overwrite: true
          type: keyword
        - name: data_type
          overwrite: true
          type: keyword
        - name: msgIdPart4
          overwrite: true
          type: keyword
        - name: error
          overwrite: true
          type: keyword
          description: This key captures all non-successful error codes or responses.
        - name: index
          overwrite: true
          type: keyword
        - name: listnum
          overwrite: true
          type: keyword
          description: This key is used to capture a list name or list number, primarily for collecting access-lists.
        - name: ntype
          overwrite: true
          type: keyword
        - name: observed_val
          overwrite: true
          type: keyword
          description: This key captures the value observed (from the perspective of the device generating the log).
        - name: policy_value
          overwrite: true
          type: keyword
          description: This key captures the contents of the policy, with details about the policy.
        - name: pool_name
          overwrite: true
          type: keyword
          description: This key captures the name of a resource pool.
        - name: rule_template
          overwrite: true
          type: keyword
          description: A default set of parameters which are overlaid onto a rule (or rule name) and which effectively constitutes a template.
        - name: count
          overwrite: true
          type: keyword
        - name: number
          overwrite: true
          type: keyword
        - name: sigcat
          overwrite: true
          type: keyword
        - name: type
          overwrite: true
          type: keyword
        - name: comments
          overwrite: true
          type: keyword
          description: Comment information provided in the log message.
        - name: doc_number
          overwrite: true
          type: long
          description: This key captures the file identification number.
        - name: expected_val
          overwrite: true
          type: keyword
          description: This key captures the value expected (from the perspective of the device generating the log).
        - name: job_num
          overwrite: true
          type: keyword
          description: This key captures the job number.
        - name: spi_dst
          overwrite: true
          type: keyword
          description: Destination SPI index.
        - name: spi_src
          overwrite: true
          type: keyword
          description: Source SPI index.
        - name: code
          overwrite: true
          type: keyword
        - name: agent_id
          overwrite: true
          type: keyword
          description: This key is used to capture the agent ID.
        - name: message_body
          overwrite: true
          type: keyword
          description: This key captures the contents of the message body.
        - name: phone
          overwrite: true
          type: keyword
        - name: sig_id_str
          overwrite: true
          type: keyword
          description: This key captures a string version of the sig_id value.
        - name: cmd
          overwrite: true
          type: keyword
        - name: misc
          overwrite: true
          type: keyword
        - name: name
          overwrite: true
          type: keyword
        - name: cpu
          overwrite: true
          type: long
          description: This key is the CPU time used in the execution of the event being recorded.
        - name: event_desc
          overwrite: true
          type: keyword
          description: This key is used to capture a description of an event, available directly or inferred.
        - name: sig_id1
          overwrite: true
          type: long
          description: This key captures an IDS/IPS integer signature ID. This must be linked to sig.id.
        - name: im_buddyid
          overwrite: true
          type: keyword
        - name: im_client
          overwrite: true
          type: keyword
        - name: im_userid
          overwrite: true
          type: keyword
        - name: pid
          overwrite: true
          type: keyword
        - name: priority
          overwrite: true
          type: keyword
        - name: context_subject
          overwrite: true
          type: keyword
          description: This key is to be used in an audit context where the subject is the object being identified.
        - name: context_target
          overwrite: true
          type: keyword
        - name: cve
          overwrite: true
          type: keyword
          description: This key captures a CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability.
        - name: fcatnum
          overwrite: true
          type: keyword
          description: This key captures the filter category number. Legacy usage.
        - name: library
          overwrite: true
          type: keyword
          description: This key is used to capture library information in mainframe devices.
        - name: parent_node
          overwrite: true
          type: keyword
          description: This key captures the parent node name. Must be related to the node variable.
        - name: risk_info
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*).
        - name: tcp_flags
          overwrite: true
          type: long
          description: This key captures the TCP flags set in any packet of the session.
        - name: tos
          overwrite: true
          type: long
          description: This key describes the type of service.
        - name: vm_target
          overwrite: true
          type: keyword
          description: VMware target. VMware-only variable.
        - name: workspace
          overwrite: true
          type: keyword
          description: This key captures the workspace description.
        - name: command
          overwrite: true
          type: keyword
        - name: event_category
          overwrite: true
          type: keyword
        - name: facilityname
          overwrite: true
          type: keyword
        - name: forensic_info
          overwrite: true
          type: keyword
        - name: jobname
          overwrite: true
          type: keyword
        - name: mode
          overwrite: true
          type: keyword
        - name: policy
          overwrite: true
          type: keyword
        - name: policy_waiver
          overwrite: true
          type: keyword
        - name: second
          overwrite: true
          type: keyword
        - name: space1
          overwrite: true
          type: keyword
        - name: subcategory
          overwrite: true
          type: keyword
        - name: tbdstr2
          overwrite: true
          type: keyword
        - name: alert_id
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*).
        - name: checksum_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the target entity, such as a process or file.
        - name: checksum_src
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the source entity, such as a file or process.
        - name: fresult
          overwrite: true
          type: long
          description: This key captures the filter result.
        - name: payload_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the destination payload.
        - name: payload_src
          overwrite: true
          type: keyword
          description: This key is used to capture the source payload.
        - name: pool_id
          overwrite: true
          type: keyword
          description: This key captures the identifier (typically a numeric field) of a resource pool.
        - name: process_id_val
          overwrite: true
          type: keyword
          description: This key holds the process ID when it is not an integer value (a fallback for the integer process ID key).
        - name: risk_num_comm
          overwrite: true
          type: double
          description: This key captures the Risk Number Community.
        - name: risk_num_next
          overwrite: true
          type: double
          description: This key captures the Risk Number NextGen.
        - name: risk_num_sand
          overwrite: true
          type: double
          description: This key captures the Risk Number SandBox.
        - name: risk_num_static
          overwrite: true
          type: double
          description: This key captures the Risk Number Static.
        - name: risk_suspicious
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*).
        - name: risk_warning
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*).
        - name: snmp_oid
          overwrite: true
          type: keyword
          description: SNMP object identifier.
        - name: sql
          overwrite: true
          type: keyword
          description: This key captures the SQL query.
        - name: vuln_ref
          overwrite: true
          type: keyword
          description: This key captures the vulnerability reference details.
        - name: acl_id
          overwrite: true
          type: keyword
        - name: acl_op
          overwrite: true
          type: keyword
        - name: acl_pos
          overwrite: true
          type: keyword
        - name: acl_table
          overwrite: true
          type: keyword
        - name: admin
          overwrite: true
          type: keyword
        - name: alarm_id
          overwrite: true
          type: keyword
        - name: alarmname
          overwrite: true
          type: keyword
        - name: app_id
          overwrite: true
          type: keyword
        - name: audit
          overwrite: true
          type: keyword
        - name: audit_object
          overwrite: true
          type: keyword
        - name: auditdata
          overwrite: true
          type: keyword
        - name: benchmark
          overwrite: true
          type: keyword
        - name: bypass
          overwrite: true
          type: keyword
        - name: cache
          overwrite: true
          type: keyword
        - name: cache_hit
          overwrite: true
          type: keyword
        - name: cefversion
          overwrite: true
          type: keyword
        - name: cfg_attr
          overwrite: true
          type: keyword
        - name: cfg_obj
          overwrite: true
          type: keyword
        - name: cfg_path
          overwrite: true
          type: keyword
        - name: changes
          overwrite: true
          type: keyword
        - name: client_ip
          overwrite: true
          type: keyword
        - name: clustermembers
          overwrite: true
          type: keyword
        - name: cn_acttimeout
          overwrite: true
          type: keyword
        - name: cn_asn_src
          overwrite: true
          type: keyword
        - name: cn_bgpv4nxthop
          overwrite: true
          type: keyword
        - name: cn_ctr_dst_code
          overwrite: true
          type: keyword
        - name: cn_dst_tos
          overwrite: true
          type: keyword
        - name: cn_dst_vlan
          overwrite: true
          type: keyword
        - name: cn_engine_id
          overwrite: true
          type: keyword
        - name: cn_engine_type
          overwrite: true
          type: keyword
        - name: cn_f_switch
          overwrite: true
          type: keyword
        - name: cn_flowsampid
          overwrite: true
          type: keyword
        - name: cn_flowsampintv
          overwrite: true
          type: keyword
        - name: cn_flowsampmode
          overwrite: true
          type: keyword
        - name: cn_inacttimeout
          overwrite: true
          type: keyword
        - name: cn_inpermbyts
          overwrite: true
          type: keyword
        - name: cn_inpermpckts
          overwrite: true
          type: keyword
        - name: cn_invalid
          overwrite: true
          type: keyword
        - name: cn_ip_proto_ver
          overwrite: true
          type: keyword
        - name: cn_ipv4_ident
          overwrite: true
          type: keyword
        - name: cn_l_switch
          overwrite: true
          type: keyword
        - name: cn_log_did
          overwrite: true
          type: keyword
        - name: cn_log_rid
          overwrite: true
          type: keyword
        - name: cn_max_ttl
          overwrite: true
          type: keyword
        - name: cn_maxpcktlen
          overwrite: true
          type: keyword
        - name: cn_min_ttl
          overwrite: true
          type: keyword
        - name: cn_minpcktlen
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_1
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_10
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_2
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_3
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_4
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_5
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_6
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_7
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_8
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_9
          overwrite: true
          type: keyword
        - name: cn_mplstoplabel
          overwrite: true
          type: keyword
        - name: cn_mplstoplabip
          overwrite: true
          type: keyword
        - name: cn_mul_dst_byt
          overwrite: true
          type: keyword
        - name: cn_mul_dst_pks
          overwrite: true
          type: keyword
        - name: cn_muligmptype
          overwrite: true
          type: keyword
        - name: cn_sampalgo
          overwrite: true
          type: keyword
        - name: cn_sampint
          overwrite: true
          type: keyword
        - name: cn_seqctr
          overwrite: true
          type: keyword
        - name: cn_spackets
          overwrite: true
          type: keyword
        - name: cn_src_tos
          overwrite: true
          type: keyword
        - name: cn_src_vlan
          overwrite: true
          type: keyword
        - name: cn_sysuptime
          overwrite: true
          type: keyword
        - name: cn_template_id
          overwrite: true
          type: keyword
        - name: cn_totbytsexp
          overwrite: true
          type: keyword
        - name: cn_totflowexp
          overwrite: true
          type: keyword
        - name: cn_totpcktsexp
          overwrite: true
          type: keyword
        - name: cn_unixnanosecs
          overwrite: true
          type: keyword
        - name: cn_v6flowlabel
          overwrite: true
          type: keyword
        - name: cn_v6optheaders
          overwrite: true
          type: keyword
        - name: comp_class
          overwrite: true
          type: keyword
        - name: comp_name
          overwrite: true
          type: keyword
        - name: comp_rbytes
          overwrite: true
          type: keyword
        - name: comp_sbytes
          overwrite: true
          type: keyword
        - name: cpu_data
          overwrite: true
          type: keyword
        - name: criticality
          overwrite: true
          type: keyword
        - name: cs_agency_dst
          overwrite: true
          type: keyword
        - name: cs_analyzedby
          overwrite: true
          type: keyword
        - name: cs_av_other
          overwrite: true
          type: keyword
        - name: cs_av_primary
          overwrite: true
          type: keyword
        - name: cs_av_secondary
          overwrite: true
          type: keyword
        - name: cs_bgpv6nxthop
          overwrite: true
          type: keyword
        - name: cs_bit9status
          overwrite: true
          type: keyword
        - name: cs_context
          overwrite: true
          type: keyword
        - name: cs_control
          overwrite: true
          type: keyword
        - name: cs_data
          overwrite: true
          type: keyword
        - name: cs_datecret
          overwrite: true
          type: keyword
        - name: cs_dst_tld
          overwrite: true
          type: keyword
        - name: cs_eth_dst_ven
          overwrite: true
          type: keyword
        - name: cs_eth_src_ven
          overwrite: true
          type: keyword
        - name: cs_event_uuid
          overwrite: true
          type: keyword
        - name: cs_filetype
          overwrite: true
          type: keyword
        - name: cs_fld
          overwrite: true
          type: keyword
        - name: cs_if_desc
          overwrite: true
          type: keyword
        - name: cs_if_name
          overwrite: true
          type: keyword
        - name: cs_ip_next_hop
          overwrite: true
          type: keyword
        - name: cs_ipv4dstpre
          overwrite: true
          type: keyword
        - name: cs_ipv4srcpre
          overwrite: true
          type: keyword
        - name: cs_lifetime
          overwrite: true
          type: keyword
        - name: cs_log_medium
          overwrite: true
          type: keyword
        - name: cs_loginname
          overwrite: true
          type: keyword
        - name: cs_modulescore
          overwrite: true
          type: keyword
        - name: cs_modulesign
          overwrite: true
          type: keyword
        - name: cs_opswatresult
          overwrite: true
          type: keyword
        - name: cs_payload
          overwrite: true
          type: keyword
        - name: cs_registrant
          overwrite: true
          type: keyword
        - name: cs_registrar
          overwrite: true
          type: keyword
        - name: cs_represult
          overwrite: true
          type: keyword
        - name: cs_rpayload
          overwrite: true
          type: keyword
        - name: cs_sampler_name
          overwrite: true
          type: keyword
        - name: cs_sourcemodule
          overwrite: true
          type: keyword
        - name: cs_streams
          overwrite: true
          type: keyword
        - name: cs_targetmodule
          overwrite: true
          type: keyword
        - name: cs_v6nxthop
          overwrite: true
          type: keyword
        - name: cs_whois_server
          overwrite: true
          type: keyword
        - name: cs_yararesult
          overwrite: true
          type: keyword
        - name: description
          overwrite: true
          type: keyword
        - name: devvendor
          overwrite: true
          type: keyword
        - name: distance
          overwrite: true
          type: keyword
        - name: dstburb
          overwrite: true
          type: keyword
        - name: edomain
          overwrite: true
          type: keyword
        - name: edomaub
          overwrite: true
          type: keyword
        - name: euid
          overwrite: true
          type: keyword
        - name: facility
          overwrite: true
          type: keyword
        - name: finterface
          overwrite: true
          type: keyword
        - name: flags
          overwrite: true
          type: keyword
        - name: gaddr
          overwrite: true
          type: keyword
        - name: id3
          overwrite: true
          type: keyword
        - name: im_buddyname
          overwrite: true
          type: keyword
        - name: im_croomid
          overwrite: true
          type: keyword
        - name: im_croomtype
          overwrite: true
          type: keyword
        - name: im_members
          overwrite: true
          type: keyword
        - name: im_username
          overwrite: true
          type: keyword
        - name: ipkt
          overwrite: true
          type: keyword
        - name: ipscat
          overwrite: true
          type: keyword
        - name: ipspri
          overwrite: true
          type: keyword
        - name: latitude
          overwrite: true
          type: keyword
        - name: linenum
          overwrite: true
          type: keyword
        - name: list_name
          overwrite: true
          type: keyword
        - name: load_data
          overwrite: true
          type: keyword
        - name: location_floor
          overwrite: true
          type: keyword
        - name: location_mark
          overwrite: true
          type: keyword
        - name: log_id
          overwrite: true
          type: keyword
        - name: log_type
          overwrite: true
          type: keyword
        - name: logid
          overwrite: true
          type: keyword
        - name: logip
          overwrite: true
          type: keyword
        - name: logname
          overwrite: true
          type: keyword
        - name: longitude
          overwrite: true
          type: keyword
        - name: lport
          overwrite: true
          type: keyword
        - name: mbug_data
          overwrite: true
          type: keyword
        - name: misc_name
          overwrite: true
          type: keyword
        - name: msg_type
          overwrite: true
          type: keyword
        - name: msgid
          overwrite: true
          type: keyword
        - name: netsessid
          overwrite: true
          type: keyword
        - name: num
          overwrite: true
          type: keyword
        - name: number1
          overwrite: true
          type: keyword
        - name: number2
          overwrite: true
          type: keyword
        - name: nwwn
          overwrite: true
          type: keyword
        - name: object
          overwrite: true
          type: keyword
        - name: operation
          overwrite: true
          type: keyword
        - name: opkt
          overwrite: true
          type: keyword
        - name: orig_from
          overwrite: true
          type: keyword
        - name: owner_id
          overwrite: true
          type: keyword
        - name: p_action
          overwrite: true
          type: keyword
        - name: p_filter
          overwrite: true
          type: keyword
        - name: p_group_object
          overwrite: true
          type: keyword
        - name: p_id
          overwrite: true
          type: keyword
        - name: p_msgid1
          overwrite: true
          type: keyword
        - name: p_msgid2
          overwrite: true
          type: keyword
        - name: p_result1
          overwrite: true
          type: keyword
        - name: password_chg
          overwrite: true
          type: keyword
        - name: password_expire
          overwrite: true
          type: keyword
        - name: permgranted
          overwrite: true
          type: keyword
        - name: permwanted
          overwrite: true
          type: keyword
        - name: pgid
          overwrite: true
          type: keyword
        - name: policyUUID
          overwrite: true
          type: keyword
        - name: prog_asp_num
          overwrite: true
          type: keyword
        - name: program
          overwrite: true
          type: keyword
        - name: real_data
          overwrite: true
          type: keyword
        - name: rec_asp_device
          overwrite: true
          type: keyword
        - name: rec_asp_num
          overwrite: true
          type: keyword
        - name: rec_library
          overwrite: true
          type: keyword
        - name: recordnum
          overwrite: true
          type: keyword
        - name: ruid
          overwrite: true
          type: keyword
        - name: sburb
          overwrite: true
          type: keyword
        - name: sdomain_fld
          overwrite: true
          type: keyword
        - name: sec
          overwrite: true
          type: keyword
        - name: sensorname
          overwrite: true
          type: keyword
        - name: seqnum
          overwrite: true
          type: keyword
        - name: session
          overwrite: true
          type: keyword
        - name: sessiontype
          overwrite: true
          type: keyword
        - name: sigUUID
          overwrite: true
          type: keyword
        - name: spi
          overwrite: true
          type: keyword
        - name: srcburb
          overwrite: true
          type: keyword
        - name: srcdom
          overwrite: true
          type: keyword
        - name: srcservice
          overwrite: true
          type: keyword
        - name: state
          overwrite: true
          type: keyword
        - name: status1
          overwrite: true
          type: keyword
        - name: svcno
          overwrite: true
          type: keyword
        - name: system
          overwrite: true
          type: keyword
        - name: tbdstr1
          overwrite: true
          type: keyword
        - name: tgtdom
          overwrite: true
          type: keyword
        - name: tgtdomain
          overwrite: true
          type: keyword
        - name: threshold
          overwrite: true
          type: keyword
        - name: type1
          overwrite: true
          type: keyword
        - name: udb_class
          overwrite: true
          type: keyword
        - name: url_fld
          overwrite: true
          type: keyword
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of a regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for the regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures the source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures the number of streams in a session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures the IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures the permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname, i.e. any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing the source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet Type, used for Layer 3 Protocols only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual LAN
        - name: investigations
          overwrite: true
          type: group
          fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviours of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
        - name: counters
          overwrite: true
          type: group
          fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r3 only
        - name: identity
          overwrite: true
          type: group
          fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture the authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture the actual privileges used in accessing an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures the Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare to capture Patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare to capture Patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures the Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in Healthcare to capture Patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
        - name: email
          overwrite: true
          type: group
          fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only; when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
        - name: file
          overwrite: true
          type: group
          fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file, located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
        - name: web
          overwrite: true
          type: group
          fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures the query portion of the Web referer's URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures the Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
        - name: threat
          overwrite: true
          type: group
          fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures the Threat Name/Threat Category/Categorization of an alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description, taken from the session directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
        - name: crypto
          overwrite: true
          type: group
          fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for the Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for the Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures the Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for the Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for the Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures the Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures the Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP Maxmind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: fortinet title: Fortinet description: > fortinet Module fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures the Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only variable. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of a regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
      - name: snmp_value
        overwrite: true
        type: keyword
        description: SNMP set request value
      - name: streams
        overwrite: true
        type: long
        description: This key captures number of streams in session
    - name: db
      overwrite: true
      type: group
      fields:
      - name: index
        overwrite: true
        type: keyword
        description: This key captures IndexID of the index.
      - name: instance
        overwrite: true
        type: keyword
        description: This key is used to capture the database server instance name
      - name: database
        overwrite: true
        type: keyword
        description: This key is used to capture the name of a database or an instance as seen in a session
      - name: transact_id
        overwrite: true
        type: keyword
        description: This key captures the SQL transaction ID of the current session
      - name: permissions
        overwrite: true
        type: keyword
        description: This key captures permission or privilege level assigned to a resource.
      - name: table_name
        overwrite: true
        type: keyword
        description: This key is used to capture the table name
      - name: db_id
        overwrite: true
        type: keyword
        description: This key is used to capture the unique identifier for a database
      - name: db_pid
        overwrite: true
        type: long
        description: This key captures the process id of a connection with database server
      - name: lread
        overwrite: true
        type: long
        description: This key is used for the number of logical reads
      - name: lwrite
        overwrite: true
        type: long
        description: This key is used for the number of logical writes
      - name: pread
        overwrite: true
        type: long
        description: This key is used for the number of physical writes
    - name: network
      overwrite: true
      type: group
      fields:
      - name: alias_host
        overwrite: true
        type: keyword
        description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
      - name: domain
        overwrite: true
        type: keyword
      - name: host_dst
        overwrite: true
        type: keyword
        description: "This key should only be used when it\u2019s a Destination Hostname"
      - name: network_service
        overwrite: true
        type: keyword
        description: This is used to capture layer 7 protocols/service names
      - name: interface
        overwrite: true
        type: keyword
        description: This key should be used when the source or destination context of an interface is not clear
      - name: network_port
        overwrite: true
        type: long
        description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
      - name: eth_host
        overwrite: true
        type: keyword
        description: Deprecated, use alias.mac
      - name: sinterface
        overwrite: true
        type: keyword
        description: "This key should only be used when it\u2019s a Source Interface"
      - name: dinterface
        overwrite: true
        type: keyword
        description: "This key should only be used when it\u2019s a Destination Interface"
      - name: vlan
        overwrite: true
        type: long
        description: This key should only be used to capture the ID of the Virtual LAN
      - name: zone_src
        overwrite: true
        type: keyword
        description: "This key should only be used when it\u2019s a Source Zone."
      - name: zone
        overwrite: true
        type: keyword
        description: This key should be used when the source or destination context of a Zone is not clear
      - name: zone_dst
        overwrite: true
        type: keyword
        description: "This key should only be used when it\u2019s a Destination Zone."
      - name: gateway
        overwrite: true
        type: keyword
        description: This key is used to capture the IP Address of the gateway
      - name: icmp_type
        overwrite: true
        type: long
        description: This key is used to capture the ICMP type only
      - name: mask
        overwrite: true
        type: keyword
        description: This key is used to capture the device network IPmask.
      - name: icmp_code
        overwrite: true
        type: long
        description: This key is used to capture the ICMP code only
      - name: protocol_detail
        overwrite: true
        type: keyword
        description: This key should be used to capture additional protocol information
      - name: dmask
        overwrite: true
        type: keyword
        description: This key is used for Destination Device network mask
      - name: port
        overwrite: true
        type: long
        description: This key should only be used to capture a Network Port when the directionality is not clear
      - name: smask
        overwrite: true
        type: keyword
        description: This key is used for capturing source Network Mask
      - name: netname
        overwrite: true
        type: keyword
        description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
      - name: paddr
        overwrite: true
        type: ip
        description: Deprecated
      - name: faddr
        overwrite: true
        type: keyword
      - name: lhost
        overwrite: true
        type: keyword
      - name: origin
        overwrite: true
        type: keyword
      - name: remote_domain_id
        overwrite: true
        type: keyword
      - name: addr
        overwrite: true
        type: keyword
      - name: dns_a_record
        overwrite: true
        type: keyword
      - name: dns_ptr_record
        overwrite: true
        type: keyword
      - name: fhost
        overwrite: true
        type: keyword
      - name: fport
        overwrite: true
        type: keyword
      - name: laddr
        overwrite: true
        type: keyword
      - name: linterface
        overwrite: true
        type: keyword
      - name: phost
        overwrite: true
        type: keyword
      - name: ad_computer_dst
        overwrite: true
        type: keyword
        description: Deprecated, use host.dst
      - name: eth_type
        overwrite: true
        type: long
        description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
      - name: ip_proto
        overwrite: true
        type: long
        description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
      - name: dns_cname_record
        overwrite: true
        type: keyword
      - name: dns_id
        overwrite: true
        type: keyword
      - name: dns_opcode
        overwrite: true
        type: keyword
      - name: dns_resp
        overwrite: true
        type: keyword
      - name: dns_type
        overwrite: true
        type: keyword
      - name: domain1
        overwrite: true
        type: keyword
      - name: host_type
        overwrite: true
        type: keyword
      - name: packet_length
        overwrite: true
        type: keyword
      - name: host_orig
        overwrite: true
        type: keyword
        description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
      - name: rpayload
        overwrite: true
        type: keyword
        description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
      - name: vlan_name
        overwrite: true
        type: keyword
        description: This key should only be used to capture the name of the Virtual LAN
    - name: investigations
      overwrite: true
      type: group
      fields:
      - name: ec_activity
        overwrite: true
        type: keyword
        description: This key captures the particular event activity(Ex:Logoff)
      - name: ec_theme
        overwrite: true
        type: keyword
        description: This key captures the Theme of a particular Event(Ex:Authentication)
      - name: ec_subject
        overwrite: true
        type: keyword
        description: This key captures the Subject of a particular Event(Ex:User)
      - name: ec_outcome
        overwrite: true
        type: keyword
        description: This key captures the outcome of a particular Event(Ex:Success)
      - name: event_cat
        overwrite: true
        type: long
        description: This key captures the Event category number
      - name: event_cat_name
        overwrite: true
        type: keyword
        description: This key captures the event category name corresponding to the event cat code
      - name: event_vcat
        overwrite: true
        type: keyword
        description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
      - name: analysis_file
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
      - name: analysis_service
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
      - name: analysis_session
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
      - name: boc
        overwrite: true
        type: keyword
        description: This is used to capture behaviour of compromise
      - name: eoc
        overwrite: true
        type: keyword
        description: This is used to capture Enablers of Compromise
      - name: inv_category
        overwrite: true
        type: keyword
        description: This is used to capture investigation category
      - name: inv_context
        overwrite: true
        type: keyword
        description: This is used to capture investigation context
      - name: ioc
        overwrite: true
        type: keyword
        description: This key captures indicator of compromise
    - name: counters
      overwrite: true
      type: group
      fields:
      - name: dclass_c1
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c1.str only
      - name: dclass_c2
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c2.str only
      - name: event_counter
        overwrite: true
        type: long
        description: This is used to capture the number of times an event repeated
      - name: dclass_r1
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r1.str only
      - name: dclass_c3
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c3.str only
      - name: dclass_c1_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c1 only
      - name: dclass_c2_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c2 only
      - name: dclass_r1_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r1 only
      - name: dclass_r2
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r2.str only
      - name: dclass_c3_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c3 only
      - name: dclass_r3
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r3.str only
      - name: dclass_r2_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r2 only
      - name: dclass_r3_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r3 only
    - name: identity
      overwrite: true
      type: group
      fields:
      - name: auth_method
        overwrite: true
        type: keyword
        description: This key is used to capture authentication methods used only
      - name: user_role
        overwrite: true
        type: keyword
        description: This key is used to capture the Role of a user only
      - name: dn
        overwrite: true
        type: keyword
        description: X.500 (LDAP) Distinguished Name
      - name: logon_type
        overwrite: true
        type: keyword
        description: This key is used to capture the type of logon method used.
      - name: profile
        overwrite: true
        type: keyword
        description: This key is used to capture the user profile
      - name: accesses
        overwrite: true
        type: keyword
        description: This key is used to capture actual privileges used in accessing an object
      - name: realm
        overwrite: true
        type: keyword
        description: Radius realm or similar grouping of accounts
      - name: user_sid_dst
        overwrite: true
        type: keyword
        description: This key captures Destination User Session ID
      - name: dn_src
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
      - name: org
        overwrite: true
        type: keyword
        description: This key captures the User organization
      - name: dn_dst
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
      - name: firstname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: lastname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: user_dept
        overwrite: true
        type: keyword
        description: User's Department Names only
      - name: user_sid_src
        overwrite: true
        type: keyword
        description: This key captures Source User Session ID
      - name: federated_sp
        overwrite: true
        type: keyword
        description: This key is the Federated Service Provider. This is the application requesting authentication.
      - name: federated_idp
        overwrite: true
        type: keyword
        description: This key is the federated Identity Provider. This is the server providing the authentication.
      - name: logon_type_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
      - name: middlename
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
      - name: password
        overwrite: true
        type: keyword
        description: This key is for Passwords seen in any session, plain text or encrypted
      - name: host_role
        overwrite: true
        type: keyword
        description: This key should only be used to capture the role of a Host Machine
      - name: ldap
        overwrite: true
        type: keyword
        description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
      - name: ldap_query
        overwrite: true
        type: keyword
        description: This key is the Search criteria from an LDAP search
      - name: ldap_response
        overwrite: true
        type: keyword
        description: This key is to capture Results from an LDAP search
      - name: owner
        overwrite: true
        type: keyword
        description: This is used to capture username the process or service is running as, the author of the task
      - name: service_account
        overwrite: true
        type: keyword
        description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
    - name: email
      overwrite: true
      type: group
      fields:
      - name: email_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the Destination email address only, when the destination context is not clear use email
      - name: email_src
        overwrite: true
        type: keyword
        description: This key is used to capture the source email address only, when the source context is not clear use email
      - name: subject
        overwrite: true
        type: keyword
        description: This key is used to capture the subject string from an Email only.
      - name: email
        overwrite: true
        type: keyword
        description: This key is used to capture a generic email address where the source or destination context is not clear
      - name: trans_from
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: trans_to
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
    - name: file
      overwrite: true
      type: group
      fields:
      - name: privilege
        overwrite: true
        type: keyword
        description: Deprecated, use permissions
      - name: attachment
        overwrite: true
        type: keyword
        description: This key captures the attachment file name
      - name: filesystem
        overwrite: true
        type: keyword
      - name: binary
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: filename_dst
        overwrite: true
        type: keyword
        description: This is used to capture name of the file targeted by the action
      - name: filename_src
        overwrite: true
        type: keyword
        description: This is used to capture name of the parent filename, the file which performed the action
      - name: filename_tmp
        overwrite: true
        type: keyword
      - name: directory_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the target process or file
      - name: directory_src
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the source process or file
      - name: file_entropy
        overwrite: true
        type: double
        description: This is used to capture entropy value of a file
      - name: file_vendor
        overwrite: true
        type: keyword
        description: This is used to capture Company name of file located in version_info
      - name: task_name
        overwrite: true
        type: keyword
        description: This is used to capture name of the task
    - name: web
      overwrite: true
      type: group
      fields:
      - name: fqdn
        overwrite: true
        type: keyword
        description: Fully Qualified Domain Names
      - name: web_cookie
        overwrite: true
        type: keyword
        description: This key is used to capture the Web cookies specifically.
      - name: alias_host
        overwrite: true
        type: keyword
      - name: reputation_num
        overwrite: true
        type: double
        description: Reputation Number of an entity. Typically used for Web Domains
      - name: web_ref_domain
        overwrite: true
        type: keyword
        description: Web referer's domain
      - name: web_ref_query
        overwrite: true
        type: keyword
        description: This key captures Web referer's query portion of the URL
      - name: remote_domain
        overwrite: true
        type: keyword
      - name: web_ref_page
        overwrite: true
        type: keyword
        description: This key captures Web referer's page information
      - name: web_ref_root
        overwrite: true
        type: keyword
        description: Web referer's root URL path
      - name: cn_asn_dst
        overwrite: true
        type: keyword
      - name: cn_rpackets
        overwrite: true
        type: keyword
      - name: urlpage
        overwrite: true
        type: keyword
      - name: urlroot
        overwrite: true
        type: keyword
      - name: p_url
        overwrite: true
        type: keyword
      - name: p_user_agent
        overwrite: true
        type: keyword
      - name: p_web_cookie
        overwrite: true
        type: keyword
      - name: p_web_method
        overwrite: true
        type: keyword
      - name: p_web_referer
        overwrite: true
        type: keyword
      - name: web_extension_tmp
        overwrite: true
        type: keyword
      - name: web_page
        overwrite: true
        type: keyword
    - name: threat
      overwrite: true
      type: group
      fields:
      - name: threat_category
        overwrite: true
        type: keyword
        description: This key captures Threat Name/Threat Category/Categorization of alert
      - name: threat_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the threat description from the session directly or inferred
      - name: alert
        overwrite: true
        type: keyword
        description: This key is used to capture name of the alert
      - name: threat_source
        overwrite: true
        type: keyword
        description: This key is used to capture source of the threat
    - name: crypto
      overwrite: true
      type: group
      fields:
      - name: crypto
        overwrite: true
        type: keyword
        description: This key is used to capture the Encryption Type or Encryption Key only
      - name: cipher_src
        overwrite: true
        type: keyword
        description: This key is for Source (Client) Cipher
      - name: cert_subject
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate organization only
      - name: peer
        overwrite: true
        type: keyword
        description: This key is for Encryption peer's IP Address
      - name: cipher_size_src
        overwrite: true
        type: long
        description: This key captures Source (Client) Cipher Size
      - name: ike
        overwrite: true
        type: keyword
        description: IKE negotiation phase.
      - name: scheme
        overwrite: true
        type: keyword
        description: This key captures the Encryption scheme used
      - name: peer_id
        overwrite: true
        type: keyword
        description: "This key is for Encryption peer\u2019s identity"
      - name: sig_type
        overwrite: true
        type: keyword
        description: This key captures the Signature Type
      - name: cert_issuer
        overwrite: true
        type: keyword
      - name: cert_host_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: cert_error
        overwrite: true
        type: keyword
        description: This key captures the Certificate Error String
      - name: cipher_dst
        overwrite: true
        type: keyword
        description: This key is for Destination (Server) Cipher
      - name: cipher_size_dst
        overwrite: true
        type: long
        description: This key captures Destination (Server) Cipher Size
      - name: ssl_ver_src
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: d_certauth
        overwrite: true
        type: keyword
      - name: s_certauth
        overwrite: true
        type: keyword
      - name: ike_cookie1
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
      - name: ike_cookie2
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
      - name: cert_checksum
        overwrite: true
        type: keyword
      - name: cert_host_cat
        overwrite: true
        type: keyword
        description: This key is used for the hostname category value of a certificate
      - name: cert_serial
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate serial number only
      - name: cert_status
        overwrite: true
        type: keyword
        description: This key captures Certificate validation status
      - name: ssl_ver_dst
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: cert_keysize
        overwrite: true
        type: keyword
      - name: cert_username
        overwrite: true
        type: keyword
      - name: https_insact
        overwrite: true
        type: keyword
      - name: https_valid
        overwrite: true
        type: keyword
      - name: cert_ca
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate signing authority only
      - name: cert_common
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate common name only
    - name: wireless
      overwrite: true
      type: group
      fields:
      - name: wlan_ssid
        overwrite: true
        type: keyword
        description: This key is used to capture the ssid of a Wireless Session
      - name: access_point
        overwrite: true
        type: keyword
        description: This key is used to capture the access point name.
      - name: wlan_channel
        overwrite: true
        type: long
        description: This is used to capture the channel names
      - name: wlan_name
        overwrite: true
        type: keyword
        description: This key captures either WLAN number/name
    - name: storage
      overwrite: true
      type: group
      fields:
      - name: disk_volume
        overwrite: true
        type: keyword
        description: A unique name assigned to logical units (volumes) within a physical disk
      - name: lun
        overwrite: true
        type: keyword
        description: Logical Unit Number. This key is a very useful concept in Storage.
      - name: pwwn
        overwrite: true
        type: keyword
        description: This uniquely identifies a port on an HBA.
    - name: physical
      overwrite: true
      type: group
      fields:
      - name: org_dst
        overwrite: true
        type: keyword
        description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
      - name: org_src
        overwrite: true
        type: keyword
        description: This is used to capture the source organization based on the GEOPIP Maxmind database.
    - name: healthcare
      overwrite: true
      type: group
      fields:
      - name: patient_fname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_id
        overwrite: true
        type: keyword
        description: This key captures the unique ID for a patient
      - name: patient_lname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_mname
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
    - name: endpoint
      overwrite: true
      type: group
      fields:
      - name: host_state
        overwrite: true
        type: keyword
        description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
      - name: registry_key
        overwrite: true
        type: keyword
        description: This key captures the path to the registry key
      - name: registry_value
        overwrite: true
        type: keyword
        description: This key captures values or decorators used within a registry entry
  - name: fortinet
    type: group
    description: >
      Fields from fortinet FortiOS
    fields:
    - name: file.hash.crc32
      type: keyword
      description: >
        CRC32 Hash of file
    - name: firewall
      type: group
      release: beta
      default_field: false
      description: >
        Module for parsing Fortinet syslog.
      fields:
      - name: acct_stat
        type: keyword
        description: >
          Accounting state (RADIUS)
      - name: acktime
        type: keyword
        description: >
          Alarm Acknowledge Time
      - name: act
        type: keyword
        description: >
          Action
      - name: action
        type: keyword
        description: >
          Status of the session
      - name: activity
        type: keyword
        description: >
          HA activity message
      - name: addr
        type: ip
        description: >
          IP Address
      - name: addr_type
        type: keyword
        description: >
          Address Type
      - name: addrgrp
        type: keyword
        description: >
          Address Group
      - name: adgroup
        type: keyword
        description: >
          AD Group Name
      - name: admin
        type: keyword
        description: >
          Admin User
      - name: age
        type: integer
        description: >
          Time in seconds - time passed since last seen
      - name: agent
        type: keyword
        description: >
          User agent - eg. agent="Mozilla/5.0"
      - name: alarmid
        type: integer
        description: >
          Alarm ID
      - name: alert
        type: keyword
        description: >
          Alert
      - name: analyticscksum
        type: keyword
        description: >
          The checksum of the file submitted for analytics
      - name: analyticssubmit
        type: keyword
        description: >
          The flag for analytics submission
      - name: ap
        type: keyword
        description: >
          Access Point
      - name: app-type
        type: keyword
        description: >
          Address Type
      - name: appact
        type: keyword
        description: >
          The security action from app control
      - name: appid
        type: integer
        description: >
          Application ID
      - name: applist
        type: keyword
        description: >
          Application Control profile
      - name: apprisk
        type: keyword
        description: >
          Application Risk Level
      - name: apscan
        type: keyword
        description: >
          The name of the AP, which scanned and detected the rogue AP
      - name: apsn
        type: keyword
        description: >
          Access Point
      - name: apstatus
        type: keyword
        description: >
          Access Point status
      - name: aptype
        type: keyword
        description: >
          Access Point type
      - name: assigned
        type: ip
        description: >
          Assigned IP Address
      - name: assignip
        type: ip
        description: >
          Assigned IP Address
      - name: attachment
        type: keyword
        description: >
          The flag for email attachment
      - name: attack
        type: keyword
        description: >
          Attack Name
      - name: attackcontext
        type: keyword
        description: >
          The trigger patterns and the packetdata with base64 encoding
      - name: attackcontextid
        type: keyword
        description: >
          Attack context id / total
      - name: attackid
        type: integer
        description: >
          Attack ID
      - name: auditid
        type: long
        description: >
          Audit ID
      - name: auditscore
        type: keyword
        description: >
          The Audit Score
      - name: audittime
        type: long
        description: >
          The time of the audit
      - name: authgrp
        type: keyword
        description: >
          Authorization Group
      - name: authid
        type: keyword
        description: >
          Authentication ID
      - name: authproto
        type: keyword
        description: >
          The protocol that initiated the authentication
      - name: authserver
        type: keyword
        description: >
          Authentication server
      - name: bandwidth
        type: keyword
        description: >
          Bandwidth
      - name: banned_rule
        type: keyword
        description: >
          NAC quarantine Banned Rule Name
      - name: banned_src
        type: keyword
        description: >
          NAC quarantine Banned Source IP
      - name: banword
        type: keyword
        description: >
          Banned word
      - name: botnetdomain
        type: keyword
        description: >
          Botnet Domain Name
      - name: botnetip
        type: ip
        description: >
          Botnet IP Address
      - name: bssid
        type: keyword
        description: >
          Service Set ID
      - name: call_id
        type: keyword
        description: >
          Caller ID
      - name: carrier_ep
        type: keyword
        description: >
          The FortiOS Carrier end-point identification
      - name: cat
        type: integer
        description: >
          DNS category ID
      - name: category
        type: keyword
        description: >
          Authentication category
      - name: cc
        type: keyword
        description: >
          CC Email Address
      - name: cdrcontent
        type: keyword
        description: >
          Cdrcontent
      - name: centralnatid
        type: integer
        description: >
          Central NAT ID
      - name: cert
        type: keyword
        description: >
          Certificate
      - name: cert-type
        type: keyword
        description: >
          Certificate type
      - name: certhash
        type: keyword
        description: >
          Certificate hash
      - name: cfgattr
        type: keyword
        description: >
          Configuration attribute
      - name: cfgobj
        type: keyword
        description: >
          Configuration object
      - name: cfgpath
        type: keyword
        description: >
          Configuration path
      - name: cfgtid
        type: keyword
        description: >
          Configuration transaction ID
      - name: cfgtxpower
        type: integer
        description: >
          Configuration TX power
      - name: channel
        type: integer
        description: >
          Wireless Channel
      - name: channeltype
        type: keyword
        description: >
          SSH channel type
      - name: chassisid
        type: integer
        description: >
          Chassis ID
      - name: checksum
        type: keyword
        description: >
          The checksum of the scanned file
      - name: chgheaders
        type: keyword
        description: >
          HTTP Headers
      - name: cldobjid
        type: keyword
        description: >
          Connector object ID
      - name: client_addr
        type: keyword
        description: >
          Wifi client address
      - name: cloudaction
        type: keyword
        description: >
          Cloud Action
      - name: clouduser
        type: keyword
        description: >
          Cloud User
      - name: column
        type: integer
        description: >
          VOIP Column
      - name: command
        type: keyword
        description: >
          CLI Command
      - name: community
        type: keyword
        description: >
          SNMP Community
      - name: configcountry
        type: keyword
        description: >
          Configuration country
      - name: connection_type
        type: keyword
        description: >
          FortiClient Connection Type
      - name: conserve
        type: keyword
        description: >
          Flag for conserve mode
      - name: constraint
        type: keyword
        description: >
          WAF http protocol restrictions
      - name: contentdisarmed
        type: keyword
        description: >
          Email scanned content
      - name: contenttype
        type: keyword
        description: >
          Content Type from HTTP header
      - name: cookies
        type: keyword
        description: >
          VPN Cookie
      - name: count
        type: integer
        description: >
          Counts of action type
      - name: countapp
        type: integer
        description: >
          Number of App Ctrl logs associated with the session
      - name: countav
        type: integer
        description: >
          Number of AV logs associated with the session
      - name: countcifs
        type: integer
        description: >
          Number of CIFS logs associated with the session
      - name: countdlp
        type: integer
        description: >
          Number of DLP logs associated with the session
      - name: countdns
        type: integer
        description: >
          Number of DNS logs associated with the session
      - name: countemail
        type: integer
        description: >
          Number of email logs associated with the session
      - name: countff
        type: integer
        description: >
          Number of ff logs associated with the session
      - name: countips
        type: integer
        description: >
          Number of IPS logs associated with the session
      - name: countssh
        type: integer
        description: >
          Number of SSH logs associated with the session
      - name: countssl
        type: integer
        description: >
          Number of SSL logs associated with the session
      - name: countwaf
        type: integer
        description: >
          Number of WAF logs associated with the session
      - name: countweb
        type: integer
        description: >
          Number of Web filter logs associated with the session
      - name: cpu
        type: integer
        description: >
          CPU Usage
      - name: craction
        type: integer
        description: >
          Client Reputation Action
      - name: criticalcount
        type: integer
        description: >
          Number of critical ratings
      - name: crl
        type: keyword
        description: >
          Client Reputation Level
      - name: crlevel
        type: keyword
        description: >
          Client Reputation Level
      - name: crscore
        type: integer
        description: >
          Some description
      - name: cveid
        type: keyword
        description: >
          CVE ID
      - name: daemon
        type: keyword
        description: >
          Daemon name
      - name: datarange
        type: keyword
        description: >
          Data range for reports
      - name: date
        type: keyword
        description: >
          Date
      - name: ddnsserver
        type: ip
        description: >
          DDNS server
      - name: desc
        type: keyword
        description: >
          Description
      - name: detectionmethod
        type: keyword
        description: >
          Detection method
      - name: devcategory
        type: keyword
        description: >
          Device category
      - name: devintfname
        type: keyword
        description: >
          HA device Interface Name
      - name: devtype
        type: keyword
        description: >
          Device type
      - name: dhcp_msg
        type: keyword
        description: >
          DHCP Message
      - name: dintf
        type: keyword
        description: >
          Destination interface
      - name: disk
        type: keyword
        description: >
          Associated disk
      - name: disklograte
        type: long
        description: >
          Disk logging rate
      - name: dlpextra
        type: keyword
        description: >
          DLP extra information
      - name: docsource
        type: keyword
        description: >
          DLP fingerprint document source
      - name: domainctrlauthstate
        type: integer
        description: >
          CIFS domain auth state
      - name: domainctrlauthtype
        type: integer
        description: >
          CIFS domain auth type
      - name: domainctrldomain
        type: keyword
        description: >
          CIFS domain auth domain
      - name: domainctrlip
        type: ip
        description: >
          CIFS Domain IP
      - name: domainctrlname
        type: keyword
        description: >
          CIFS Domain name
      - name: domainctrlprotocoltype
        type: integer
        description: >
          CIFS Domain connection protocol
      - name: domainctrlusername
        type: keyword
        description: >
          CIFS Domain username
      - name: domainfilteridx
        type: integer
        description: >
          Domain filter ID
      - name: domainfilterlist
        type: keyword
        description: >
          Domain filter name
      - name: ds
        type: keyword
        description: >
          Direction with distribution system
      - name: dst_int
        type: keyword
        description: >
          Destination interface
      - name: dstintfrole
        type: keyword
        description: >
          Destination interface role
      - name: dstcountry
        type: keyword
        description: >
          Destination country
      - name: dstdevcategory
        type: keyword
        description: >
          Destination device category
      - name: dstdevtype
        type: keyword
        description: >
          Destination device type
      - name: dstfamily
        type: keyword
        description: >
          Destination OS family
      - name: dsthwvendor
        type: keyword
        description: >
          Destination HW vendor
      - name: dsthwversion
        type: keyword
        description: >
          Destination HW version
      - name: dstinetsvc
        type: keyword
        description: >
          Destination interface service
      - name: dstosname
        type: keyword
        description: >
          Destination OS name
      - name: dstosversion
        type: keyword
        description: >
          Destination OS version
      - name: dstserver
        type: integer
        description: >
          Destination server
      - name: dstssid
        type: keyword
        description: >
          Destination SSID
      - name: dstswversion
        type: keyword
        description: >
          Destination software version
      - name: dstunauthusersource
        type: keyword
        description: >
          Destination unauthenticated source
      - name: dstuuid
        type: keyword
        description: >
          UUID of the Destination IP address
      - name: duid
        type: keyword
        description: >
          DHCP UID
      - name: eapolcnt
        type: integer
        description: >
          EAPOL packet count
      - name: eapoltype
        type: keyword
        description: >
          EAPOL packet type
      - name: encrypt
        type: integer
        description: >
          Whether the packet is encrypted or not
      - name: encryption
        type: keyword
        description: >
          Encryption method
      - name: epoch
        type: integer
        description: >
          Epoch used for locating file
      - name: espauth
        type: keyword
        description: >
          ESP Authentication
      - name: esptransform
        type: keyword
        description: >
          ESP Transform
      - name: eventtype
        type: keyword
        description: >
          UTM Event Type
      - name: exch
        type: keyword
        description: >
          Mail Exchanges from DNS response answer section
      - name: exchange
        type: keyword
        description: >
          Mail Exchanges from DNS response answer section
      - name: expectedsignature
        type: keyword
        description: >
          Expected SSL signature
      - name: expiry
        type: keyword
        description: >
          FortiGuard override expiry timestamp
      - name: fams_pause
        type: integer
        description: >
          Fortinet Analysis and Management Service Pause
      - name: fazlograte
        type: long
        description: >
          FortiAnalyzer Logging Rate
      - name: fctemssn
        type: keyword
        description: >
          FortiClient Endpoint SSN
      - name: fctuid
        type: keyword
        description: >
          FortiClient UID
      - name: field
        type: keyword
        description: >
          NTP status field
      - name: filefilter
        type: keyword
        description: >
          The filter used to identify the affected file
      - name: filehashsrc
        type: keyword
        description: >
          Filehash source
      - name: filtercat
        type: keyword
        description: >
          DLP filter category
      - name: filteridx
        type: integer
        description: >
          DLP filter ID
      - name: filtername
        type: keyword
        description: >
          DLP rule name
      - name: filtertype
        type: keyword
        description: >
          DLP filter type
      - name: fortiguardresp
        type: keyword
        description: >
          Antispam ESP value
      - name: forwardedfor
        type: keyword
        description: >
          Email address forwarded
      - name: fqdn
        type: keyword
        description: >
          FQDN
      - name: frametype
        type: keyword
        description: >
          Wireless frametype
      - name: freediskstorage
        type: integer
        description: >
          Free disk integer
      - name: from
        type: keyword
        description: >
          From email address
      - name: from_vcluster
        type: integer
        description: >
          Source virtual cluster number
      - name: fsaverdict
        type: keyword
        description: >
          FSA verdict
      - name: fwserver_name
        type: keyword
        description: >
          Web proxy server name
      - name: gateway
        type: ip
        description: >
          Gateway ip address for PPPoE status report
      - name: green
        type: keyword
        description: >
          Memory status
      - name: groupid
        type: integer
        description: >
          User Group ID
      - name: ha-prio
        type: integer
        description: >
          HA Priority
      - name: ha_group
        type: keyword
        description: >
          HA Group
      - name: ha_role
        type: keyword
        description: >
          HA Role
      - name: handshake
        type: keyword
        description: >
          SSL Handshake
      - name: hash
        type: keyword
        description: >
          Hash value of downloaded file
      - name: hbdn_reason
        type: keyword
        description: >
          Heartbeat down reason
      - name: highcount
        type: integer
        description: >
          Highcount fabric summary
      - name: host
        type: keyword
        description: >
          Hostname
      - name: iaid
        type: keyword
        description: >
          DHCPv6 id
      - name: icmpcode
        type: keyword
        description: >
          Destination Port of the ICMP message
      - name: icmpid
        type: keyword
        description: >
          Source port of the ICMP message
      - name: icmptype
        type: keyword
        description: >
          The type of ICMP message
      - name: identifier
        type: integer
        description: >
          Network traffic identifier
      - name: in_spi
        type: keyword
        description: >
          IPSEC inbound SPI
      - name: incidentserialno
        type: integer
        description: >
          Incident serial number
      - name: infected
        type: integer
        description: >
          Infected MMS
      - name: infectedfilelevel
        type: integer
        description: >
          DLP infected file level
      - name: informationsource
        type: keyword
        description: >
          Information source
      - name: init
        type: keyword
        description: >
          IPSEC init stage
      - name: initiator
        type: keyword
        description: >
          Original login user name for Fortiguard override
      - name: interface
        type: keyword
        description: >
          Related interface
      - name: intf
        type: keyword
        description: >
          Related interface
      - name: invalidmac
        type: keyword
        description: >
          The
MAC address with invalid OUI - name: ip type: ip description: > Related IP - name: iptype type: keyword description: > Related IP type - name: keyword type: keyword description: > Keyword used for search - name: kind type: keyword description: > VOIP kind - name: lanin type: long description: > LAN incoming traffic in bytes - name: lanout type: long description: > LAN outbound traffic in bytes - name: lease type: integer description: > DHCP lease - name: license_limit type: keyword description: > Maximum Number of FortiClients for the License - name: limit type: integer description: > Virtual Domain Resource Limit - name: line type: keyword description: > VOIP line - name: live type: integer description: > Time in seconds - name: local type: ip description: > Local IP for a PPPD Connection - name: log type: keyword description: > Log message - name: login type: keyword description: > SSH login - name: lowcount type: integer description: > Fabric lowcount - name: mac type: keyword description: > DHCP mac address - name: malform_data type: integer description: > VOIP malformed data - name: malform_desc type: keyword description: > VOIP malformed data description - name: manuf type: keyword description: > Manufacturer name - name: masterdstmac type: keyword description: > Master mac address for a host with multiple network interfaces - name: mastersrcmac type: keyword description: > The master MAC address for a host that has multiple network interfaces - name: mediumcount type: integer description: > Fabric medium count - name: mem type: integer description: > Memory usage system statistics - name: meshmode type: keyword description: > Wireless mesh mode - name: message_type type: keyword description: > VOIP message type - name: method type: keyword description: > HTTP method - name: mgmtcnt type: integer description: > The number of unauthorized client flooding managemet frames - name: mode type: keyword description: > IPSEC mode - name: module type: keyword 
description: > PCI-DSS module - name: monitor-name type: keyword description: > Health Monitor Name - name: monitor-type type: keyword description: > Health Monitor Type - name: mpsk type: keyword description: > Wireless MPSK - name: msgproto type: keyword description: > Message Protocol Number - name: mtu type: integer description: > Max Transmission Unit Value - name: name type: keyword description: > Name - name: nat type: keyword description: > NAT IP Address - name: netid type: keyword description: > Connector NetID - name: new_status type: keyword description: > New status on user change - name: new_value type: keyword description: > New Virtual Domain Name - name: newchannel type: integer description: > New Channel Number - name: newchassisid type: integer description: > New Chassis ID - name: newslot type: integer description: > New Slot Number - name: nextstat type: integer description: > Time interval in seconds for the next statistics. - name: nf_type type: keyword description: > Notification Type - name: noise type: integer description: > Wifi Noise - name: old_status type: keyword description: > Original Status - name: old_value type: keyword description: > Original Virtual Domain name - name: oldchannel type: integer description: > Original channel - name: oldchassisid type: integer description: > Original Chassis Number - name: oldslot type: integer description: > Original Slot Number - name: oldsn type: keyword description: > Old Serial number - name: oldwprof type: keyword description: > Old Web Filter Profile - name: onwire type: keyword description: > A flag to indicate if the AP is onwire or not - name: opercountry type: keyword description: > Operating Country - name: opertxpower type: integer description: > Operating TX power - name: osname type: keyword description: > Operating System name - name: osversion type: keyword description: > Operating System version - name: out_spi type: keyword description: > Out SPI - name: outintf type: keyword 
description: > Out interface - name: passedcount type: integer description: > Fabric passed count - name: passwd type: keyword description: > Changed user password information - name: path type: keyword description: > Path of looped configuration for security fabric - name: peer type: keyword description: > WAN optimization peer - name: peer_notif type: keyword description: > VPN peer notification - name: phase2_name type: keyword description: > VPN phase2 name - name: phone type: keyword description: > VOIP Phone - name: pid type: integer description: > Process ID - name: policytype type: keyword description: > Policy Type - name: poolname type: keyword description: > IP Pool name - name: port type: integer description: > Log upload error port - name: portbegin type: integer description: > IP Pool port number to begin - name: portend type: integer description: > IP Pool port number to end - name: probeproto type: keyword description: > Link Monitor Probe Protocol - name: process type: keyword description: > URL Filter process - name: processtime type: integer description: > Process time for reports - name: profile type: keyword description: > Profile Name - name: profile_vd type: keyword description: > Virtual Domain Name - name: profilegroup type: keyword description: > Profile Group Name - name: profiletype type: keyword description: > Profile Type - name: qtypeval type: integer description: > DNS question type value - name: quarskip type: keyword description: > Quarantine skip explanation - name: quotaexceeded type: keyword description: > If quota has been exceeded - name: quotamax type: long description: > Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - name: quotatype type: keyword description: > Quota type - name: quotaused type: long description: > Quota used - in seconds if time-based - in bytes if trafficbased) - name: radioband type: keyword description: > Radio band - name: radioid type: integer description: > Radio ID - 
name: radioidclosest type: integer description: > Radio ID on the AP closest the rogue AP - name: radioiddetected type: integer description: > Radio ID on the AP which detected the rogue AP - name: rate type: keyword description: > Wireless rogue rate value - name: rawdata type: keyword description: > Raw data value - name: rawdataid type: keyword description: > Raw data ID - name: rcvddelta type: keyword description: > Received bytes delta - name: reason type: keyword description: > Alert reason - name: received type: integer description: > Server key exchange received - name: receivedsignature type: keyword description: > Server key exchange received signature - name: red type: keyword description: > Memory information in red - name: referralurl type: keyword description: > Web filter referralurl - name: remote type: ip description: > Remote PPP IP address - name: remotewtptime type: keyword description: > Remote Wifi Radius authentication time - name: reporttype type: keyword description: > Report type - name: reqtype type: keyword description: > Request type - name: request_name type: keyword description: > VOIP request name - name: result type: keyword description: > VPN phase result - name: role type: keyword description: > VPN Phase 2 role - name: rssi type: integer description: > Received signal strength indicator - name: rsso_key type: keyword description: > RADIUS SSO attribute value - name: ruledata type: keyword description: > Rule data - name: ruletype type: keyword description: > Rule type - name: scanned type: integer description: > Number of Scanned MMSs - name: scantime type: long description: > Scanned time - name: scope type: keyword description: > FortiGuard Override Scope - name: security type: keyword description: > Wireless rogue security - name: sensitivity type: keyword description: > Sensitivity for document fingerprint - name: sensor type: keyword description: > NAC Sensor Name - name: sentdelta type: keyword description: > Sent bytes 
delta - name: seq type: keyword description: > Sequence number - name: serial type: keyword description: > WAN optimisation serial - name: serialno type: keyword description: > Serial number - name: server type: keyword description: > AD server FQDN or IP - name: session_id type: keyword description: > Session ID - name: sessionid type: integer description: > WAD Session ID - name: setuprate type: long description: > Session Setup Rate - name: severity type: keyword description: > Severity - name: shaperdroprcvdbyte type: integer description: > Received bytes dropped by shaper - name: shaperdropsentbyte type: integer description: > Sent bytes dropped by shaper - name: shaperperipdropbyte type: integer description: > Dropped bytes per IP by shaper - name: shaperperipname type: keyword description: > Traffic shaper name (per IP) - name: shaperrcvdname type: keyword description: > Traffic shaper name for received traffic - name: shapersentname type: keyword description: > Traffic shaper name for sent traffic - name: shapingpolicyid type: integer description: > Traffic shaper policy ID - name: signal type: integer description: > Wireless rogue API signal - name: size type: long description: > Email size in bytes - name: slot type: integer description: > Slot number - name: sn type: keyword description: > Security fabric serial number - name: snclosest type: keyword description: > SN of the AP closest to the rogue AP - name: sndetected type: keyword description: > SN of the AP which detected the rogue AP - name: snmeshparent type: keyword description: > SN of the mesh parent - name: spi type: keyword description: > IPSEC SPI - name: src_int type: keyword description: > Source interface - name: srcintfrole type: keyword description: > Source interface role - name: srccountry type: keyword description: > Source country - name: srcfamily type: keyword description: > Source family - name: srchwvendor type: keyword description: > Source hardware vendor - name: srchwversion 
type: keyword description: > Source hardware version - name: srcinetsvc type: keyword description: > Source interface service - name: srcname type: keyword description: > Source name - name: srcserver type: integer description: > Source server - name: srcssid type: keyword description: > Source SSID - name: srcswversion type: keyword description: > Source software version - name: srcuuid type: keyword description: > Source UUID - name: sscname type: keyword description: > SSC name - name: ssid type: keyword description: > Base Service Set ID - name: sslaction type: keyword description: > SSL Action - name: ssllocal type: keyword description: > WAD SSL local - name: sslremote type: keyword description: > WAD SSL remote - name: stacount type: integer description: > Number of stations/clients - name: stage type: keyword description: > IPSEC stage - name: stamac type: keyword description: > 802.1x station mac - name: state type: keyword description: > Admin login state - name: status type: keyword description: > Status - name: stitch type: keyword description: > Automation stitch triggered - name: subject type: keyword description: > Email subject - name: submodule type: keyword description: > Configuration Sub-Module Name - name: subservice type: keyword description: > AV subservice - name: subtype type: keyword description: > Log subtype - name: suspicious type: integer description: > Number of Suspicious MMSs - name: switchproto type: keyword description: > Protocol change information - name: sync_status type: keyword description: > The sync status with the master - name: sync_type type: keyword description: > The sync type with the master - name: sysuptime type: keyword description: > System uptime - name: tamac type: keyword description: > the MAC address of Transmitter, if none, then Receiver - name: threattype type: keyword description: > WIDS threat type - name: time type: keyword description: > Time of the event - name: to type: keyword description: > Email to 
field - name: to_vcluster type: integer description: > destination virtual cluster number - name: total type: integer description: > Total memory - name: totalsession type: integer description: > Total Number of Sessions - name: trace_id type: keyword description: > Session clash trace ID - name: trandisp type: keyword description: > NAT translation type - name: transid type: integer description: > HTTP transaction ID - name: translationid type: keyword description: > DNS filter transaltion ID - name: trigger type: keyword description: > Automation stitch trigger - name: trueclntip type: ip description: > File filter true client IP - name: tunnelid type: integer description: > IPSEC tunnel ID - name: tunnelip type: ip description: > IPSEC tunnel IP - name: tunneltype type: keyword description: > IPSEC tunnel type - name: type type: keyword description: > Module type - name: ui type: keyword description: > Admin authentication UI type - name: unauthusersource type: keyword description: > Unauthenticated user source - name: unit type: integer description: > Power supply unit - name: urlfilteridx type: integer description: > URL filter ID - name: urlfilterlist type: keyword description: > URL filter list - name: urlsource type: keyword description: > URL filter source - name: urltype type: keyword description: > URL filter type - name: used type: integer description: > Number of Used IPs - name: used_for_type type: integer description: > Connection for the type - name: utmaction type: keyword description: > Security action performed by UTM - name: utmref type: keyword description: > Reference to UTM - name: vap type: keyword description: > Virtual AP - name: vapmode type: keyword description: > Virtual AP mode - name: vcluster type: integer description: > virtual cluster id - name: vcluster_member type: integer description: > Virtual cluster member - name: vcluster_state type: keyword description: > Virtual cluster state - name: vd type: keyword description: > Virtual 
Domain Name - name: vdname type: keyword description: > Virtual Domain Name - name: vendorurl type: keyword description: > Vulnerability scan vendor name - name: version type: keyword description: > Version - name: vip type: keyword description: > Virtual IP - name: virus type: keyword description: > Virus name - name: virusid type: integer description: > Virus ID (unique virus identifier) - name: voip_proto type: keyword description: > VOIP protocol - name: vpn type: keyword description: > VPN description - name: vpntunnel type: keyword description: > IPsec Vpn Tunnel Name - name: vpntype type: keyword description: > The type of the VPN tunnel - name: vrf type: integer description: > VRF number - name: vulncat type: keyword description: > Vulnerability Category - name: vulnid type: integer description: > Vulnerability ID - name: vulnname type: keyword description: > Vulnerability name - name: vwlid type: integer description: > VWL ID - name: vwlquality type: keyword description: > VWL quality - name: vwlservice type: keyword description: > VWL service - name: vwpvlanid type: integer description: > VWP VLAN ID - name: wanin type: long description: > WAN incoming traffic in bytes - name: wanoptapptype type: keyword description: > WAN Optimization Application type - name: wanout type: long description: > WAN outgoing traffic in bytes - name: weakwepiv type: keyword description: > Weak Wep Initiation Vector - name: xauthgroup type: keyword description: > XAuth Group Name - name: xauthuser type: keyword description: > XAuth User Name - name: xid type: integer description: > Wireless X ID - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. 
    - name: rsa
      overwrite: true
      type: group
      default_field: false
      fields:
        - name: internal
          overwrite: true
          type: group
          fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the Log Decoder.
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages.
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the classification of the log event source under a predefined fixed set of event source classifications. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the hostname of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 based on the configuration.
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 based on the configuration.
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique identifier of a Log Collector. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte for the request side is simply which byte value (0 through 255) was seen the most in that stream.
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte for the response side is simply which byte value (0 through 255) was seen the most in that stream.
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the request stream.
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the response stream.
            - name: medium
              overwrite: true
              type: long
              description: This key is used to identify whether this is a log or packet session, or the Layer 2 encapsulation type. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness. 32 = log, 33 = correlation session, less than 32 = packet session.
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related.
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any meta key validation error found while parsing a log session. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the remote session created by the NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAP that can be imported into NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; it is a reserved key in NetWitness.
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in the request stream. 256 would mean all byte values from 0 through 255 were seen at least once.
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in the response stream. 256 would mean all byte values from 0 through 255 were seen at least once.
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log.
        - name: time
          overwrite: true
          type: group
          fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form.
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete time mentioned in a session, as a string.
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the start time mentioned in a session in a standard form.
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the end time mentioned in a session in a standard form.
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the event time.
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration.
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event, in a standard timestamp format.
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time.
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
      - name: icmp_code
        overwrite: true
        type: long
        description: This key is used to capture the ICMP code only
      - name: protocol_detail
        overwrite: true
        type: keyword
        description: This key should be used to capture additional protocol information
      - name: dmask
        overwrite: true
        type: keyword
        description: This key is used for Destination Device network mask
      - name: port
        overwrite: true
        type: long
        description: This key should only be used to capture a Network Port when the directionality is not clear
      - name: smask
        overwrite: true
        type: keyword
        description: This key is used for capturing source Network Mask
      - name: netname
        overwrite: true
        type: keyword
        description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
      - name: paddr
        overwrite: true
        type: ip
        description: Deprecated
      - name: faddr
        overwrite: true
        type: keyword
      - name: lhost
        overwrite: true
        type: keyword
      - name: origin
        overwrite: true
        type: keyword
      - name: remote_domain_id
        overwrite: true
        type: keyword
      - name: addr
        overwrite: true
        type: keyword
      - name: dns_a_record
        overwrite: true
        type: keyword
      - name: dns_ptr_record
        overwrite: true
        type: keyword
      - name: fhost
        overwrite: true
        type: keyword
      - name: fport
        overwrite: true
        type: keyword
      - name: laddr
        overwrite: true
        type: keyword
      - name: linterface
        overwrite: true
        type: keyword
      - name: phost
        overwrite: true
        type: keyword
      - name: ad_computer_dst
        overwrite: true
        type: keyword
        description: Deprecated, use host.dst
      - name: eth_type
        overwrite: true
        type: long
        description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
      - name: ip_proto
        overwrite: true
        type: long
        description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
      - name: dns_cname_record
        overwrite: true
        type: keyword
      - name: dns_id
        overwrite: true
        type: keyword
      - name: dns_opcode
        overwrite: true
        type: keyword
      - name: dns_resp
        overwrite: true
        type: keyword
      - name: dns_type
        overwrite: true
        type: keyword
      - name: domain1
        overwrite: true
        type: keyword
      - name: host_type
        overwrite: true
        type: keyword
      - name: packet_length
        overwrite: true
        type: keyword
      - name: host_orig
        overwrite: true
        type: keyword
        description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
      - name: rpayload
        overwrite: true
        type: keyword
        description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
      - name: vlan_name
        overwrite: true
        type: keyword
        description: This key should only be used to capture the name of the Virtual LAN
    - name: investigations
      overwrite: true
      type: group
      fields:
      - name: ec_activity
        overwrite: true
        type: keyword
        description: This key captures the particular event activity(Ex:Logoff)
      - name: ec_theme
        overwrite: true
        type: keyword
        description: This key captures the Theme of a particular Event(Ex:Authentication)
      - name: ec_subject
        overwrite: true
        type: keyword
        description: This key captures the Subject of a particular Event(Ex:User)
      - name: ec_outcome
        overwrite: true
        type: keyword
        description: This key captures the outcome of a particular Event(Ex:Success)
      - name: event_cat
        overwrite: true
        type: long
        description: This key captures the Event category number
      - name: event_cat_name
        overwrite: true
        type: keyword
        description: This key captures the event category name corresponding to the event cat code
      - name: event_vcat
        overwrite: true
        type: keyword
        description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
      - name: analysis_file
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
      - name: analysis_service
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
      - name: analysis_session
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
      - name: boc
        overwrite: true
        type: keyword
        description: This is used to capture behaviour of compromise
      - name: eoc
        overwrite: true
        type: keyword
        description: This is used to capture Enablers of Compromise
      - name: inv_category
        overwrite: true
        type: keyword
        description: This is used to capture investigation category
      - name: inv_context
        overwrite: true
        type: keyword
        description: This is used to capture investigation context
      - name: ioc
        overwrite: true
        type: keyword
        description: This key captures indicator of compromise
    - name: counters
      overwrite: true
      type: group
      fields:
      - name: dclass_c1
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c1.str only
      - name: dclass_c2
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c2.str only
      - name: event_counter
        overwrite: true
        type: long
        description: This is used to capture the number of times an event repeated
      - name: dclass_r1
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r1.str only
      - name: dclass_c3
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c3.str only
      - name: dclass_c1_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c1 only
      - name: dclass_c2_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c2 only
      - name: dclass_r1_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r1 only
      - name: dclass_r2
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r2.str only
      - name: dclass_c3_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c3 only
      - name: dclass_r3
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r3.str only
      - name: dclass_r2_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r2 only
      - name: dclass_r3_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r3 only
    - name: identity
      overwrite: true
      type: group
      fields:
      - name: auth_method
        overwrite: true
        type: keyword
        description: This key is used to capture authentication methods used only
      - name: user_role
        overwrite: true
        type: keyword
        description: This key is used to capture the Role of a user only
      - name: dn
        overwrite: true
        type: keyword
        description: X.500 (LDAP) Distinguished Name
      - name: logon_type
        overwrite: true
        type: keyword
        description: This key is used to capture the type of logon method used.
      - name: profile
        overwrite: true
        type: keyword
        description: This key is used to capture the user profile
      - name: accesses
        overwrite: true
        type: keyword
        description: This key is used to capture actual privileges used in accessing an object
      - name: realm
        overwrite: true
        type: keyword
        description: Radius realm or similar grouping of accounts
      - name: user_sid_dst
        overwrite: true
        type: keyword
        description: This key captures Destination User Session ID
      - name: dn_src
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
      - name: org
        overwrite: true
        type: keyword
        description: This key captures the User organization
      - name: dn_dst
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
      - name: firstname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: lastname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: user_dept
        overwrite: true
        type: keyword
        description: User's Department Names only
      - name: user_sid_src
        overwrite: true
        type: keyword
        description: This key captures Source User Session ID
      - name: federated_sp
        overwrite: true
        type: keyword
        description: This key is the Federated Service Provider. This is the application requesting authentication.
      - name: federated_idp
        overwrite: true
        type: keyword
        description: This key is the federated Identity Provider. This is the server providing the authentication.
      - name: logon_type_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
      - name: middlename
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
      - name: password
        overwrite: true
        type: keyword
        description: This key is for Passwords seen in any session, plain text or encrypted
      - name: host_role
        overwrite: true
        type: keyword
        description: This key should only be used to capture the role of a Host Machine
      - name: ldap
        overwrite: true
        type: keyword
        description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
      - name: ldap_query
        overwrite: true
        type: keyword
        description: This key is the Search criteria from an LDAP search
      - name: ldap_response
        overwrite: true
        type: keyword
        description: This key is to capture Results from an LDAP search
      - name: owner
        overwrite: true
        type: keyword
        description: This is used to capture username the process or service is running as, the author of the task
      - name: service_account
        overwrite: true
        type: keyword
        description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
    - name: email
      overwrite: true
      type: group
      fields:
      - name: email_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the Destination email address only, when the destination context is not clear use email
      - name: email_src
        overwrite: true
        type: keyword
        description: This key is used to capture the source email address only, when the source context is not clear use email
      - name: subject
        overwrite: true
        type: keyword
        description: This key is used to capture the subject string from an Email only.
      - name: email
        overwrite: true
        type: keyword
        description: This key is used to capture a generic email address where the source or destination context is not clear
      - name: trans_from
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: trans_to
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
    - name: file
      overwrite: true
      type: group
      fields:
      - name: privilege
        overwrite: true
        type: keyword
        description: Deprecated, use permissions
      - name: attachment
        overwrite: true
        type: keyword
        description: This key captures the attachment file name
      - name: filesystem
        overwrite: true
        type: keyword
      - name: binary
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: filename_dst
        overwrite: true
        type: keyword
        description: This is used to capture name of the file targeted by the action
      - name: filename_src
        overwrite: true
        type: keyword
        description: This is used to capture name of the parent filename, the file which performed the action
      - name: filename_tmp
        overwrite: true
        type: keyword
      - name: directory_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the target process or file
      - name: directory_src
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the source process or file
      - name: file_entropy
        overwrite: true
        type: double
        description: This is used to capture entropy value of a file
      - name: file_vendor
        overwrite: true
        type: keyword
        description: This is used to capture Company name of file located in version_info
      - name: task_name
        overwrite: true
        type: keyword
        description: This is used to capture name of the task
    - name: web
      overwrite: true
      type: group
      fields:
      - name: fqdn
        overwrite: true
        type: keyword
        description: Fully Qualified Domain Names
      - name: web_cookie
        overwrite: true
        type: keyword
        description: This key is used to capture the Web cookies specifically.
      - name: alias_host
        overwrite: true
        type: keyword
      - name: reputation_num
        overwrite: true
        type: double
        description: Reputation Number of an entity. Typically used for Web Domains
      - name: web_ref_domain
        overwrite: true
        type: keyword
        description: Web referer's domain
      - name: web_ref_query
        overwrite: true
        type: keyword
        description: This key captures Web referer's query portion of the URL
      - name: remote_domain
        overwrite: true
        type: keyword
      - name: web_ref_page
        overwrite: true
        type: keyword
        description: This key captures Web referer's page information
      - name: web_ref_root
        overwrite: true
        type: keyword
        description: Web referer's root URL path
      - name: cn_asn_dst
        overwrite: true
        type: keyword
      - name: cn_rpackets
        overwrite: true
        type: keyword
      - name: urlpage
        overwrite: true
        type: keyword
      - name: urlroot
        overwrite: true
        type: keyword
      - name: p_url
        overwrite: true
        type: keyword
      - name: p_user_agent
        overwrite: true
        type: keyword
      - name: p_web_cookie
        overwrite: true
        type: keyword
      - name: p_web_method
        overwrite: true
        type: keyword
      - name: p_web_referer
        overwrite: true
        type: keyword
      - name: web_extension_tmp
        overwrite: true
        type: keyword
      - name: web_page
        overwrite: true
        type: keyword
    - name: threat
      overwrite: true
      type: group
      fields:
      - name: threat_category
        overwrite: true
        type: keyword
        description: This key captures Threat Name/Threat Category/Categorization of alert
      - name: threat_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the threat description from the session directly or inferred
      - name: alert
        overwrite: true
        type: keyword
        description: This key is used to capture name of the alert
      - name: threat_source
        overwrite: true
        type: keyword
        description: This key is used to capture source of the threat
    - name: crypto
      overwrite: true
      type: group
      fields:
      - name: crypto
        overwrite: true
        type: keyword
        description: This key is used to capture the Encryption Type or Encryption Key only
      - name: cipher_src
        overwrite: true
        type: keyword
        description: This key is for Source (Client) Cipher
      - name: cert_subject
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate organization only
      - name: peer
        overwrite: true
        type: keyword
        description: This key is for Encryption peer's IP Address
      - name: cipher_size_src
        overwrite: true
        type: long
        description: This key captures Source (Client) Cipher Size
      - name: ike
        overwrite: true
        type: keyword
        description: IKE negotiation phase.
      - name: scheme
        overwrite: true
        type: keyword
        description: This key captures the Encryption scheme used
      - name: peer_id
        overwrite: true
        type: keyword
        description: "This key is for Encryption peer\u2019s identity"
      - name: sig_type
        overwrite: true
        type: keyword
        description: This key captures the Signature Type
      - name: cert_issuer
        overwrite: true
        type: keyword
      - name: cert_host_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: cert_error
        overwrite: true
        type: keyword
        description: This key captures the Certificate Error String
      - name: cipher_dst
        overwrite: true
        type: keyword
        description: This key is for Destination (Server) Cipher
      - name: cipher_size_dst
        overwrite: true
        type: long
        description: This key captures Destination (Server) Cipher Size
      - name: ssl_ver_src
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: d_certauth
        overwrite: true
        type: keyword
      - name: s_certauth
        overwrite: true
        type: keyword
      - name: ike_cookie1
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
      - name: ike_cookie2
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
      - name: cert_checksum
        overwrite: true
        type: keyword
      - name: cert_host_cat
        overwrite: true
        type: keyword
        description: This key is used for the hostname category value of a certificate
      - name: cert_serial
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate serial number only
      - name: cert_status
        overwrite: true
        type: keyword
        description: This key captures Certificate validation status
      - name: ssl_ver_dst
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: cert_keysize
        overwrite: true
        type: keyword
      - name: cert_username
        overwrite: true
        type: keyword
      - name: https_insact
        overwrite: true
        type: keyword
      - name: https_valid
        overwrite: true
        type: keyword
      - name: cert_ca
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate signing authority only
      - name: cert_common
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate common name only
    - name: wireless
      overwrite: true
      type: group
      fields:
      - name: wlan_ssid
        overwrite: true
        type: keyword
        description: This key is used to capture the ssid of a Wireless Session
      - name: access_point
        overwrite: true
        type: keyword
        description: This key is used to capture the access point name.
      - name: wlan_channel
        overwrite: true
        type: long
        description: This is used to capture the channel names
      - name: wlan_name
        overwrite: true
        type: keyword
        description: This key captures either WLAN number/name
    - name: storage
      overwrite: true
      type: group
      fields:
      - name: disk_volume
        overwrite: true
        type: keyword
        description: A unique name assigned to logical units (volumes) within a physical disk
      - name: lun
        overwrite: true
        type: keyword
        description: Logical Unit Number. This key is a very useful concept in Storage.
      - name: pwwn
        overwrite: true
        type: keyword
        description: This uniquely identifies a port on a HBA.
    - name: physical
      overwrite: true
      type: group
      fields:
      - name: org_dst
        overwrite: true
        type: keyword
        description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
      - name: org_src
        overwrite: true
        type: keyword
        description: This is used to capture the source organization based on the GEOPIP Maxmind database.
    - name: healthcare
      overwrite: true
      type: group
      fields:
      - name: patient_fname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_id
        overwrite: true
        type: keyword
        description: This key captures the unique ID for a patient
      - name: patient_lname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_mname
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
    - name: endpoint
      overwrite: true
      type: group
      fields:
      - name: host_state
        overwrite: true
        type: keyword
        description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
      - name: registry_key
        overwrite: true
        type: keyword
        description: This key captures the path to the registry key
      - name: registry_value
        overwrite: true
        type: keyword
        description: This key captures values or decorators used within a registry entry
  - name: network.interface.name
    overwrite: true
    type: keyword
    default_field: false
    description: >
      Name of the network interface where the traffic has been observed.
  - name: rsa
    overwrite: true
    type: group
    default_field: false
    fields:
    - name: internal
      overwrite: true
      type: group
      fields:
      - name: msg
        overwrite: true
        type: keyword
        description: This key is used to capture the raw message that comes into the Log Decoder
      - name: messageid
        overwrite: true
        type: keyword
      - name: event_desc
        overwrite: true
        type: keyword
      - name: message
        overwrite: true
        type: keyword
        description: This key captures the contents of instant messages
      - name: time
        overwrite: true
        type: date
        description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
      - name: level
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: msg_id
        overwrite: true
        type: keyword
        description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: msg_vid
        overwrite: true
        type: keyword
        description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: data
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_server
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_val
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: resource
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: dead
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: feed_desc
        overwrite: true
        type: keyword
        description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: feed_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: cid
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_class
        overwrite: true
        type: keyword
        description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_group
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_host
        overwrite: true
        type: keyword
        description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ip
        overwrite: true
        type: ip
        description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ipv6
        overwrite: true
        type: ip
        description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type
        overwrite: true
        type: keyword
        description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type_id
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: did
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: entropy_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: entropy_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: event_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: feed_category
        overwrite: true
        type: keyword
        description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: forward_ip
        overwrite: true
        type: ip
        description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
      - name: forward_ipv6
        overwrite: true
        type: ip
        description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: header_id
        overwrite: true
        type: keyword
        description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_cid
        overwrite: true
        type: keyword
        description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_ctime
        overwrite: true
        type: date
        description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: mcb_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
      - name: mcb_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
      - name: mcbc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: mcbc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: medium
        overwrite: true
        type: long
        description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
      - name: node_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: nwe_callback_id
        overwrite: true
        type: keyword
        description: This key denotes that event is endpoint related
      - name: parse_error
        overwrite: true
        type: keyword
        description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: payload_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: payload_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: process_vid_dst
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
      - name: process_vid_src
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
      - name: rid
        overwrite: true
        type: long
        description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: session_split
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: site
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: size
        overwrite: true
        type: long
        description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: sourcefile
        overwrite: true
        type: keyword
        description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: ubc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: ubc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: word
        overwrite: true
        type: keyword
        description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
    - name: time
      overwrite: true
      type: group
      fields:
      - name: event_time
        overwrite: true
        type: date
        description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
      - name: duration_time
        overwrite: true
        type: double
        description: This key is used to capture the normalized duration/lifetime in seconds.
      - name: event_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture the incomplete time mentioned in a session as a string
      - name: starttime
        overwrite: true
        type: date
        description: This key is used to capture the Start time mentioned in a session in a standard form
      - name: month
        overwrite: true
        type: keyword
      - name: day
        overwrite: true
        type: keyword
      - name: endtime
        overwrite: true
        type: date
        description: This key is used to capture the End time mentioned in a session in a standard form
      - name: timezone
        overwrite: true
        type: keyword
        description: This key is used to capture the timezone of the Event Time
      - name: duration_str
        overwrite: true
        type: keyword
        description: A text string version of the duration
      - name: date
        overwrite: true
        type: keyword
      - name: year
        overwrite: true
        type: keyword
      - name: recorded_time
        overwrite: true
        type: date
        description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
      - name: datetime
        overwrite: true
        type: keyword
      - name: effective_time
        overwrite: true
        type: date
        description: This key is the effective time referenced by an individual event in a Standard Timestamp format
      - name: expire_time
        overwrite: true
        type: date
        description: This key is the timestamp that explicitly refers to an expiration.
      - name: process_time
        overwrite: true
        type: keyword
        description: Deprecated, use duration.time
      - name: hour
        overwrite: true
        type: keyword
      - name: min
        overwrite: true
        type: keyword
      - name: timestamp
        overwrite: true
        type: keyword
      - name: event_queue_time
        overwrite: true
        type: date
        description: This key is the Time that the event was queued.
      - name: p_time1
        overwrite: true
        type: keyword
      - name: tzone
        overwrite: true
        type: keyword
      - name: eventtime
        overwrite: true
        type: keyword
      - name: gmtdate
        overwrite: true
        type: keyword
      - name: gmttime
        overwrite: true
        type: keyword
      - name: p_date
        overwrite: true
        type: keyword
      - name: p_month
        overwrite: true
        type: keyword
      - name: p_time
        overwrite: true
        type: keyword
      - name: p_time2
        overwrite: true
        type: keyword
      - name: p_year
        overwrite: true
        type: keyword
      - name: expire_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
      - name: stamp
        overwrite: true
        type: date
        description: Deprecated key defined only in table map.
    - name: misc
      overwrite: true
      type: group
      fields:
      - name: action
        overwrite: true
        type: keyword
      - name: result
        overwrite: true
        type: keyword
        description: This key is used to capture the outcome/result string value of an action in a session.
      - name: severity
        overwrite: true
        type: keyword
        description: This key is used to capture the severity given the session
      - name: event_type
        overwrite: true
        type: keyword
        description: This key captures the event category type as specified by the event source.
      - name: reference_id
        overwrite: true
        type: keyword
        description: This key is used to capture an event id from the session directly
      - name: version
        overwrite: true
        type: keyword
        description: This key captures Version of the application or OS which is generating the event.
      - name: disposition
        overwrite: true
        type: keyword
        description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that’s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that’s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that’s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application, etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that’s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it’s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it’s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it’s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it’s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it’s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual LAN
        - name: investigations
          overwrite: true
          type: group
          fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
        - name: counters
          overwrite: true
          type: group
          fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r3 only
        - name: identity
          overwrite: true
          type: group
          fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
        - name: email
          overwrite: true
          type: group
          fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only, when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
        - name: file
          overwrite: true
          type: group
          fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent filename, the file which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file as located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
        - name: web
          overwrite: true
          type: group
          fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures the Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures the Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
        - name: threat
          overwrite: true
          type: group
          fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
        - name: crypto
          overwrite: true
          type: group
          fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP Maxmind database.
        - name: healthcare
          overwrite: true
          type: group
          fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
        - name: endpoint
          overwrite: true
          type: group
          fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: gcp
  title: Google Cloud Platform (GCP)
  description: >
    Module for handling logs from Google Cloud.
  fields:
    - name: gcp
      type: group
      description: >
        Fields from Google Cloud logs.
      fields:
        - name: destination.instance
          type: group
          description: >
            If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details.
            In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.
            - name: region
              type: keyword
              description: >
                Region of the VM.
            - name: zone
              type: keyword
              description: >
                Zone of the VM.
        - name: destination.vpc
          type: group
          description: >
            If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details.
            In a Shared VPC configuration, project_id corresponds to that of the host project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.
            - name: vpc_name
              type: keyword
              description: >
                VPC on which the VM is operating.
            - name: subnetwork_name
              type: keyword
              description: >
                Subnetwork on which the VM is operating.
        - name: source.instance
          type: group
          description: >
            If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details.
            In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.
            - name: region
              type: keyword
              description: >
                Region of the VM.
            - name: zone
              type: keyword
              description: >
                Zone of the VM.
        - name: source.vpc
          type: group
          description: >
            If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details.
            In a Shared VPC configuration, project_id corresponds to that of the host project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.
            - name: vpc_name
              type: keyword
              description: >
                VPC on which the VM is operating.
            - name: subnetwork_name
              type: keyword
              description: >
                Subnetwork on which the VM is operating.
        - name: audit
          type: group
          description: >
            Fields for Google Cloud audit logs.
          fields:
            - name: type
              type: keyword
              description: >
                Type property.
            - name: authentication_info
              type: group
              description: >
                Authentication information.
              fields:
                - name: principal_email
                  type: keyword
                  description: >
                    The email address of the authenticated user making the request.
                - name: authority_selector
                  type: keyword
                  description: >
                    The authority selector specified by the requestor, if any.
                    It is not guaranteed that the principal was allowed to use this authority.
            - name: authorization_info
              type: array
              description: >
                Authorization information for the operation.
              fields:
                - name: permission
                  type: keyword
                  description: >
                    The required IAM permission.
                - name: granted
                  type: boolean
                  description: >
                    Whether or not authorization for resource and permission was granted.
                - name: resource_attributes
                  type: group
                  description: >
                    The attributes of the resource.
                  fields:
                    - name: service
                      type: keyword
                      description: >
                        The name of the service.
                    - name: name
                      type: keyword
                      description: >
                        The name of the resource.
                    - name: type
                      type: keyword
                      description: >
                        The type of the resource.
            - name: method_name
              type: keyword
              description: >
                The name of the service method or operation. For API calls, this should be the name of the API method.
                For example, 'google.datastore.v1.Datastore.RunQuery'.
            - name: num_response_items
              type: long
              description: >
                The number of items returned from a List or Query API method, if applicable.
            - name: request
              type: group
              description: >
                The operation request.
              fields:
                - name: proto_name
                  type: keyword
                  description: >
                    Type property of the request.
                - name: filter
                  type: keyword
                  description: >
                    Filter of the request.
                - name: name
                  type: keyword
                  description: >
                    Name of the request.
                - name: resource_name
                  type: keyword
                  description: >
                    Name of the request resource.
            - name: request_metadata
              type: group
              description: >
                Metadata about the request.
              fields:
                - name: caller_ip
                  type: ip
                  description: >
                    The IP address of the caller.
                - name: caller_supplied_user_agent
                  type: keyword
                  description: >
                    The user agent of the caller. This information is not authenticated and should be treated accordingly.
            - name: response
              type: group
              description: >
                The operation response.
              fields:
                - name: proto_name
                  type: keyword
                  description: >
                    Type property of the response.
                - name: details
                  type: group
                  description: >
                    The details of the response.
                  fields:
                    - name: group
                      type: keyword
                      description: >
                        The name of the group.
                    - name: kind
                      type: keyword
                      description: >
                        The kind of the response details.
                    - name: name
                      type: keyword
                      description: >
                        The name of the response details.
                    - name: uid
                      type: keyword
                      description: >
                        The uid of the response details.
                - name: status
                  type: keyword
                  description: >
                    Status of the response.
            - name: resource_name
              type: keyword
              description: >
                The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.
                For example, 'shelves/SHELF_ID/books'.
            - name: resource_location
              type: group
              description: >
                The location of the resource.
              fields:
                - name: current_locations
                  type: keyword
                  description: >
                    Current locations of the resource.
            - name: service_name
              type: keyword
              description: >
                The name of the API service performing the operation. For example, datastore.googleapis.com.
            - name: status
              type: group
              description: >
                The status of the overall operation.
              fields:
                - name: code
                  type: integer
                  description: >
                    The status code, which should be an enum value of google.rpc.Code.
                - name: message
                  type: keyword
                  description: >
                    A developer-facing error message, which should be in English. Any user-facing error message should be localized
                    and sent in the google.rpc.Status.details field, or localized by the client.
        - name: firewall
          type: group
          description: >
            Fields for Google Cloud Firewall logs.
          fields:
            - name: rule_details
              type: group
              description: >
                Description of the firewall rule that matched this connection.
              fields:
                - name: priority
                  type: long
                  description: The priority for the firewall rule.
                - name: action
                  type: keyword
                  description: Action that the rule performs on match.
                - name: direction
                  type: keyword
                  description: Direction of traffic that matches this rule.
                - name: reference
                  type: keyword
                  description: Reference to the firewall rule.
                - name: source_range
                  type: keyword
                  description: List of source ranges that the firewall rule applies to.
                - name: destination_range
                  type: keyword
                  description: List of destination ranges that the firewall applies to.
                - name: source_tag
                  type: keyword
                  description: >
                    List of all the source tags that the firewall rule applies to.
                - name: target_tag
                  type: keyword
                  description: >
                    List of all the target tags that the firewall rule applies to.
                - name: ip_port_info
                  type: array
                  description: >
                    List of ip protocols and applicable port ranges for rules.
                - name: source_service_account
                  type: keyword
                  description: >
                    List of all the source service accounts that the firewall rule applies to.
                - name: target_service_account
                  type: keyword
                  description: >
                    List of all the target service accounts that the firewall rule applies to.
        - name: vpcflow
          type: group
          description: >
            Fields for Google Cloud VPC flow logs.
          fields:
            - name: reporter
              type: keyword
              description: >
                The side which reported the flow. Can be either 'SRC' or 'DEST'.
            - name: rtt.ms
              type: long
              description: >
                Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ
                and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
- key: google_workspace
  title: "google_workspace"
  description: >
    Google Workspace Module
  fields:
    - name: google_workspace
      default_field: false
      type: group
      description: >
        Google Workspace specific fields.
        More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
      fields:
        - name: actor.type
          type: keyword
          description: >
            The type of actor. Values can be:
            *USER*: Another user in the same domain.
            *EXTERNAL_USER*: A user outside the domain.
            *KEY*: A non-human actor.
        - name: actor.key
          type: keyword
          description: >
            Only present when `actor.type` is `KEY`.
            Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
        - name: event.type
          type: keyword
          description: >
            The type of Google Workspace event, mapped from `items[].events[].type` in the original payload.
            Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
          example: audit#activity
        - name: kind
          type: keyword
          description: >
            The type of API resource, mapped from `kind` in the original payload.
            More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
          example: audit#activity
        - name: organization.domain
          type: keyword
          description: >
            The domain that is affected by the report's event.
        - name: admin
          type: group
          fields:
            - name: application.edition
              type: keyword
              description: The Google Workspace edition.
            - name: application.name
              type: keyword
              description: The application's name.
            - name: application.enabled
              type: keyword
              description: The enabled application.
            - name: application.licences_order_number
              type: keyword
              description: Order number used to redeem licenses.
            - name: application.licences_purchased
              type: keyword
              description: Number of licences purchased.
            - name: application.id
              type: keyword
              description: The application ID.
            - name: application.asp_id
              type: keyword
              description: The application specific password ID.
            - name: application.package_id
              type: keyword
              description: The mobile application package ID.
            - name: group.email
              type: keyword
              description: The group's primary email address.
            - name: new_value
              type: keyword
              description: The new value for the setting.
            - name: old_value
              type: keyword
              description: The old value for the setting.
            - name: org_unit.name
              type: keyword
              description: The organizational unit name.
            - name: org_unit.full
              type: keyword
              description: The org unit full path including the root org unit name.
            - name: setting.name
              type: keyword
              description: The setting name.
            - name: user_defined_setting.name
              type: keyword
              description: The name of the user-defined setting.
            - name: setting.description
              type: keyword
              description: The setting name.
            - name: group.priorities
              type: keyword
              description: Group priorities.
            - name: domain.alias
              type: keyword
              description: The domain alias.
            - name: domain.name
              type: keyword
              description: The primary domain name.
            - name: domain.secondary_name
              type: keyword
              description: The secondary domain name.
            - name: managed_configuration
              type: keyword
              description: The name of the managed configuration.
            - name: non_featured_services_selection
              type: keyword
              description: >
                Non-featured services selection.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
            - name: field
              type: keyword
              description: The name of the field.
            - name: resource.id
              type: keyword
              description: The name of the resource identifier.
            - name: user.email
              type: keyword
              description: The user's primary email address.
            - name: user.nickname
              type: keyword
              description: The user's nickname.
            - name: user.birthdate
              type: date
              description: The user's birth date.
            - name: gateway.name
              type: keyword
              description: Gateway name. Present on some chat settings.
            - name: chrome_os.session_type
              type: keyword
              description: Chrome OS session type.
            - name: device.serial_number
              type: keyword
              description: Device serial number.
            - name: device.id
              type: keyword
            - name: device.type
              type: keyword
              description: Device type.
            - name: print_server.name
              type: keyword
              description: The name of the print server.
            - name: printer.name
              type: keyword
              description: The name of the printer.
            - name: device.command_details
              type: keyword
              description: Command details.
            - name: role.id
              type: keyword
              description: Unique identifier for this role privilege.
            - name: role.name
              type: keyword
              description: >
                The role name.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
            - name: privilege.name
              type: keyword
              description: Privilege name.
            - name: service.name
              type: keyword
              description: The service name.
            - name: url.name
              type: keyword
              description: The website name.
            - name: product.name
              type: keyword
              description: The product name.
            - name: product.sku
              type: keyword
              description: The product SKU.
            - name: bulk_upload.failed
              type: long
              description: Number of failed records in bulk upload operation.
            - name: bulk_upload.total
              type: long
              description: Number of total records in bulk upload operation.
            - name: group.allowed_list
              type: keyword
              description: Names of allow-listed groups.
            - name: email.quarantine_name
              type: keyword
              description: The name of the quarantine.
            - name: email.log_search_filter.message_id
              type: keyword
              description: The log search filter's email message ID.
            - name: email.log_search_filter.start_date
              type: date
              description: The log search filter's start date.
            - name: email.log_search_filter.end_date
              type: date
              description: The log search filter's ending date.
            - name: email.log_search_filter.recipient.value
              type: keyword
              description: The log search filter's email recipient.
            - name: email.log_search_filter.sender.value
              type: keyword
              description: The log search filter's email sender.
            - name: email.log_search_filter.recipient.ip
              type: ip
              description: The log search filter's email recipient's IP address.
            - name: email.log_search_filter.sender.ip
              type: ip
              description: The log search filter's email sender's IP address.
            - name: chrome_licenses.enabled
              type: keyword
              description: >
                Licences enabled.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
            - name: chrome_licenses.allowed
              type: keyword
              description: >
                Licences enabled.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
            - name: oauth2.service.name
              type: keyword
              description: >
                OAuth2 service name.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
            - name: oauth2.application.id
              type: keyword
              description: OAuth2 application ID.
            - name: oauth2.application.name
              type: keyword
              description: OAuth2 application name.
            - name: oauth2.application.type
              type: keyword
              description: >
                OAuth2 application type.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
            - name: verification_method
              type: keyword
              description: >
                Related verification method.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
                and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
            - name: alert.name
              type: keyword
              description: The alert name.
            - name: rule.name
              type: keyword
              description: The rule name.
            - name: api.client.name
              type: keyword
              description: The API client name.
            - name: api.scopes
              type: keyword
              description: The API scopes.
            - name: mdm.token
              type: keyword
              description: The MDM vendor enrollment token.
            - name: mdm.vendor
              type: keyword
              description: The MDM vendor's name.
            - name: info_type
              type: keyword
              description: >
                This will be used to state what kind of information was changed.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
            - name: email_monitor.dest_email
              type: keyword
              description: The destination address of the email monitor.
            - name: email_monitor.level.chat
              type: keyword
              description: The chat email monitor level.
            - name: email_monitor.level.draft
              type: keyword
              description: The draft email monitor level.
- name: email_monitor.level.incoming type: keyword description: The incoming email monitor level. - name: email_monitor.level.outgoing type: keyword description: The outgoing email monitor level. - name: email_dump.include_deleted type: boolean description: Indicates if deleted emails are included in the export. - name: email_dump.package_content type: keyword description: The contents of the mailbox package. - name: email_dump.query type: keyword description: The search query used for the dump. - name: request.id type: keyword description: The request ID. - name: mobile.action.id type: keyword description: The mobile device action's ID. - name: mobile.action.type type: keyword description: > The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: mobile.certificate.name type: keyword description: The mobile certificate common name. - name: mobile.company_owned_devices type: long description: The number of devices a company owns. - name: distribution.entity.name type: keyword description: > The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: distribution.entity.type type: keyword description: > The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: drive type: group fields: - name: billable type: boolean description: Whether this activity is billable. - name: source_folder_id type: keyword - name: source_folder_title type: keyword - name: destination_folder_id type: keyword - name: destination_folder_title type: keyword - name: file.id type: keyword - name: file.type type: keyword description: > Document Drive type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: originating_app_id type: keyword description: > The Google Cloud Project ID of the application that performed the action. - name: file.owner.email type: keyword - name: file.owner.is_shared_drive type: boolean description: > Boolean flag denoting whether owner is a shared drive. - name: primary_event type: boolean description: > Whether this is a primary event. A single user action in Drive may generate several events. - name: shared_drive_id type: keyword description: > The unique identifier of the Team Drive. Only populated for events relating to a Team Drive or item contained inside a Team Drive. - name: visibility type: keyword description: > Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: new_value type: keyword description: > When a setting or property of the file changes, the new value for it will appear here. - name: old_value type: keyword description: > When a setting or property of the file changes, the old value for it will appear here. - name: sheets_import_range_recipient_doc type: keyword description: Doc ID of the recipient of a sheets import range. - name: old_visibility type: keyword description: > When visibility changes, this holds the old value. - name: visibility_change type: keyword description: > When visibility changes, this holds the new overall visibility of the file. - name: target_domain type: keyword description: > The domain for which the access scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. - name: added_role type: keyword description: > Added membership role of a user/group in a Team Drive. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: membership_change_type type: keyword description: > Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: shared_drive_settings_change_type type: keyword description: > Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: removed_role type: keyword description: > Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: target type: keyword description: Target user or group. - name: groups type: group fields: - name: acl_permission type: keyword description: > Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: email type: keyword description: > Group email. - name: member.email type: keyword description: > Member email. - name: member.role type: keyword description: > Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: setting type: keyword description: > Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: new_value type: keyword description: > New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: old_value type: keyword description: Old value(s) of the group setting. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: value type: keyword description: > Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: message.id type: keyword description: > SMTP message Id of an email message. Present for moderation events. - name: message.moderation_action type: keyword description: > Message moderation action. Possible values are `approved` and `rejected`. - name: status type: keyword description: > A status describing the output of an operation. Possible values are `failed` and `succeeded`. - name: login type: group fields: - name: affected_email_address type: keyword - name: challenge_method type: keyword description: > Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - name: failure_type type: keyword description: > Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - name: type type: keyword description: > Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - name: is_second_factor type: boolean - name: is_suspicious type: boolean - name: saml type: group fields: - name: application_name type: keyword description: > Saml SP application name. - name: failure_type type: keyword description: > Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - name: initiated_by type: keyword description: > Requester of SAML authentication. - name: orgunit_path type: keyword description: > User orgunit. - name: status_code type: keyword description: > SAML status code. 
- name: second_level_status_code type: keyword description: > SAML second level status code. - key: gsuite title: "gsuite" description: > gsuite Module fields: - name: gsuite default_field: false type: group description: > Gsuite specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list fields: - name: actor.type type: keyword description: > The type of actor. Values can be: *USER*: Another user in the same domain. *EXTERNAL_USER*: A user outside the domain. *KEY*: A non-human actor. - name: actor.key type: keyword description: > Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - name: event.type type: keyword description: > The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list example: audit#activity - name: kind type: keyword description: > The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list example: audit#activity - name: organization.domain type: keyword description: > The domain that is affected by the report's event. - name: admin type: group fields: - name: application.edition type: keyword description: The GSuite edition. - name: application.name type: keyword description: The application's name. - name: application.enabled type: keyword description: The enabled application. - name: application.licences_order_number type: keyword description: Order number used to redeem licenses. - name: application.licences_purchased type: keyword description: Number of licences purchased. - name: application.id type: keyword description: The application ID. 
- name: application.asp_id type: keyword description: The application specific password ID. - name: application.package_id type: keyword description: The mobile application package ID. - name: group.email type: keyword description: The group's primary email address. - name: new_value type: keyword description: The new value for the setting. - name: old_value type: keyword description: The old value for the setting. - name: org_unit.name type: keyword description: The organizational unit name. - name: org_unit.full type: keyword description: The org unit full path including the root org unit name. - name: setting.name type: keyword description: The setting name. - name: user_defined_setting.name type: keyword description: The name of the user-defined setting. - name: setting.description type: keyword description: The setting name. - name: group.priorities type: keyword description: Group priorities. - name: domain.alias type: keyword description: The domain alias. - name: domain.name type: keyword description: The primary domain name. - name: domain.secondary_name type: keyword description: The secondary domain name. - name: managed_configuration type: keyword description: The name of the managed configuration. - name: non_featured_services_selection type: keyword description: > Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED - name: field type: keyword description: The name of the field. - name: resource.id type: keyword description: The name of the resource identifier. - name: user.email type: keyword description: The user's primary email address. - name: user.nickname type: keyword description: The user's nickname. - name: user.birthdate type: date description: The user's birth date. - name: gateway.name type: keyword description: Gateway name. Present on some chat settings. 
- name: chrome_os.session_type type: keyword description: Chrome OS session type. - name: device.serial_number type: keyword description: Device serial number. - name: device.id type: keyword - name: device.type type: keyword description: Device type. - name: print_server.name type: keyword description: The name of the print server. - name: printer.name type: keyword description: The name of the printer. - name: device.command_details type: keyword description: Command details. - name: role.id type: keyword description: Unique identifier for this role privilege. - name: role.name type: keyword description: > The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - name: privilege.name type: keyword description: Privilege name. - name: service.name type: keyword description: The service name. - name: url.name type: keyword description: The website name. - name: product.name type: keyword description: The product name. - name: product.sku type: keyword description: The product SKU. - name: bulk_upload.failed type: long description: Number of failed records in bulk upload operation. - name: bulk_upload.total type: long description: Number of total records in bulk upload operation. - name: group.allowed_list type: keyword description: Names of allow-listed groups. - name: email.quarantine_name type: keyword description: The name of the quarantine. - name: email.log_search_filter.message_id type: keyword description: The log search filter's email message ID. - name: email.log_search_filter.start_date type: date description: The log search filter's start date. - name: email.log_search_filter.end_date type: date description: The log search filter's ending date. - name: email.log_search_filter.recipient.value type: keyword description: The log search filter's email recipient. 
- name: email.log_search_filter.sender.value type: keyword description: The log search filter's email sender. - name: email.log_search_filter.recipient.ip type: ip description: The log search filter's email recipient's IP address. - name: email.log_search_filter.sender.ip type: ip description: The log search filter's email sender's IP address. - name: chrome_licenses.enabled type: keyword description: > Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - name: chrome_licenses.allowed type: keyword description: > Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - name: oauth2.service.name type: keyword description: > OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - name: oauth2.application.id type: keyword description: OAuth2 application ID. - name: oauth2.application.name type: keyword description: OAuth2 application name. - name: oauth2.application.type type: keyword description: > OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - name: verification_method type: keyword description: > Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - name: alert.name type: keyword description: The alert name. - name: rule.name type: keyword description: The rule name. - name: api.client.name type: keyword description: The API client name. - name: api.scopes type: keyword description: The API scopes. - name: mdm.token type: keyword description: The MDM vendor enrollment token. 
- name: mdm.vendor type: keyword description: The MDM vendor's name. - name: info_type type: keyword description: > This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - name: email_monitor.dest_email type: keyword description: The destination address of the email monitor. - name: email_monitor.level.chat type: keyword description: The chat email monitor level. - name: email_monitor.level.draft type: keyword description: The draft email monitor level. - name: email_monitor.level.incoming type: keyword description: The incoming email monitor level. - name: email_monitor.level.outgoing type: keyword description: The outgoing email monitor level. - name: email_dump.include_deleted type: boolean description: Indicates if deleted emails are included in the export. - name: email_dump.package_content type: keyword description: The contents of the mailbox package. - name: email_dump.query type: keyword description: The search query used for the dump. - name: request.id type: keyword description: The request ID. - name: mobile.action.id type: keyword description: The mobile device action's ID. - name: mobile.action.type type: keyword description: > The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: mobile.certificate.name type: keyword description: The mobile certificate common name. - name: mobile.company_owned_devices type: long description: The number of devices a company owns. - name: distribution.entity.name type: keyword description: > The distribution entity value, which can be a group name or an org-unit name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: distribution.entity.type type: keyword description: > The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - name: drive type: group fields: - name: billable type: boolean description: Whether this activity is billable. - name: source_folder_id type: keyword - name: source_folder_title type: keyword - name: destination_folder_id type: keyword - name: destination_folder_title type: keyword - name: file.id type: keyword - name: file.type type: keyword description: > Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: originating_app_id type: keyword description: > The Google Cloud Project ID of the application that performed the action. - name: file.owner.email type: keyword - name: file.owner.is_shared_drive type: boolean description: > Boolean flag denoting whether owner is a shared drive. - name: primary_event type: boolean description: > Whether this is a primary event. A single user action in Drive may generate several events. - name: shared_drive_id type: keyword description: > The unique identifier of the Team Drive. Only populated for events relating to a Team Drive or item contained inside a Team Drive. - name: visibility type: keyword description: > Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: new_value type: keyword description: > When a setting or property of the file changes, the new value for it will appear here. - name: old_value type: keyword description: > When a setting or property of the file changes, the old value for it will appear here. 
- name: sheets_import_range_recipient_doc type: keyword description: Doc ID of the recipient of a sheets import range. - name: old_visibility type: keyword description: > When visibility changes, this holds the old value. - name: visibility_change type: keyword description: > When visibility changes, this holds the new overall visibility of the file. - name: target_domain type: keyword description: > The domain for which the access scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. - name: added_role type: keyword description: > Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: membership_change_type type: keyword description: > Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: shared_drive_settings_change_type type: keyword description: > Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: removed_role type: keyword description: > Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - name: target type: keyword description: Target user or group. - name: groups type: group fields: - name: acl_permission type: keyword description: > Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: email type: keyword description: > Group email. - name: member.email type: keyword description: > Member email. - name: member.role type: keyword description: > Member role. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: setting type: keyword description: > Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: new_value type: keyword description: > New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: old_value type: keyword description: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: value type: keyword description: > Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - name: message.id type: keyword description: > SMTP message Id of an email message. Present for moderation events. - name: message.moderation_action type: keyword description: > Message moderation action. Possible values are `approved` and `rejected`. - name: status type: keyword description: > A status describing the output of an operation. Possible values are `failed` and `succeeded`. - name: login type: group fields: - name: affected_email_address type: keyword - name: challenge_method type: keyword description: > Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - name: failure_type type: keyword description: > Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - name: type type: keyword description: > Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. 
- name: is_second_factor type: boolean - name: is_suspicious type: boolean - name: saml type: group fields: - name: application_name type: keyword description: > Saml SP application name. - name: failure_type type: keyword description: > Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - name: initiated_by type: keyword description: > Requester of SAML authentication. - name: orgunit_path type: keyword description: > User orgunit. - name: status_code type: keyword description: > SAML status code. - name: second_level_status_code type: keyword description: > SAML second level status code. - key: ibmmq title: "ibmmq" description: > ibmmq Module release: ga fields: - name: ibmmq type: group description: > fields: - name: errorlog description: IBM MQ error logs type: group fields: - name: installation description: > This is the installation name which can be given at installation time. Each installation of IBM MQ on UNIX, Linux, and Windows has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. type: keyword - name: qmgr description: > Name of the queue manager. Queue managers provide queuing services to applications, and manage the queues that belong to them. type: keyword - name: arithinsert description: Changing content based on error.id type: keyword - name: commentinsert description: Changing content based on error.id type: keyword - name: errordescription description: Please add description example: Please add example type: text - name: explanation description: Explains the error in more detail type: keyword - name: action description: Defines what to do when the error occurs type: keyword - name: code description: Error code. type: keyword - key: imperva title: Imperva SecureSphere description: > imperva fields. 
fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. 
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: dead
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: feed_desc
        overwrite: true
        type: keyword
        description: This is used to capture the description of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: feed_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: cid
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_class
        overwrite: true
        type: keyword
        description: This is the classification of the log event source under a predefined fixed set of event source classifications. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_group
        overwrite: true
        type: keyword
        description: This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_host
        overwrite: true
        type: keyword
        description: This is the hostname of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_ip
        overwrite: true
        type: ip
        description: This is the IPv4 address of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_ipv6
        overwrite: true
        type: ip
        description: This is the IPv6 address of the log event source sending the logs to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_type
        overwrite: true
        type: keyword
        description: This is the name of the log parser which parsed a given session. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: device_type_id
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: did
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: entropy_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 based on the configuration.
      - name: entropy_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32 based on the configuration.
      - name: event_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: feed_category
        overwrite: true
        type: keyword
        description: This is used to capture the category of the feed. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: forward_ip
        overwrite: true
        type: ip
        description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
      - name: forward_ipv6
        overwrite: true
        type: ip
        description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: header_id
        overwrite: true
        type: keyword
        description: This is the header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: lc_cid
        overwrite: true
        type: keyword
        description: This is the unique identifier of a Log Collector. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: lc_ctime
        overwrite: true
        type: date
        description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: mcb_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the most common byte (request side) is simply which byte value (0 through 255) was seen the most on that side of the session.
      - name: mcb_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the most common byte (response side) is simply which byte value (0 through 255) was seen the most on that side of the session.
      - name: mcbc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams.
      - name: mcbc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the most common byte count is the number of times the most common byte (above) was seen in the session streams.
      - name: medium
        overwrite: true
        type: long
        description: "This key is used to identify whether it's a log/packet session or a Layer 2 encapsulation type. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is a packet session."
      - name: node_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: nwe_callback_id
        overwrite: true
        type: keyword
        description: This key denotes that the event is endpoint related.
      - name: parse_error
        overwrite: true
        type: keyword
        description: This is a special key that stores any meta key validation error found while parsing a log session. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: payload_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: payload_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: process_vid_dst
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
      - name: process_vid_src
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
      - name: rid
        overwrite: true
        type: long
        description: This is a special ID of the remote session created by the NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: session_split
        overwrite: true
        type: keyword
        description: This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: site
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: size
        overwrite: true
        type: long
        description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: sourcefile
        overwrite: true
        type: keyword
        description: This is the name of the log file or PCAP that can be imported into NetWitness. This key should never be used to parse metadata from a session (logs/packets) directly; this is a reserved key in NetWitness.
      - name: ubc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values from 0 through 255 were seen at least once.
      - name: ubc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser; unique byte count is the number of distinct byte values seen in each stream. 256 would mean all byte values from 0 through 255 were seen at least once.
      - name: word
        overwrite: true
        type: keyword
        description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log.
    - name: time
      overwrite: true
      type: group
      fields:
      - name: event_time
        overwrite: true
        type: date
        description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form.
      - name: duration_time
        overwrite: true
        type: double
        description: This key is used to capture the normalized duration/lifetime in seconds.
      - name: event_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture an incomplete time mentioned in a session, as a string.
      - name: starttime
        overwrite: true
        type: date
        description: This key is used to capture the start time mentioned in a session, in a standard form.
      - name: month
        overwrite: true
        type: keyword
      - name: day
        overwrite: true
        type: keyword
      - name: endtime
        overwrite: true
        type: date
        description: This key is used to capture the end time mentioned in a session, in a standard form.
      - name: timezone
        overwrite: true
        type: keyword
        description: This key is used to capture the timezone of the event time.
      - name: duration_str
        overwrite: true
        type: keyword
        description: A text string version of the duration.
      - name: date
        overwrite: true
        type: keyword
      - name: year
        overwrite: true
        type: keyword
      - name: recorded_time
        overwrite: true
        type: date
        description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
      - name: datetime
        overwrite: true
        type: keyword
      - name: effective_time
        overwrite: true
        type: date
        description: This key is the effective time referenced by an individual event, in a standard timestamp format.
      - name: expire_time
        overwrite: true
        type: date
        description: This key is the timestamp that explicitly refers to an expiration.
      - name: process_time
        overwrite: true
        type: keyword
        description: Deprecated, use duration.time
      - name: hour
        overwrite: true
        type: keyword
      - name: min
        overwrite: true
        type: keyword
      - name: timestamp
        overwrite: true
        type: keyword
      - name: event_queue_time
        overwrite: true
        type: date
        description: This key is the time that the event was queued.
      - name: p_time1
        overwrite: true
        type: keyword
      - name: tzone
        overwrite: true
        type: keyword
      - name: eventtime
        overwrite: true
        type: keyword
      - name: gmtdate
        overwrite: true
        type: keyword
      - name: gmttime
        overwrite: true
        type: keyword
      - name: p_date
        overwrite: true
        type: keyword
      - name: p_month
        overwrite: true
        type: keyword
      - name: p_time
        overwrite: true
        type: keyword
      - name: p_time2
        overwrite: true
        type: keyword
      - name: p_year
        overwrite: true
        type: keyword
      - name: expire_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
      - name: stamp
        overwrite: true
        type: date
        description: Deprecated key defined only in table map.
    - name: misc
      overwrite: true
      type: group
      fields:
      - name: action
        overwrite: true
        type: keyword
      - name: result
        overwrite: true
        type: keyword
        description: This key is used to capture the outcome/result string value of an action in a session.
      - name: severity
        overwrite: true
        type: keyword
        description: This key is used to capture the severity given to the session.
      - name: event_type
        overwrite: true
        type: keyword
        description: This key captures the event category type as specified by the event source.
      - name: reference_id
        overwrite: true
        type: keyword
        description: This key is used to capture an event id from the session directly.
      - name: version
        overwrite: true
        type: keyword
        description: This key captures the version of the application or OS which is generating the event.
      - name: disposition
        overwrite: true
        type: keyword
        description: This key captures the end state of an action.
      - name: result_code
        overwrite: true
        type: keyword
        description: This key is used to capture the outcome/result numeric value of an action in a session.
      - name: category
        overwrite: true
        type: keyword
        description: This key is used to capture the category of an event as given by the vendor in the session.
      - name: obj_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of an object.
      - name: obj_type
        overwrite: true
        type: keyword
        description: This is used to capture the type of an object.
      - name: event_source
        overwrite: true
        type: keyword
        description: "This key captures the source of the event when it's not a hostname."
      - name: log_session_id
        overwrite: true
        type: keyword
        description: This key is used to capture a session id from the session directly.
      - name: group
        overwrite: true
        type: keyword
        description: This key captures the group name value.
      - name: policy_name
        overwrite: true
        type: keyword
        description: This key is used to capture the policy name only.
      - name: rule_name
        overwrite: true
        type: keyword
        description: This key captures the rule name.
      - name: context
        overwrite: true
        type: keyword
        description: This key captures information which adds additional context to the event.
      - name: change_new
        overwrite: true
        type: keyword
        description: "This key is used to capture the new value of the attribute that's changing in a session."
      - name: space
        overwrite: true
        type: keyword
      - name: client
        overwrite: true
        type: keyword
        description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
      - name: msgIdPart1
        overwrite: true
        type: keyword
      - name: msgIdPart2
        overwrite: true
        type: keyword
      - name: change_old
        overwrite: true
        type: keyword
        description: "This key is used to capture the old value of the attribute that's changing in a session."
      - name: operation_id
        overwrite: true
        type: keyword
        description: An alert number or operation number. The values should be unique and non-repeating.
      - name: event_state
        overwrite: true
        type: keyword
        description: This key captures the current state of the object/item referenced within the event, describing an on-going event.
      - name: group_object
        overwrite: true
        type: keyword
        description: This key captures a collection/grouping of entities. Specific usage
      - name: node
        overwrite: true
        type: keyword
        description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
      - name: rule
        overwrite: true
        type: keyword
        description: This key captures the rule number.
      - name: device_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the device associated with the node, such as a physical disk or printer.
      - name: param
        overwrite: true
        type: keyword
        description: This key holds the parameters passed as part of a command or application, etc.
      - name: change_attrib
        overwrite: true
        type: keyword
        description: "This key is used to capture the name of the attribute that's changing in a session."
      - name: event_computer
        overwrite: true
        type: keyword
        description: This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.
      - name: reference_id1
        overwrite: true
        type: keyword
        description: 'This key is for a linked ID to be used as an addition to "reference.id".'
      - name: event_log
        overwrite: true
        type: keyword
        description: This key captures the name of the event log.
      - name: OS
        overwrite: true
        type: keyword
        description: This key captures the name of the operating system.
      - name: terminal
        overwrite: true
        type: keyword
        description: This key captures terminal names only.
      - name: msgIdPart3
        overwrite: true
        type: keyword
      - name: filter
        overwrite: true
        type: keyword
        description: This key captures the filter used to reduce the result set.
      - name: serial_number
        overwrite: true
        type: keyword
        description: This key is the serial number associated with a physical asset.
      - name: checksum
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of an entity such as a file or process. checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is the source or the target of an action.
      - name: event_user
        overwrite: true
        type: keyword
        description: This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log.
      - name: virusname
        overwrite: true
        type: keyword
        description: This key captures the name of the virus.
      - name: content_type
        overwrite: true
        type: keyword
        description: This key is used to capture the content type only.
      - name: group_id
        overwrite: true
        type: keyword
        description: This key captures the group ID number (related to the group name).
      - name: policy_id
        overwrite: true
        type: keyword
        description: This key is used to capture the policy ID only; this should be a numeric value, use policy.name otherwise.
      - name: vsys
        overwrite: true
        type: keyword
        description: This key captures the virtual system name.
      - name: connection_id
        overwrite: true
        type: keyword
        description: This key captures the connection ID.
      - name: reference_id2
        overwrite: true
        type: keyword
        description: 'This key is for the 2nd linked ID. It can be linked to either the "reference.id" or the "reference.id1" value, but should not be used unless the other two variables are in play.'
      - name: sensor
        overwrite: true
        type: keyword
        description: This key captures the name of the sensor. Typically used in IDS/IPS based devices.
      - name: sig_id
        overwrite: true
        type: long
        description: This key captures the IDS/IPS integer signature ID.
      - name: port_name
        overwrite: true
        type: keyword
        description: 'This key is used for a physical or logical port connection but does NOT include a network port (example: printer port name).'
      - name: rule_group
        overwrite: true
        type: keyword
        description: This key captures the rule group name.
      - name: risk_num
        overwrite: true
        type: double
        description: This key captures a numeric risk value.
      - name: trigger_val
        overwrite: true
        type: keyword
        description: This key captures the value of the trigger or threshold condition.
      - name: log_session_id1
        overwrite: true
        type: keyword
        description: This key is used to capture a linked (related) session ID from the session directly.
      - name: comp_version
        overwrite: true
        type: keyword
        description: This key captures the version level of a sub-component of a product.
      - name: content_version
        overwrite: true
        type: keyword
        description: This key captures the version level of a signature or database content.
      - name: hardware_id
        overwrite: true
        type: keyword
        description: This key is used to capture a unique identifier for a device or system (NOT a MAC address).
      - name: risk
        overwrite: true
        type: keyword
        description: This key captures the non-numeric risk value.
      - name: event_id
        overwrite: true
        type: keyword
      - name: reason
        overwrite: true
        type: keyword
      - name: status
        overwrite: true
        type: keyword
      - name: mail_id
        overwrite: true
        type: keyword
        description: This key is used to capture the mailbox id/name.
      - name: rule_uid
        overwrite: true
        type: keyword
        description: This key is the unique identifier for a rule.
      - name: trigger_desc
        overwrite: true
        type: keyword
        description: This key captures the description of the trigger or threshold condition.
      - name: inout
        overwrite: true
        type: keyword
      - name: p_msgid
        overwrite: true
        type: keyword
      - name: data_type
        overwrite: true
        type: keyword
      - name: msgIdPart4
        overwrite: true
        type: keyword
      - name: error
        overwrite: true
        type: keyword
        description: This key captures all non-successful error codes or responses.
      - name: index
        overwrite: true
        type: keyword
      - name: listnum
        overwrite: true
        type: keyword
        description: This key is used to capture the list name or list number, primarily for collecting access-lists.
      - name: ntype
        overwrite: true
        type: keyword
      - name: observed_val
        overwrite: true
        type: keyword
        description: This key captures the value observed (from the perspective of the device generating the log).
      - name: policy_value
        overwrite: true
        type: keyword
        description: This key captures the contents of the policy. This contains details about the policy.
      - name: pool_name
        overwrite: true
        type: keyword
        description: This key captures the name of a resource pool.
      - name: rule_template
        overwrite: true
        type: keyword
        description: A default set of parameters which are overlaid onto a rule (or rule name) and which effectively constitutes a template.
      - name: count
        overwrite: true
        type: keyword
      - name: number
        overwrite: true
        type: keyword
      - name: sigcat
        overwrite: true
        type: keyword
      - name: type
        overwrite: true
        type: keyword
      - name: comments
        overwrite: true
        type: keyword
        description: Comment information provided in the log message.
      - name: doc_number
        overwrite: true
        type: long
        description: This key captures the file identification number.
      - name: expected_val
        overwrite: true
        type: keyword
        description: This key captures the value expected (from the perspective of the device generating the log).
      - name: job_num
        overwrite: true
        type: keyword
        description: This key captures the job number.
      - name: spi_dst
        overwrite: true
        type: keyword
        description: Destination SPI index.
      - name: spi_src
        overwrite: true
        type: keyword
        description: Source SPI index.
      - name: code
        overwrite: true
        type: keyword
      - name: agent_id
        overwrite: true
        type: keyword
        description: This key is used to capture the agent id.
      - name: message_body
        overwrite: true
        type: keyword
        description: This key captures the contents of the message body.
      - name: phone
        overwrite: true
        type: keyword
      - name: sig_id_str
        overwrite: true
        type: keyword
        description: This key captures a string form of the sig.id variable.
      - name: cmd
        overwrite: true
        type: keyword
      - name: misc
        overwrite: true
        type: keyword
      - name: name
        overwrite: true
        type: keyword
      - name: cpu
        overwrite: true
        type: long
        description: This key is the CPU time used in the execution of the event being recorded.
      - name: event_desc
        overwrite: true
        type: keyword
        description: This key is used to capture a description of an event, available directly or inferred.
      - name: sig_id1
        overwrite: true
        type: long
        description: This key captures the IDS/IPS integer signature ID. This must be linked to the sig.id.
      - name: im_buddyid
        overwrite: true
        type: keyword
      - name: im_client
        overwrite: true
        type: keyword
      - name: im_userid
        overwrite: true
        type: keyword
      - name: pid
        overwrite: true
        type: keyword
      - name: priority
        overwrite: true
        type: keyword
      - name: context_subject
        overwrite: true
        type: keyword
        description: This key is to be used in an audit context where the subject is the object being identified.
      - name: context_target
        overwrite: true
        type: keyword
      - name: cve
        overwrite: true
        type: keyword
        description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability.
      - name: fcatnum
        overwrite: true
        type: keyword
        description: This key captures the filter category number. Legacy usage.
      - name: library
        overwrite: true
        type: keyword
        description: This key is used to capture library information in mainframe devices.
      - name: parent_node
        overwrite: true
        type: keyword
        description: This key captures the parent node name. Must be related to the node variable.
      - name: risk_info
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: tcp_flags
        overwrite: true
        type: long
        description: This key captures the TCP flags set in any packet of the session.
      - name: tos
        overwrite: true
        type: long
        description: This key describes the type of service.
      - name: vm_target
        overwrite: true
        type: keyword
        description: VMware target. VMware-only variable.
      - name: workspace
        overwrite: true
        type: keyword
        description: This key captures the workspace description.
      - name: command
        overwrite: true
        type: keyword
      - name: event_category
        overwrite: true
        type: keyword
      - name: facilityname
        overwrite: true
        type: keyword
      - name: forensic_info
        overwrite: true
        type: keyword
      - name: jobname
        overwrite: true
        type: keyword
      - name: mode
        overwrite: true
        type: keyword
      - name: policy
        overwrite: true
        type: keyword
      - name: policy_waiver
        overwrite: true
        type: keyword
      - name: second
        overwrite: true
        type: keyword
      - name: space1
        overwrite: true
        type: keyword
      - name: subcategory
        overwrite: true
        type: keyword
      - name: tbdstr2
        overwrite: true
        type: keyword
      - name: alert_id
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: checksum_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of the target entity such as a process or file.
      - name: checksum_src
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of the source entity such as a file or process.
      - name: fresult
        overwrite: true
        type: long
        description: This key captures the filter result.
      - name: payload_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the destination payload.
      - name: payload_src
        overwrite: true
        type: keyword
        description: This key is used to capture the source payload.
      - name: pool_id
        overwrite: true
        type: keyword
        description: This key captures the identifier (typically a numeric field) of a resource pool.
      - name: process_id_val
        overwrite: true
        type: keyword
        description: This key is a failure key for the process ID when it is not an integer value.
      - name: risk_num_comm
        overwrite: true
        type: double
        description: This key captures the risk number (community).
      - name: risk_num_next
        overwrite: true
        type: double
        description: This key captures the risk number (NextGen).
      - name: risk_num_sand
        overwrite: true
        type: double
        description: This key captures the risk number (sandbox).
      - name: risk_num_static
        overwrite: true
        type: double
        description: This key captures the risk number (static).
      - name: risk_suspicious
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: risk_warning
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: snmp_oid
        overwrite: true
        type: keyword
        description: SNMP object identifier.
      - name: sql
        overwrite: true
        type: keyword
        description: This key captures the SQL query.
      - name: vuln_ref
        overwrite: true
        type: keyword
        description: This key captures the vulnerability reference details.
      - name: acl_id
        overwrite: true
        type: keyword
      - name: acl_op
        overwrite: true
        type: keyword
      - name: acl_pos
        overwrite: true
        type: keyword
      - name: acl_table
        overwrite: true
        type: keyword
      - name: admin
        overwrite: true
        type: keyword
      - name: alarm_id
        overwrite: true
        type: keyword
      - name: alarmname
        overwrite: true
        type: keyword
      - name: app_id
        overwrite: true
        type: keyword
      - name: audit
        overwrite: true
        type: keyword
      - name: audit_object
        overwrite: true
        type: keyword
      - name: auditdata
        overwrite: true
        type: keyword
      - name: benchmark
        overwrite: true
        type: keyword
      - name: bypass
        overwrite: true
        type: keyword
      - name: cache
        overwrite: true
        type: keyword
      - name: cache_hit
        overwrite: true
        type: keyword
      - name: cefversion
        overwrite: true
        type: keyword
      - name: cfg_attr
        overwrite: true
        type: keyword
      - name: cfg_obj
        overwrite: true
        type: keyword
      - name: cfg_path
        overwrite: true
        type: keyword
      - name: changes
        overwrite: true
        type: keyword
      - name: client_ip
        overwrite: true
        type: keyword
      - name: clustermembers
        overwrite: true
        type: keyword
      - name: cn_acttimeout
        overwrite: true
        type: keyword
      - name: cn_asn_src
        overwrite: true
        type: keyword
      - name: cn_bgpv4nxthop
        overwrite: true
        type: keyword
      - name: cn_ctr_dst_code
        overwrite: true
        type: keyword
      - name: cn_dst_tos
        overwrite: true
        type: keyword
      - name: cn_dst_vlan
        overwrite: true
        type: keyword
      - name: cn_engine_id
        overwrite: true
        type: keyword
      - name: cn_engine_type
        overwrite: true
        type: keyword
      - name: cn_f_switch
        overwrite: true
        type: keyword
      - name: cn_flowsampid
        overwrite: true
        type: keyword
      - name: cn_flowsampintv
        overwrite: true
        type: keyword
      - name: cn_flowsampmode
        overwrite: true
        type: keyword
      - name: cn_inacttimeout
        overwrite: true
        type: keyword
      - name: cn_inpermbyts
        overwrite: true
        type: keyword
      - name: cn_inpermpckts
        overwrite: true
        type: keyword
      - name: cn_invalid
        overwrite: true
        type: keyword
      - name: cn_ip_proto_ver
        overwrite: true
        type: keyword
      - name: cn_ipv4_ident
        overwrite: true
        type: keyword
      - name: cn_l_switch
        overwrite: true
        type: keyword
      - name: cn_log_did
        overwrite: true
        type: keyword
      - name: cn_log_rid
        overwrite: true
        type: keyword
      - name: cn_max_ttl
        overwrite: true
        type: keyword
      - name: cn_maxpcktlen
        overwrite: true
        type: keyword
      - name: cn_min_ttl
        overwrite: true
        type: keyword
      - name: cn_minpcktlen
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_1
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_10
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_2
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_3
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_4
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_5
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_6
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_7
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_8
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_9
        overwrite: true
        type: keyword
      - name: cn_mplstoplabel
        overwrite: true
        type: keyword
      - name: cn_mplstoplabip
        overwrite: true
        type: keyword
      - name: cn_mul_dst_byt
        overwrite: true
        type: keyword
      - name: cn_mul_dst_pks
        overwrite: true
        type: keyword
      - name: cn_muligmptype
        overwrite: true
        type: keyword
      - name: cn_sampalgo
        overwrite: true
        type: keyword
      - name: cn_sampint
        overwrite: true
        type: keyword
      - name: cn_seqctr
        overwrite: true
        type: keyword
      - name: cn_spackets
        overwrite: true
        type: keyword
      - name: cn_src_tos
        overwrite: true
        type: keyword
      - name: cn_src_vlan
        overwrite: true
        type: keyword
      - name: cn_sysuptime
        overwrite: true
        type: keyword
      - name: cn_template_id
        overwrite: true
        type: keyword
      - name: cn_totbytsexp
        overwrite: true
        type: keyword
      - name: cn_totflowexp
        overwrite: true
        type: keyword
      - name: cn_totpcktsexp
        overwrite: true
        type: keyword
      - name: cn_unixnanosecs
        overwrite: true
        type: keyword
      - name: cn_v6flowlabel
        overwrite: true
        type: keyword
      - name: cn_v6optheaders
        overwrite: true
        type: keyword
      - name: comp_class
        overwrite: true
        type: keyword
      - name: comp_name
        overwrite: true
        type: keyword
      - name: comp_rbytes
        overwrite: true
        type: keyword
      - name: comp_sbytes
        overwrite: true
        type: keyword
      - name: cpu_data
        overwrite: true
        type: keyword
      - name: criticality
        overwrite: true
        type: keyword
      - name: cs_agency_dst
        overwrite: true
        type: keyword
      - name: cs_analyzedby
        overwrite: true
        type: keyword
      - name: cs_av_other
        overwrite: true
        type: keyword
      - name: cs_av_primary
        overwrite: true
        type: keyword
      - name: cs_av_secondary
        overwrite: true
        type: keyword
      - name: cs_bgpv6nxthop
        overwrite: true
        type: keyword
      - name: cs_bit9status
        overwrite: true
        type: keyword
      - name: cs_context
        overwrite: true
        type: keyword
      - name: cs_control
        overwrite: true
        type: keyword
      - name: cs_data
        overwrite: true
        type: keyword
      - name: cs_datecret
        overwrite: true
        type: keyword
      - name: cs_dst_tld
        overwrite: true
        type: keyword
      - name: cs_eth_dst_ven
        overwrite: true
        type: keyword
      - name: cs_eth_src_ven
        overwrite: true
        type: keyword
      - name: cs_event_uuid
        overwrite: true
        type: keyword
      - name: cs_filetype
        overwrite: true
        type: keyword
      - name: cs_fld
        overwrite: true
        type: keyword
      - name: cs_if_desc
        overwrite: true
        type: keyword
      - name: cs_if_name
        overwrite: true
        type: keyword
      - name: cs_ip_next_hop
        overwrite: true
        type: keyword
      - name: cs_ipv4dstpre
        overwrite: true
        type: keyword
      - name: cs_ipv4srcpre
        overwrite: true
        type: keyword
      - name: cs_lifetime
        overwrite: true
        type: keyword
      - name: cs_log_medium
        overwrite: true
        type: keyword
      - name: cs_loginname
        overwrite: true
        type: keyword
      - name: cs_modulescore
        overwrite: true
        type: keyword
      - name: cs_modulesign
        overwrite: true
        type: keyword
      - name: cs_opswatresult
        overwrite: true
        type: keyword
      - name: cs_payload
        overwrite: true
        type: keyword
      - name: cs_registrant
        overwrite: true
        type: keyword
      - name: cs_registrar
        overwrite: true
        type: keyword
      - name: cs_represult
        overwrite: true
        type: keyword
      - name: cs_rpayload
        overwrite: true
        type: keyword
      - name: cs_sampler_name
        overwrite: true
        type: keyword
      - name: cs_sourcemodule
        overwrite: true
        type: keyword
      - name: cs_streams
        overwrite: true
        type: keyword
      - name: cs_targetmodule
        overwrite: true
        type: keyword
      - name: cs_v6nxthop
        overwrite: true
        type: keyword
      - name: cs_whois_server
        overwrite: true
        type: keyword
      - name: cs_yararesult
        overwrite: true
        type: keyword
      - name: description
        overwrite: true
        type: keyword
      - name: devvendor
        overwrite: true
        type: keyword
      - name: distance
        overwrite: true
        type: keyword
      - name: dstburb
        overwrite: true
        type: keyword
      - name: edomain
        overwrite: true
        type: keyword
      - name: edomaub
        overwrite: true
        type: keyword
      - name: euid
        overwrite: true
        type: keyword
      - name: facility
        overwrite: true
        type: keyword
      - name: finterface
        overwrite: true
        type: keyword
      - name: flags
        overwrite: true
        type: keyword
      - name: gaddr
        overwrite: true
        type: keyword
      - name: id3
        overwrite: true
        type: keyword
      - name: im_buddyname
        overwrite: true
        type: keyword
      - name: im_croomid
        overwrite: true
        type: keyword
      - name: im_croomtype
        overwrite: true
        type: keyword
      - name: im_members
        overwrite: true
        type: keyword
      - name: im_username
        overwrite: true
        type: keyword
      - name: ipkt
        overwrite: true
        type: keyword
      - name: ipscat
        overwrite: true
        type: keyword
      - name: ipspri
        overwrite: true
        type: keyword
      - name: latitude
        overwrite: true
        type: keyword
      - name: linenum
        overwrite: true
        type: keyword
      - name: list_name
        overwrite: true
        type: keyword
      - name: load_data
        overwrite: true
        type: keyword
      - name: location_floor
        overwrite: true
        type: keyword
      - name: location_mark
        overwrite: true
        type: keyword
      - name: log_id
        overwrite: true
        type: keyword
      - name: log_type
        overwrite: true
        type: keyword
      - name: logid
        overwrite: true
        type: keyword
      - name: logip
        overwrite: true
        type: keyword
      - name: logname
        overwrite: true
        type: keyword
      - name: longitude
        overwrite: true
        type: keyword
      - name: lport
        overwrite: true
        type: keyword
      - name: mbug_data
        overwrite: true
        type: keyword
      - name: misc_name
        overwrite: true
        type: keyword
      - name: msg_type
        overwrite: true
        type: keyword
      - name: msgid
        overwrite: true
        type: keyword
      - name: netsessid
        overwrite: true
        type: keyword
      - name: num
        overwrite: true
        type: keyword
      - name: number1
        overwrite: true
        type: keyword
      - name: number2
        overwrite: true
        type: keyword
      - name: nwwn
        overwrite: true
        type: keyword
      - name: object
        overwrite: true
        type: keyword
      - name: operation
        overwrite: true
        type: keyword
      - name: opkt
        overwrite: true
        type: keyword
      - name: orig_from
        overwrite: true
        type: keyword
      - name: owner_id
        overwrite: true
        type: keyword
      - name: p_action
        overwrite: true
        type: keyword
      - name: p_filter
        overwrite: true
        type: keyword
      - name: p_group_object
        overwrite: true
        type: keyword
      - name: p_id
        overwrite: true
        type: keyword
      - name: p_msgid1
        overwrite: true
        type: keyword
      - name: p_msgid2
        overwrite: true
        type: keyword
      - name: p_result1
        overwrite: true
        type: keyword
      - name: password_chg
        overwrite: true
        type: keyword
      - name: password_expire
        overwrite: true
        type: keyword
      - name: permgranted
        overwrite: true
        type: keyword
      - name: permwanted
        overwrite: true
        type: keyword
      - name: pgid
        overwrite: true
        type: keyword
      - name: policyUUID
        overwrite: true
        type: keyword
      - name: prog_asp_num
        overwrite: true
        type: keyword
      - name: program
        overwrite: true
        type: keyword
      - name: real_data
        overwrite: true
        type: keyword
      - name: rec_asp_device
        overwrite: true
        type: keyword
      - name: rec_asp_num
        overwrite: true
        type: keyword
      - name: rec_library
        overwrite: true
        type: keyword
      - name: recordnum
        overwrite: true
        type: keyword
      - name: ruid
        overwrite: true
        type: keyword
      - name: sburb
        overwrite: true
        type: keyword
      - name: sdomain_fld
        overwrite: true
        type: keyword
      - name: sec
        overwrite: true
        type: keyword
      - name: sensorname
        overwrite: true
        type: keyword
      - name: seqnum
        overwrite: true
        type: keyword
      - name: session
        overwrite: true
        type: keyword
      - name: sessiontype
        overwrite: true
        type: keyword
      - name: sigUUID
        overwrite: true
        type: keyword
      - name: spi
        overwrite: true
        type: keyword
      - name: srcburb
        overwrite: true
        type: keyword
      - name: srcdom
        overwrite: true
        type: keyword
      - name: srcservice
        overwrite: true
        type: keyword
      - name: state
        overwrite: true
        type: keyword
      - name: status1
        overwrite: true
        type: keyword
      - name: svcno
        overwrite: true
        type: keyword
      - name: system
        overwrite: true
        type: keyword
      - name: tbdstr1
        overwrite: true
        type: keyword
      - name: tgtdom
        overwrite: true
        type: keyword
      - name: tgtdomain
        overwrite: true
        type: keyword
      - name: threshold
        overwrite: true
        type: keyword
      - name: type1
        overwrite: true
        type: keyword
      - name: udb_class
        overwrite: true
        type: keyword
      - name: url_fld
        overwrite: true
        type: keyword
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: infoblox title: Infoblox NIOS description: > infoblox fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
          This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
      - name: level
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: msg_id
        overwrite: true
        type: keyword
        description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: msg_vid
        overwrite: true
        type: keyword
        description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: data
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_server
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_val
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: resource
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: dead
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: feed_desc
        overwrite: true
        type: keyword
        description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: feed_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: cid
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_class
        overwrite: true
        type: keyword
        description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_group
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_host
        overwrite: true
        type: keyword
        description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ip
        overwrite: true
        type: ip
        description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ipv6
        overwrite: true
        type: ip
        description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type
        overwrite: true
        type: keyword
        description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type_id
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: did
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: entropy_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: entropy_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: event_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: feed_category
        overwrite: true
        type: keyword
        description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: forward_ip
        overwrite: true
        type: ip
        description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
      - name: forward_ipv6
        overwrite: true
        type: ip
        description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: header_id
        overwrite: true
        type: keyword
        description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_cid
        overwrite: true
        type: keyword
        description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_ctime
        overwrite: true
        type: date
        description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: mcb_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
      - name: mcb_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
      - name: mcbc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: mcbc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: medium
        overwrite: true
        type: long
        description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
      - name: node_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: nwe_callback_id
        overwrite: true
        type: keyword
        description: This key denotes that event is endpoint related
      - name: parse_error
        overwrite: true
        type: keyword
        description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: payload_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: payload_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: process_vid_dst
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
      - name: process_vid_src
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
      - name: rid
        overwrite: true
        type: long
        description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: session_split
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: site
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: size
        overwrite: true
        type: long
        description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: sourcefile
        overwrite: true
        type: keyword
        description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: ubc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: ubc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: word
        overwrite: true
        type: keyword
        description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
      - name: time
        overwrite: true
        type: group
        fields:
        - name: event_time
          overwrite: true
          type: date
          description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
        - name: duration_time
          overwrite: true
          type: double
          description: This key is used to capture the normalized duration/lifetime in seconds.
        - name: event_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture the incomplete time mentioned in a session as a string
        - name: starttime
          overwrite: true
          type: date
          description: This key is used to capture the Start time mentioned in a session in a standard form
        - name: month
          overwrite: true
          type: keyword
        - name: day
          overwrite: true
          type: keyword
        - name: endtime
          overwrite: true
          type: date
          description: This key is used to capture the End time mentioned in a session in a standard form
        - name: timezone
          overwrite: true
          type: keyword
          description: This key is used to capture the timezone of the Event Time
        - name: duration_str
          overwrite: true
          type: keyword
          description: A text string version of the duration
        - name: date
          overwrite: true
          type: keyword
        - name: year
          overwrite: true
          type: keyword
        - name: recorded_time
          overwrite: true
          type: date
          description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
        - name: datetime
          overwrite: true
          type: keyword
        - name: effective_time
          overwrite: true
          type: date
          description: This key is the effective time referenced by an individual event in a Standard Timestamp format
        - name: expire_time
          overwrite: true
          type: date
          description: This key is the timestamp that explicitly refers to an expiration.
        - name: process_time
          overwrite: true
          type: keyword
          description: Deprecated, use duration.time
        - name: hour
          overwrite: true
          type: keyword
        - name: min
          overwrite: true
          type: keyword
        - name: timestamp
          overwrite: true
          type: keyword
        - name: event_queue_time
          overwrite: true
          type: date
          description: This key is the Time that the event was queued.
        - name: p_time1
          overwrite: true
          type: keyword
        - name: tzone
          overwrite: true
          type: keyword
        - name: eventtime
          overwrite: true
          type: keyword
        - name: gmtdate
          overwrite: true
          type: keyword
        - name: gmttime
          overwrite: true
          type: keyword
        - name: p_date
          overwrite: true
          type: keyword
        - name: p_month
          overwrite: true
          type: keyword
        - name: p_time
          overwrite: true
          type: keyword
        - name: p_time2
          overwrite: true
          type: keyword
        - name: p_year
          overwrite: true
          type: keyword
        - name: expire_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
        - name: stamp
          overwrite: true
          type: date
          description: Deprecated key defined only in table map.
      - name: misc
        overwrite: true
        type: group
        fields:
        - name: action
          overwrite: true
          type: keyword
        - name: result
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result string value of an action in a session.
        - name: severity
          overwrite: true
          type: keyword
          description: This key is used to capture the severity given the session
        - name: event_type
          overwrite: true
          type: keyword
          description: This key captures the event category type as specified by the event source.
        - name: reference_id
          overwrite: true
          type: keyword
          description: This key is used to capture an event id from the session directly
        - name: version
          overwrite: true
          type: keyword
          description: This key captures Version of the application or OS which is generating the event.
        - name: disposition
          overwrite: true
          type: keyword
          description: This key captures the end state of an action.
        - name: result_code
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result numeric value of an action in a session
        - name: category
          overwrite: true
          type: keyword
          description: This key is used to capture the category of an event given by the vendor in the session
        - name: obj_name
          overwrite: true
          type: keyword
          description: This is used to capture name of object
        - name: obj_type
          overwrite: true
          type: keyword
          description: This is used to capture type of object
        - name: event_source
          overwrite: true
          type: keyword
          description: "This key captures Source of the event that\u2019s not a hostname"
        - name: log_session_id
          overwrite: true
          type: keyword
          description: This key is used to capture a sessionid from the session directly
        - name: group
          overwrite: true
          type: keyword
          description: This key captures the Group Name value
        - name: policy_name
          overwrite: true
          type: keyword
          description: This key is used to capture the Policy Name only.
        - name: rule_name
          overwrite: true
          type: keyword
          description: This key captures the Rule Name
        - name: context
          overwrite: true
          type: keyword
          description: This key captures Information which adds additional context to the event.
        - name: change_new
          overwrite: true
          type: keyword
          description: "This key is used to capture the new values of the attribute that\u2019s changing in a session"
        - name: space
          overwrite: true
          type: keyword
        - name: client
          overwrite: true
          type: keyword
          description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
        - name: msgIdPart1
          overwrite: true
          type: keyword
        - name: msgIdPart2
          overwrite: true
          type: keyword
        - name: change_old
          overwrite: true
          type: keyword
          description: "This key is used to capture the old value of the attribute that\u2019s changing in a session"
        - name: operation_id
          overwrite: true
          type: keyword
          description: An alert number or operation number. The values should be unique and non-repeating.
        - name: event_state
          overwrite: true
          type: keyword
          description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
        - name: group_object
          overwrite: true
          type: keyword
          description: This key captures a collection/grouping of entities. Specific usage
        - name: node
          overwrite: true
          type: keyword
          description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
        - name: rule
          overwrite: true
          type: keyword
          description: This key captures the Rule number
        - name: device_name
          overwrite: true
          type: keyword
          description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
        - name: param
          overwrite: true
          type: keyword
          description: This key is the parameters passed as part of a command or application, etc.
        - name: change_attrib
          overwrite: true
          type: keyword
          description: "This key is used to capture the name of the attribute that\u2019s changing in a session"
        - name: event_computer
          overwrite: true
          type: keyword
          description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
        - name: reference_id1
          overwrite: true
          type: keyword
          description: This key is for Linked ID to be used as an addition to "reference.id"
        - name: event_log
          overwrite: true
          type: keyword
          description: This key captures the Name of the event log
        - name: OS
          overwrite: true
          type: keyword
          description: This key captures the Name of the Operating System
        - name: terminal
          overwrite: true
          type: keyword
          description: This key captures the Terminal Names only
        - name: msgIdPart3
          overwrite: true
          type: keyword
        - name: filter
          overwrite: true
          type: keyword
          description: This key captures Filter used to reduce result set
        - name: serial_number
          overwrite: true
          type: keyword
          description: This key is the Serial number associated with a physical asset.
        - name: checksum
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
        - name: event_user
          overwrite: true
          type: keyword
          description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
        - name: virusname
          overwrite: true
          type: keyword
          description: This key captures the name of the virus
        - name: content_type
          overwrite: true
          type: keyword
          description: This key is used to capture Content Type only.
        - name: group_id
          overwrite: true
          type: keyword
          description: This key captures Group ID Number (related to the group name)
        - name: policy_id
          overwrite: true
          type: keyword
          description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
        - name: vsys
          overwrite: true
          type: keyword
          description: This key captures Virtual System Name
        - name: connection_id
          overwrite: true
          type: keyword
          description: This key captures the Connection ID
        - name: reference_id2
          overwrite: true
          type: keyword
          description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
        - name: sensor
          overwrite: true
          type: keyword
          description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
        - name: sig_id
          overwrite: true
          type: long
          description: This key captures IDS/IPS Int Signature ID
        - name: port_name
          overwrite: true
          type: keyword
          description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
        - name: rule_group
          overwrite: true
          type: keyword
          description: This key captures the Rule group name
        - name: risk_num
          overwrite: true
          type: double
          description: This key captures a Numeric Risk value
        - name: trigger_val
          overwrite: true
          type: keyword
          description: This key captures the Value of the trigger or threshold condition.
        - name: log_session_id1
          overwrite: true
          type: keyword
          description: This key is used to capture a Linked (Related) Session ID from the session directly
        - name: comp_version
          overwrite: true
          type: keyword
          description: This key captures the Version level of a sub-component of a product.
        - name: content_version
          overwrite: true
          type: keyword
          description: This key captures Version level of a signature or database content.
        - name: hardware_id
          overwrite: true
          type: keyword
          description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
        - name: risk
          overwrite: true
          type: keyword
          description: This key captures the non-numeric risk value
        - name: event_id
          overwrite: true
          type: keyword
        - name: reason
          overwrite: true
          type: keyword
        - name: status
          overwrite: true
          type: keyword
        - name: mail_id
          overwrite: true
          type: keyword
          description: This key is used to capture the mailbox id/name
        - name: rule_uid
          overwrite: true
          type: keyword
          description: This key is the Unique Identifier for a rule.
        - name: trigger_desc
          overwrite: true
          type: keyword
          description: This key captures the Description of the trigger or threshold condition.
        - name: inout
          overwrite: true
          type: keyword
        - name: p_msgid
          overwrite: true
          type: keyword
        - name: data_type
          overwrite: true
          type: keyword
        - name: msgIdPart4
          overwrite: true
          type: keyword
        - name: error
          overwrite: true
          type: keyword
          description: This key captures All non successful Error codes or responses
        - name: index
          overwrite: true
          type: keyword
        - name: listnum
          overwrite: true
          type: keyword
          description: This key is used to capture listname or listnumber, primarily for collecting access-list
        - name: ntype
          overwrite: true
          type: keyword
        - name: observed_val
          overwrite: true
          type: keyword
          description: This key captures the Value observed (from the perspective of the device generating the log).
        - name: policy_value
          overwrite: true
          type: keyword
          description: This key captures the contents of the policy. This contains details about the policy
        - name: pool_name
          overwrite: true
          type: keyword
          description: This key captures the name of a resource pool
        - name: rule_template
          overwrite: true
          type: keyword
          description: A default set of parameters which are overlayed onto a rule (or rulename) which effectively constitutes a template
        - name: count
          overwrite: true
          type: keyword
        - name: number
          overwrite: true
          type: keyword
        - name: sigcat
          overwrite: true
          type: keyword
        - name: type
          overwrite: true
          type: keyword
        - name: comments
          overwrite: true
          type: keyword
          description: Comment information provided in the log message
        - name: doc_number
          overwrite: true
          type: long
          description: This key captures File Identification number
        - name: expected_val
          overwrite: true
          type: keyword
          description: This key captures the Value expected (from the perspective of the device generating the log).
        - name: job_num
          overwrite: true
          type: keyword
          description: This key captures the Job Number
        - name: spi_dst
          overwrite: true
          type: keyword
          description: Destination SPI Index
        - name: spi_src
          overwrite: true
          type: keyword
          description: Source SPI Index
        - name: code
          overwrite: true
          type: keyword
        - name: agent_id
          overwrite: true
          type: keyword
          description: This key is used to capture agent id
        - name: message_body
          overwrite: true
          type: keyword
          description: This key captures the contents of the message body.
        - name: phone
          overwrite: true
          type: keyword
        - name: sig_id_str
          overwrite: true
          type: keyword
          description: This key captures a string object of the sigid variable.
        - name: cmd
          overwrite: true
          type: keyword
        - name: misc
          overwrite: true
          type: keyword
        - name: name
          overwrite: true
          type: keyword
        - name: cpu
          overwrite: true
          type: long
          description: This key is the CPU time used in the execution of the event being recorded.
        - name: event_desc
          overwrite: true
          type: keyword
          description: This key is used to capture a description of an event available directly or inferred
        - name: sig_id1
          overwrite: true
          type: long
          description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
        - name: im_buddyid
          overwrite: true
          type: keyword
        - name: im_client
          overwrite: true
          type: keyword
        - name: im_userid
          overwrite: true
          type: keyword
        - name: pid
          overwrite: true
          type: keyword
        - name: priority
          overwrite: true
          type: keyword
        - name: context_subject
          overwrite: true
          type: keyword
          description: This key is to be used in an audit context where the subject is the object being identified
        - name: context_target
          overwrite: true
          type: keyword
        - name: cve
          overwrite: true
          type: keyword
          description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
        - name: fcatnum
          overwrite: true
          type: keyword
          description: This key captures Filter Category Number. Legacy Usage
        - name: library
          overwrite: true
          type: keyword
          description: This key is used to capture library information in mainframe devices
        - name: parent_node
          overwrite: true
          type: keyword
          description: This key captures the Parent Node Name. Must be related to node variable.
        - name: risk_info
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: tcp_flags
          overwrite: true
          type: long
          description: This key captures the TCP flags set in any packet of session
        - name: tos
          overwrite: true
          type: long
          description: This key describes the type of service
        - name: vm_target
          overwrite: true
          type: keyword
          description: VMWare Target **VMWARE** only variable.
        - name: workspace
          overwrite: true
          type: keyword
          description: This key captures Workspace Description
        - name: command
          overwrite: true
          type: keyword
        - name: event_category
          overwrite: true
          type: keyword
        - name: facilityname
          overwrite: true
          type: keyword
        - name: forensic_info
          overwrite: true
          type: keyword
        - name: jobname
          overwrite: true
          type: keyword
        - name: mode
          overwrite: true
          type: keyword
        - name: policy
          overwrite: true
          type: keyword
        - name: policy_waiver
          overwrite: true
          type: keyword
        - name: second
          overwrite: true
          type: keyword
        - name: space1
          overwrite: true
          type: keyword
        - name: subcategory
          overwrite: true
          type: keyword
        - name: tbdstr2
          overwrite: true
          type: keyword
        - name: alert_id
          overwrite: true
          type: keyword
          description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: checksum_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the target entity such as a process or file.
        - name: checksum_src
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the source entity such as a file or process.
        - name: fresult
          overwrite: true
          type: long
          description: This key captures the Filter Result
        - name: payload_dst
          overwrite: true
          type: keyword
          description: This key is used to capture destination payload
        - name: payload_src
          overwrite: true
          type: keyword
          description: This key is used to capture source payload
        - name: pool_id
          overwrite: true
          type: keyword
          description: This key captures the identifier (typically numeric field) of a resource pool
        - name: process_id_val
          overwrite: true
          type: keyword
          description: This key is a failure key for Process ID when it is not an integer value
        - name: risk_num_comm
          overwrite: true
          type: double
          description: This key captures Risk Number Community
        - name: risk_num_next
          overwrite: true
          type: double
          description: This key captures Risk Number NextGen
        - name: risk_num_sand
          overwrite: true
          type: double
          description: This key captures Risk Number SandBox
        - name: risk_num_static
          overwrite: true
          type: double
          description: This key captures Risk Number Static
        - name: risk_suspicious
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: risk_warning
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: snmp_oid
          overwrite: true
          type: keyword
          description: SNMP Object Identifier
        - name: sql
          overwrite: true
          type: keyword
          description: This key captures the SQL query
        - name: vuln_ref
          overwrite: true
          type: keyword
          description: This key captures the Vulnerability Reference details
        - name: acl_id
          overwrite: true
          type: keyword
        - name: acl_op
          overwrite: true
          type: keyword
        - name: acl_pos
          overwrite: true
          type: keyword
        - name: acl_table
          overwrite: true
          type: keyword
        - name: admin
          overwrite: true
          type: keyword
        - name: alarm_id
          overwrite: true
          type: keyword
        - name: alarmname
          overwrite: true
          type: keyword
        - name: app_id
          overwrite: true
          type: keyword
        - name: audit
          overwrite: true
          type: keyword
        - name: audit_object
          overwrite: true
          type: keyword
        - name: auditdata
          overwrite: true
          type: keyword
        - name: benchmark
          overwrite: true
          type: keyword
        - name: bypass
          overwrite: true
          type: keyword
        - name: cache
          overwrite: true
          type: keyword
        - name: cache_hit
          overwrite: true
          type: keyword
        - name: cefversion
          overwrite: true
          type: keyword
        - name: cfg_attr
          overwrite: true
          type: keyword
        - name: cfg_obj
          overwrite: true
          type: keyword
        - name: cfg_path
          overwrite: true
          type: keyword
        - name: changes
          overwrite: true
          type: keyword
        - name: client_ip
          overwrite: true
          type: keyword
        - name: clustermembers
          overwrite: true
          type: keyword
        - name: cn_acttimeout
          overwrite: true
          type: keyword
        - name: cn_asn_src
          overwrite: true
          type: keyword
        - name: cn_bgpv4nxthop
          overwrite: true
          type: keyword
        - name: cn_ctr_dst_code
          overwrite: true
          type: keyword
        - name: cn_dst_tos
          overwrite: true
          type: keyword
        - name: cn_dst_vlan
          overwrite: true
          type: keyword
        - name: cn_engine_id
          overwrite: true
          type: keyword
        - name: cn_engine_type
          overwrite: true
          type: keyword
        - name: cn_f_switch
          overwrite: true
          type: keyword
        - name: cn_flowsampid
          overwrite: true
          type: keyword
        - name: cn_flowsampintv
          overwrite: true
          type: keyword
        - name: cn_flowsampmode
          overwrite: true
          type: keyword
        - name: cn_inacttimeout
          overwrite: true
          type: keyword
        - name: cn_inpermbyts
          overwrite: true
          type: keyword
        - name: cn_inpermpckts
          overwrite: true
          type: keyword
        - name: cn_invalid
          overwrite: true
          type: keyword
        - name: cn_ip_proto_ver
          overwrite: true
          type: keyword
        - name: cn_ipv4_ident
          overwrite: true
          type: keyword
        - name: cn_l_switch
          overwrite: true
          type: keyword
        - name: cn_log_did
          overwrite: true
          type: keyword
        - name: cn_log_rid
          overwrite: true
          type: keyword
        - name: cn_max_ttl
          overwrite: true
          type: keyword
        - name: cn_maxpcktlen
          overwrite: true
          type: keyword
        - name: cn_min_ttl
          overwrite: true
          type: keyword
        - name: cn_minpcktlen
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_1
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_10
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_2
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_3
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_4
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_5
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_6
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_7
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_8
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_9
          overwrite: true
          type: keyword
        - name: cn_mplstoplabel
          overwrite: true
          type: keyword
        - name: cn_mplstoplabip
          overwrite: true
          type: keyword
        - name: cn_mul_dst_byt
          overwrite: true
          type: keyword
        - name: cn_mul_dst_pks
          overwrite: true
          type: keyword
        - name: cn_muligmptype
          overwrite: true
          type: keyword
        - name: cn_sampalgo
          overwrite: true
          type: keyword
        - name: cn_sampint
          overwrite: true
          type: keyword
        - name: cn_seqctr
          overwrite: true
          type: keyword
        - name: cn_spackets
          overwrite: true
          type: keyword
        - name: cn_src_tos
          overwrite: true
          type: keyword
        - name: cn_src_vlan
          overwrite: true
          type: keyword
        - name: cn_sysuptime
          overwrite: true
          type: keyword
        - name: cn_template_id
          overwrite: true
          type: keyword
        - name: cn_totbytsexp
          overwrite: true
          type: keyword
        - name: cn_totflowexp
          overwrite: true
          type: keyword
        - name: cn_totpcktsexp
          overwrite: true
          type: keyword
        - name: cn_unixnanosecs
          overwrite: true
          type: keyword
        - name: cn_v6flowlabel
          overwrite: true
          type: keyword
        - name: cn_v6optheaders
          overwrite: true
          type: keyword
        - name: comp_class
          overwrite: true
          type: keyword
        - name: comp_name
          overwrite: true
          type: keyword
        - name: comp_rbytes
          overwrite: true
          type: keyword
        - name: comp_sbytes
          overwrite: true
          type: keyword
        - name: cpu_data
          overwrite: true
          type: keyword
        - name: criticality
          overwrite: true
          type: keyword
        - name: cs_agency_dst
          overwrite: true
          type: keyword
        - name: cs_analyzedby
          overwrite: true
          type: keyword
        - name: cs_av_other
          overwrite: true
          type: keyword
        - name: cs_av_primary
          overwrite: true
          type: keyword
        - name: cs_av_secondary
          overwrite: true
          type: keyword
        - name: cs_bgpv6nxthop
          overwrite: true
          type: keyword
        - name: cs_bit9status
          overwrite: true
          type: keyword
        - name: cs_context
          overwrite: true
          type: keyword
        - name: cs_control
          overwrite: true
          type: keyword
        - name: cs_data
          overwrite: true
          type: keyword
        - name: cs_datecret
          overwrite: true
          type: keyword
        - name: cs_dst_tld
          overwrite: true
          type: keyword
        - name: cs_eth_dst_ven
          overwrite: true
          type: keyword
        - name: cs_eth_src_ven
          overwrite: true
          type: keyword
        - name: cs_event_uuid
          overwrite: true
          type: keyword
        - name: cs_filetype
          overwrite: true
          type: keyword
        - name: cs_fld
          overwrite: true
          type: keyword
        - name: cs_if_desc
          overwrite: true
          type: keyword
        - name: cs_if_name
          overwrite: true
          type: keyword
        - name: cs_ip_next_hop
          overwrite: true
          type: keyword
        - name: cs_ipv4dstpre
          overwrite: true
          type: keyword
        - name: cs_ipv4srcpre
          overwrite: true
          type: keyword
        - name: cs_lifetime
          overwrite: true
          type: keyword
        - name: cs_log_medium
          overwrite: true
          type: keyword
        - name: cs_loginname
          overwrite: true
          type: keyword
        - name: cs_modulescore
          overwrite: true
          type: keyword
        - name: cs_modulesign
          overwrite: true
          type: keyword
        - name: cs_opswatresult
          overwrite: true
          type: keyword
        - name: cs_payload
          overwrite: true
          type: keyword
        - name: cs_registrant
          overwrite: true
          type: keyword
        - name: cs_registrar
          overwrite: true
          type: keyword
        - name: cs_represult
          overwrite: true
          type: keyword
        - name: cs_rpayload
          overwrite: true
          type: keyword
        - name: cs_sampler_name
          overwrite: true
          type: keyword
        - name: cs_sourcemodule
          overwrite: true
          type: keyword
        - name: cs_streams
          overwrite: true
          type: keyword
        - name: cs_targetmodule
          overwrite: true
          type: keyword
        - name: cs_v6nxthop
          overwrite: true
          type: keyword
        - name: cs_whois_server
          overwrite: true
          type: keyword
        - name: cs_yararesult
          overwrite: true
          type: keyword
        - name: description
          overwrite: true
          type: keyword
        - name: devvendor
          overwrite: true
          type: keyword
        - name: distance
          overwrite: true
          type: keyword
        - name: dstburb
          overwrite: true
          type: keyword
        - name: edomain
          overwrite: true
          type: keyword
        - name: edomaub
          overwrite: true
          type: keyword
        - name: euid
          overwrite: true
          type: keyword
        - name: facility
          overwrite: true
          type: keyword
        - name: finterface
          overwrite: true
          type: keyword
        - name: flags
          overwrite: true
          type: keyword
        - name: gaddr
          overwrite: true
          type: keyword
        - name: id3
          overwrite: true
          type: keyword
        - name: im_buddyname
          overwrite: true
          type: keyword
        - name: im_croomid
          overwrite: true
          type: keyword
        - name: im_croomtype
          overwrite: true
          type: keyword
        - name: im_members
          overwrite: true
          type: keyword
        - name: im_username
          overwrite: true
          type: keyword
        - name: ipkt
          overwrite: true
          type: keyword
        - name: ipscat
          overwrite: true
          type: keyword
        - name: ipspri
          overwrite: true
          type: keyword
        - name: latitude
          overwrite: true
          type: keyword
        - name: linenum
          overwrite: true
          type: keyword
        - name: list_name
          overwrite: true
          type: keyword
        - name: load_data
          overwrite: true
          type: keyword
        - name: location_floor
          overwrite: true
          type: keyword
        - name: location_mark
          overwrite: true
          type: keyword
        - name: log_id
          overwrite: true
          type: keyword
        - name: log_type
          overwrite: true
          type: keyword
        - name: logid
          overwrite: true
          type: keyword
        - name: logip
          overwrite: true
          type: keyword
        - name: logname
          overwrite: true
          type: keyword
        - name: longitude
          overwrite: true
          type: keyword
        - name: lport
          overwrite: true
          type: keyword
        - name: mbug_data
          overwrite: true
          type: keyword
        - name: misc_name
          overwrite: true
          type: keyword
        - name: msg_type
          overwrite: true
          type: keyword
        - name: msgid
          overwrite: true
          type: keyword
        - name: netsessid
          overwrite: true
          type: keyword
        - name: num
          overwrite: true
          type: keyword
        - name: number1
          overwrite: true
          type: keyword
        - name: number2
          overwrite: true
          type: keyword
        - name: nwwn
          overwrite: true
          type: keyword
        - name: object
          overwrite: true
          type: keyword
        - name: operation
          overwrite: true
          type: keyword
        - name: opkt
          overwrite: true
          type: keyword
        - name: orig_from
          overwrite: true
          type: keyword
        - name: owner_id
          overwrite: true
          type: keyword
        - name: p_action
          overwrite: true
          type: keyword
        - name: p_filter
          overwrite: true
          type: keyword
        - name: p_group_object
          overwrite: true
          type: keyword
        - name: p_id
          overwrite: true
          type: keyword
        - name: p_msgid1
          overwrite: true
          type: keyword
        - name: p_msgid2
          overwrite: true
          type: keyword
        - name: p_result1
          overwrite: true
          type: keyword
        - name: password_chg
          overwrite: true
          type: keyword
        - name: password_expire
          overwrite: true
          type: keyword
        - name: permgranted
          overwrite: true
          type: keyword
        - name: permwanted
          overwrite: true
          type: keyword
        - name: pgid
          overwrite: true
          type: keyword
        - name: policyUUID
          overwrite: true
          type: keyword
        - name: prog_asp_num
          overwrite: true
          type: keyword
        - name: program
          overwrite: true
          type: keyword
        - name: real_data
          overwrite: true
          type: keyword
        - name: rec_asp_device
          overwrite: true
          type: keyword
        - name: rec_asp_num
          overwrite: true
          type: keyword
        - name: rec_library
          overwrite: true
          type: keyword
        - name: recordnum
          overwrite: true
          type: keyword
        - name: ruid
          overwrite: true
          type: keyword
        - name: sburb
          overwrite: true
          type: keyword
        - name: sdomain_fld
          overwrite: true
          type: keyword
        - name: sec
          overwrite: true
          type: keyword
        - name: sensorname
          overwrite: true
          type: keyword
        - name: seqnum
          overwrite: true
          type: keyword
        - name: session
          overwrite: true
          type: keyword
        - name: sessiontype
          overwrite: true
          type: keyword
        - name: sigUUID
          overwrite: true
          type: keyword
        - name: spi
          overwrite: true
          type: keyword
        - name: srcburb
          overwrite: true
          type: keyword
        - name: srcdom
          overwrite: true
          type: keyword
        - name: srcservice
          overwrite: true
          type: keyword
        - name: state
          overwrite: true
          type: keyword
        - name: status1
          overwrite: true
          type: keyword
        - name: svcno
          overwrite: true
          type: keyword
        - name: system
          overwrite: true
          type: keyword
        - name: tbdstr1
          overwrite: true
          type: keyword
        - name: tgtdom
          overwrite: true
          type: keyword
        - name: tgtdomain
          overwrite: true
          type: keyword
        - name: threshold
          overwrite: true
          type: keyword
        - name: type1
          overwrite: true
          type: keyword
        - name: udb_class
          overwrite: true
          type: keyword
        - name: url_fld
          overwrite: true
          type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture the Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of a regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for the regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures the source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures the number of streams in a session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures the IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures the permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing the source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet Type, Used for Layer 3 Protocols Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual LAN
        - name: investigations
          overwrite: true
          type: group
          fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviours of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures an indicator of compromise
        - name: counters
          overwrite: true
          type: group
          fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r3 only
        - name: identity
          overwrite: true
          type: group
          fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture the authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture the actual privileges used in accessing an object
            - name: realm
              overwrite: true
              type: keyword
              description: RADIUS realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures the Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures the Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
        - name: email
          overwrite: true
          type: group
          fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only, when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
        - name: file
          overwrite: true
          type: group
          fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent filename, the file which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file as located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
        - name: web
          overwrite: true
          type: group
          fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures the Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures the Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
        - name: threat
          overwrite: true
          type: group
          fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures the Threat Name/Threat Category/Categorization of an alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
        - name: crypto
          overwrite: true
          type: group
          fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for the Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for the Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures the Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for the Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for the Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures the Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures the Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP Maxmind database.
        - name: healthcare
          overwrite: true
          type: group
          fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
        - name: endpoint
          overwrite: true
          type: group
          fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: iptables
  title: iptables
  description: >
    Module for handling the iptables logs.
  fields:
    - name: iptables
      type: group
      description: >
        Fields from the iptables logs.
      fields:
        - name: ether_type
          type: long
          description: >
            Value of the Ethernet type field identifying the network layer protocol.
        - name: flow_label
          type: integer
          description: >
            IPv6 flow label.
        - name: fragment_flags
          type: keyword
          description: >
            IP fragment flags. A combination of CE, DF and MF.
        - name: fragment_offset
          type: long
          description: >
            Offset of the current IP fragment.
        - name: icmp
          type: group
          description: >
            ICMP fields.
          fields:
            - name: code
              type: long
              description: >
                ICMP code.
            - name: id
              type: long
              description: >
                ICMP ID.
            - name: parameter
              type: long
              description: >
                ICMP parameter.
            - name: redirect
              type: ip
              description: >
                ICMP redirect address.
            - name: seq
              type: long
              description: >
                ICMP sequence number.
            - name: type
              type: long
              description: >
                ICMP type.
        - name: id
          type: long
          description: >
            Packet identifier.
        - name: incomplete_bytes
          type: long
          description: >
            Number of incomplete bytes.
        - name: input_device
          type: keyword
          description: >
            Device that received the packet.
        - name: precedence_bits
          type: short
          description: >
            IP precedence bits.
        - name: tos
          type: long
          description: >
            IP Type of Service field.
        - name: length
          type: long
          description: >
            Packet length.
        - name: output_device
          type: keyword
          description: >
            Device that output the packet.
        - name: tcp
          type: group
          description: >
            TCP fields.
          fields:
            - name: flags
              type: keyword
              description: >
                TCP flags.
            - name: reserved_bits
              type: short
              description: >
                TCP reserved bits.
            - name: seq
              type: long
              description: >
                TCP sequence number.
            - name: ack
              type: long
              description: >
                TCP Acknowledgment number.
            - name: window
              type: long
              description: >
                Advertised TCP window size.
        - name: ttl
          type: integer
          description: >
            Time To Live field.
        - name: udp
          type: group
          description: >
            UDP fields.
          fields:
            - name: length
              type: long
              description: >
                Length of the UDP header and payload.
        - name: ubiquiti
          type: group
          description: >
            Fields for Ubiquiti network devices.
          fields:
            - name: input_zone
              type: keyword
              description: >
                Input zone.
            - name: output_zone
              type: keyword
              description: >
                Output zone.
            - name: rule_number
              type: keyword
              description: The rule number within the rule set.
            - name: rule_set
              type: keyword
              description: The rule set name.
- key: juniper
  title: Juniper JUNOS
  description: >
    juniper fields.
  fields:
    - name: network.interface.name
      overwrite: true
      type: keyword
      default_field: false
      description: >
        Name of the network interface where the traffic has been observed.
    - name: rsa
      overwrite: true
      type: group
      default_field: false
      fields:
        - name: internal
          overwrite: true
          type: group
          fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPv4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPv6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte (request side) is simply which byte value (0 through 255) was seen the most on that side - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte (response side) is simply which byte value (0 through 255) was seen the most on that side - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify whether it is a log/packet session or the Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
- name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that the event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by the NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 through 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 through 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds.
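The Entropy Parser keys defined above (entropy_req/res, ubc_req/res, mcb_req/res, mcbc_req/res, payload_req/res) are only described on this page, not computed. The following Python is an added example, not code from this fields file, from Filebeat or from NetWitness; it computes those metrics for both sides of a constructed session so that the key semantics can be checked (ubc of 256 means every byte value was seen; mcb and mcbc are the most frequent byte value and how often it occurred; payload is the side's size at parse time). Assumptions not on the page: the two sample payloads are constructed, entropy_* is taken to be Shannon entropy in bits per byte (the page only says the meta type may be UInt16 or Float32 depending on configuration), and an empty stream reports 0 for mcb and mcbc.

```python
"""Entropy Parser style per-side session metrics (added example)."""
import math
from collections import Counter

# Constructed sample payloads for one session, not captured traffic.
REQ_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.internal\r\n\r\n"
RES_PAYLOAD = bytes(range(256)) * 4   # every byte value appears 4 times


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty stream (assumption)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def side_metrics(data: bytes) -> dict:
    """Metrics for one side of a session, keyed by the parser's base names."""
    counts = Counter(data)
    if counts:
        # most_common() breaks ties by first occurrence, so the result is stable
        mcb, mcbc = counts.most_common(1)[0]
    else:
        mcb, mcbc = 0, 0   # assumption: empty stream reports 0/0
    return {
        "entropy": round(shannon_entropy(data), 4),
        "ubc": len(counts),       # 256 means all values 0..255 were seen at least once
        "mcb": mcb,               # which byte value (0..255) was seen the most
        "mcbc": mcbc,             # how many times that byte value was seen
        "payload": len(data),     # payload size of this side at time of parsing
    }


def session_metrics(req: bytes, res: bytes) -> dict:
    """Flatten both sides into <name>_req / <name>_res keys as in the table map."""
    out = {}
    for suffix, data in (("req", req), ("res", res)):
        for key, value in side_metrics(data).items():
            out[f"{key}_{suffix}"] = value
    return out


if __name__ == "__main__":
    for key, value in session_metrics(REQ_PAYLOAD, RES_PAYLOAD).items():
        print(f"{key:12} {value}")
```

The response side is built so that ubc_res is 256 and entropy_res is exactly 8.0 (the maximum for a byte stream), which is the signature a hunter looks for in encrypted or compressed payloads; the text-like request side lands well below that, with "e" as its most common byte.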
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given to the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures the Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action.
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture the name of an object - name: obj_type overwrite: true type: keyword description: This is used to capture the type of an object - name: event_source overwrite: true type: keyword description: This key captures the source of the event when it is not a hostname - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: This key is used to capture the new value of the attribute that is changing in a session - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: This key is used to capture the old value of the attribute that is changing in a session - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event, describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture the name of the Device associated with the node, like a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: This key is used to capture the name of the attribute that is changing in a session - name: event_computer overwrite: true type: keyword description: This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) and which effectively constitute a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures the File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture the agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded.
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures a CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability. - name: fcatnum overwrite: true type: keyword description: This key captures the Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to the node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMware Target. **VMware** only variable.
- name: workspace overwrite: true type: keyword description: This key captures the Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical reads - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64; a TCP/UDP port only needs UInt16, so values outside 0-65535 indicate a parsing error rather than a real port.' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IP mask.
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destination Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the IP protocol number; protocol numbers are converted to their string names in the UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name:
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture Behaviours of Compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture the investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture the investigation context - name: ioc overwrite: true type: keyword description: This key captures Indicators of Compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. LDAP values that don\u2019t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key captures the results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as, or the author of the task - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the company name of the file as recorded in version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel number - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GeoIP MaxMind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GeoIP MaxMind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - name: juniper.srx type: group release: beta default_field: false overwrite: true description: > Module for parsing junipersrx syslog. 
fields: - name: reason type: keyword description: > reason - name: connection_tag type: keyword description: > connection tag - name: service_name type: keyword description: > service name - name: nat_connection_tag type: keyword description: > nat connection tag - name: src_nat_rule_type type: keyword description: > src nat rule type - name: src_nat_rule_name type: keyword description: > src nat rule name - name: dst_nat_rule_type type: keyword description: > dst nat rule type - name: dst_nat_rule_name type: keyword description: > dst nat rule name - name: protocol_id type: keyword description: > protocol id - name: policy_name type: keyword description: > policy name - name: session_id_32 type: keyword description: > session id 32 - name: session_id type: keyword description: > session id - name: outbound_packets type: integer description: > packets from client - name: outbound_bytes type: integer description: > bytes from client - name: inbound_packets type: integer description: > packets from server - name: inbound_bytes type: integer description: > bytes from server - name: elapsed_time type: date description: > elapsed time - name: application type: keyword description: > application - name: nested_application type: keyword description: > nested application - name: username type: keyword description: > username - name: roles type: keyword description: > roles - name: encrypted type: keyword description: > encrypted - name: application_category type: keyword description: > application category - name: application_sub_category type: keyword description: > application sub category - name: application_characteristics type: keyword description: > application characteristics - name: secure_web_proxy_session_type type: keyword description: > secure web proxy session type - name: peer_session_id type: keyword description: > peer session id - name: peer_source_address type: ip description: > peer source address - name: peer_source_port type: integer description: > 
peer source port - name: peer_destination_address type: ip description: > peer destination address - name: peer_destination_port type: integer description: > peer destination port - name: hostname type: keyword description: > hostname - name: src_vrf_grp type: keyword description: > src_vrf_grp - name: dst_vrf_grp type: keyword description: > dst_vrf_grp - name: icmp_type type: integer description: > icmp type - name: process type: keyword description: > process that generated the message - name: apbr_rule_type type: keyword description: > apbr rule type - name: dscp_value type: integer description: > dscp value - name: logical_system_name type: keyword description: > logical system name - name: profile_name type: keyword description: > profile name - name: routing_instance type: keyword description: > routing instance - name: rule_name type: keyword description: > rule name - name: uplink_tx_bytes type: integer description: > uplink tx bytes - name: uplink_rx_bytes type: integer description: > uplink rx bytes - name: obj type: keyword description: > url path - name: url type: keyword description: > url domain - name: profile type: keyword description: > filter profile - name: category type: keyword description: > filter category - name: filename type: keyword description: > filename - name: temporary_filename type: keyword description: > temporary_filename - name: name type: keyword description: > name - name: error_message type: keyword description: > error_message - name: error_code type: keyword description: > error_code - name: action type: keyword description: > action - name: protocol type: keyword description: > protocol - name: protocol_name type: keyword description: > protocol name - name: repeat_count type: integer description: > repeat count - name: alert type: keyword description: > alert - name: message_type type: keyword description: > message type - name: threat_severity type: keyword
description: > threat severity - name: application_name type: keyword description: > application name - name: attack_name type: keyword description: > attack name - name: index type: keyword description: > index - name: message type: keyword description: > message - name: epoch_time type: date description: > epoch time - name: packet_log_id type: integer description: > packet log id - name: export_id type: integer description: > export id - name: ddos_application_name type: keyword description: > ddos application name - name: connection_hit_rate type: integer description: > connection hit rate - name: time_scope type: keyword description: > time scope - name: context_hit_rate type: integer description: > context hit rate - name: context_value_hit_rate type: integer description: > context value hit rate - name: time_count type: integer description: > time count - name: time_period type: integer description: > time period - name: context_value type: keyword description: > context value - name: context_name type: keyword description: > context name - name: ruleebase_name type: keyword description: > rulebase name - name: verdict_source type: keyword description: > verdict source - name: verdict_number type: integer description: > verdict number - name: file_category type: keyword description: > file category - name: sample_sha256 type: keyword description: > sample sha256 - name: malware_info type: keyword description: > malware info - name: client_ip type: ip description: > client ip - name: tenant_id type: keyword description: > tenant id - name: timestamp type: date description: > timestamp - name: th type: keyword description: > th - name: status type: keyword description: > status - name: state type: keyword description: > state - name: file_hash_lookup type: keyword description: > file hash lookup - name: file_name type: keyword description: > file name - name: action_detail type: keyword description: > action detail - name: sub_category type: keyword
description: > sub category - name: feed_name type: keyword description: > feed name - name: occur_count type: integer description: > occur count - name: tag type: keyword description: > system log message tag, which uniquely identifies the message. - key: microsoft title: Microsoft description: > Microsoft Module fields: - name: microsoft.defender_atp type: group release: beta default_field: false description: > Module for ingesting Microsoft Defender ATP. fields: - name: lastUpdateTime type: date description: > The date and time (in UTC) the alert was last updated. - name: resolvedTime type: date description: > The date and time in which the status of the alert was changed to 'Resolved'. - name: incidentId type: keyword description: > The Incident ID of the Alert. - name: investigationId type: keyword description: > The Investigation ID related to the Alert. - name: investigationState type: keyword description: > The current state of the Investigation. - name: assignedTo type: keyword description: > Owner of the alert. - name: status type: keyword description: > Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. - name: classification type: keyword description: > Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. - name: determination type: keyword description: > Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. - name: threatFamilyName type: keyword description: > Threat family. 
- name: rbacGroupName type: keyword description: > User group related to the alert - name: evidence.domainName type: keyword description: > Domain name related to the alert - name: evidence.ipAddress type: ip description: > IP address involved in the alert - name: evidence.aadUserId type: keyword description: > ID of the user involved in the alert - name: evidence.accountName type: keyword description: > Username of the user involved in the alert - name: evidence.entityType type: keyword description: > The type of evidence - name: evidence.userPrincipalName type: keyword description: > Principal name of the user involved in the alert - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only variable. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
    - name: fresult
      overwrite: true
      type: long
      description: This key captures the Filter Result
    - name: payload_dst
      overwrite: true
      type: keyword
      description: This key is used to capture destination payload
    - name: payload_src
      overwrite: true
      type: keyword
      description: This key is used to capture source payload
    - name: pool_id
      overwrite: true
      type: keyword
      description: This key captures the identifier (typically numeric field) of a resource pool
    - name: process_id_val
      overwrite: true
      type: keyword
      description: This key is a failure key for Process ID when it is not an integer value
    - name: risk_num_comm
      overwrite: true
      type: double
      description: This key captures Risk Number Community
    - name: risk_num_next
      overwrite: true
      type: double
      description: This key captures Risk Number NextGen
    - name: risk_num_sand
      overwrite: true
      type: double
      description: This key captures Risk Number SandBox
    - name: risk_num_static
      overwrite: true
      type: double
      description: This key captures Risk Number Static
    - name: risk_suspicious
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: risk_warning
      overwrite: true
      type: keyword
      description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
    - name: snmp_oid
      overwrite: true
      type: keyword
      description: SNMP Object Identifier
    - name: sql
      overwrite: true
      type: keyword
      description: This key captures the SQL query
    - name: vuln_ref
      overwrite: true
      type: keyword
      description: This key captures the Vulnerability Reference details
    - name: acl_id
      overwrite: true
      type: keyword
    - name: acl_op
      overwrite: true
      type: keyword
    - name: acl_pos
      overwrite: true
      type: keyword
    - name: acl_table
      overwrite: true
      type: keyword
    - name: admin
      overwrite: true
      type: keyword
    - name: alarm_id
      overwrite: true
      type: keyword
    - name: alarmname
      overwrite: true
      type: keyword
    - name: app_id
      overwrite: true
      type: keyword
    - name: audit
      overwrite: true
      type: keyword
    - name: audit_object
      overwrite: true
      type: keyword
    - name: auditdata
      overwrite: true
      type: keyword
    - name: benchmark
      overwrite: true
      type: keyword
    - name: bypass
      overwrite: true
      type: keyword
    - name: cache
      overwrite: true
      type: keyword
    - name: cache_hit
      overwrite: true
      type: keyword
    - name: cefversion
      overwrite: true
      type: keyword
    - name: cfg_attr
      overwrite: true
      type: keyword
    - name: cfg_obj
      overwrite: true
      type: keyword
    - name: cfg_path
      overwrite: true
      type: keyword
    - name: changes
      overwrite: true
      type: keyword
    - name: client_ip
      overwrite: true
      type: keyword
    - name: clustermembers
      overwrite: true
      type: keyword
    - name: cn_acttimeout
      overwrite: true
      type: keyword
    - name: cn_asn_src
      overwrite: true
      type: keyword
    - name: cn_bgpv4nxthop
      overwrite: true
      type: keyword
    - name: cn_ctr_dst_code
      overwrite: true
      type: keyword
    - name: cn_dst_tos
      overwrite: true
      type: keyword
    - name: cn_dst_vlan
      overwrite: true
      type: keyword
    - name: cn_engine_id
      overwrite: true
      type: keyword
    - name: cn_engine_type
      overwrite: true
      type: keyword
    - name: cn_f_switch
      overwrite: true
      type: keyword
    - name: cn_flowsampid
      overwrite: true
      type: keyword
    - name: cn_flowsampintv
      overwrite: true
      type: keyword
    - name: cn_flowsampmode
      overwrite: true
      type: keyword
    - name: cn_inacttimeout
      overwrite: true
      type: keyword
    - name: cn_inpermbyts
      overwrite: true
      type: keyword
    - name: cn_inpermpckts
      overwrite: true
      type: keyword
    - name: cn_invalid
      overwrite: true
      type: keyword
    - name: cn_ip_proto_ver
      overwrite: true
      type: keyword
    - name: cn_ipv4_ident
      overwrite: true
      type: keyword
    - name: cn_l_switch
      overwrite: true
      type: keyword
    - name: cn_log_did
      overwrite: true
      type: keyword
    - name: cn_log_rid
      overwrite: true
      type: keyword
    - name: cn_max_ttl
      overwrite: true
      type: keyword
    - name: cn_maxpcktlen
      overwrite: true
      type: keyword
    - name: cn_min_ttl
      overwrite: true
      type: keyword
    - name: cn_minpcktlen
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_1
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_10
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_2
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_3
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_4
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_5
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_6
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_7
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_8
      overwrite: true
      type: keyword
    - name: cn_mpls_lbl_9
      overwrite: true
      type: keyword
    - name: cn_mplstoplabel
      overwrite: true
      type: keyword
    - name: cn_mplstoplabip
      overwrite: true
      type: keyword
    - name: cn_mul_dst_byt
      overwrite: true
      type: keyword
    - name: cn_mul_dst_pks
      overwrite: true
      type: keyword
    - name: cn_muligmptype
      overwrite: true
      type: keyword
    - name: cn_sampalgo
      overwrite: true
      type: keyword
    - name: cn_sampint
      overwrite: true
      type: keyword
    - name: cn_seqctr
      overwrite: true
      type: keyword
    - name: cn_spackets
      overwrite: true
      type: keyword
    - name: cn_src_tos
      overwrite: true
      type: keyword
    - name: cn_src_vlan
      overwrite: true
      type: keyword
    - name: cn_sysuptime
      overwrite: true
      type: keyword
    - name: cn_template_id
      overwrite: true
      type: keyword
    - name: cn_totbytsexp
      overwrite: true
      type: keyword
    - name: cn_totflowexp
      overwrite: true
      type: keyword
    - name: cn_totpcktsexp
      overwrite: true
      type: keyword
    - name: cn_unixnanosecs
      overwrite: true
      type: keyword
    - name: cn_v6flowlabel
      overwrite: true
      type: keyword
    - name: cn_v6optheaders
      overwrite: true
      type: keyword
    - name: comp_class
      overwrite: true
      type: keyword
    - name: comp_name
      overwrite: true
      type: keyword
    - name: comp_rbytes
      overwrite: true
      type: keyword
    - name: comp_sbytes
      overwrite: true
      type: keyword
    - name: cpu_data
      overwrite: true
      type: keyword
    - name: criticality
      overwrite: true
      type: keyword
    - name: cs_agency_dst
      overwrite: true
      type: keyword
    - name: cs_analyzedby
      overwrite: true
      type: keyword
    - name: cs_av_other
      overwrite: true
      type: keyword
    - name: cs_av_primary
      overwrite: true
      type: keyword
    - name: cs_av_secondary
      overwrite: true
      type: keyword
    - name: cs_bgpv6nxthop
      overwrite: true
      type: keyword
    - name: cs_bit9status
      overwrite: true
      type: keyword
    - name: cs_context
      overwrite: true
      type: keyword
    - name: cs_control
      overwrite: true
      type: keyword
    - name: cs_data
      overwrite: true
      type: keyword
    - name: cs_datecret
      overwrite: true
      type: keyword
    - name: cs_dst_tld
      overwrite: true
      type: keyword
    - name: cs_eth_dst_ven
      overwrite: true
      type: keyword
    - name: cs_eth_src_ven
      overwrite: true
      type: keyword
    - name: cs_event_uuid
      overwrite: true
      type: keyword
    - name: cs_filetype
      overwrite: true
      type: keyword
    - name: cs_fld
      overwrite: true
      type: keyword
    - name: cs_if_desc
      overwrite: true
      type: keyword
    - name: cs_if_name
      overwrite: true
      type: keyword
    - name: cs_ip_next_hop
      overwrite: true
      type: keyword
    - name: cs_ipv4dstpre
      overwrite: true
      type: keyword
    - name: cs_ipv4srcpre
      overwrite: true
      type: keyword
    - name: cs_lifetime
      overwrite: true
      type: keyword
    - name: cs_log_medium
      overwrite: true
      type: keyword
    - name: cs_loginname
      overwrite: true
      type: keyword
    - name: cs_modulescore
      overwrite: true
      type: keyword
    - name: cs_modulesign
      overwrite: true
      type: keyword
    - name: cs_opswatresult
      overwrite: true
      type: keyword
    - name: cs_payload
      overwrite: true
      type: keyword
    - name: cs_registrant
      overwrite: true
      type: keyword
    - name: cs_registrar
      overwrite: true
      type: keyword
    - name: cs_represult
      overwrite: true
      type: keyword
    - name: cs_rpayload
      overwrite: true
      type: keyword
    - name: cs_sampler_name
      overwrite: true
      type: keyword
    - name: cs_sourcemodule
      overwrite: true
      type: keyword
    - name: cs_streams
      overwrite: true
      type: keyword
    - name: cs_targetmodule
      overwrite: true
      type: keyword
    - name: cs_v6nxthop
      overwrite: true
      type: keyword
    - name: cs_whois_server
      overwrite: true
      type: keyword
    - name: cs_yararesult
      overwrite: true
      type: keyword
    - name: description
      overwrite: true
      type: keyword
    - name: devvendor
      overwrite: true
      type: keyword
    - name: distance
      overwrite: true
      type: keyword
    - name: dstburb
      overwrite: true
      type: keyword
    - name: edomain
      overwrite: true
      type: keyword
    - name: edomaub
      overwrite: true
      type: keyword
    - name: euid
      overwrite: true
      type: keyword
    - name: facility
      overwrite: true
      type: keyword
    - name: finterface
      overwrite: true
      type: keyword
    - name: flags
      overwrite: true
      type: keyword
    - name: gaddr
      overwrite: true
      type: keyword
    - name: id3
      overwrite: true
      type: keyword
    - name: im_buddyname
      overwrite: true
      type: keyword
    - name: im_croomid
      overwrite: true
      type: keyword
    - name: im_croomtype
      overwrite: true
      type: keyword
    - name: im_members
      overwrite: true
      type: keyword
    - name: im_username
      overwrite: true
      type: keyword
    - name: ipkt
      overwrite: true
      type: keyword
    - name: ipscat
      overwrite: true
      type: keyword
    - name: ipspri
      overwrite: true
      type: keyword
    - name: latitude
      overwrite: true
      type: keyword
    - name: linenum
      overwrite: true
      type: keyword
    - name: list_name
      overwrite: true
      type: keyword
    - name: load_data
      overwrite: true
      type: keyword
    - name: location_floor
      overwrite: true
      type: keyword
    - name: location_mark
      overwrite: true
      type: keyword
    - name: log_id
      overwrite: true
      type: keyword
    - name: log_type
      overwrite: true
      type: keyword
    - name: logid
      overwrite: true
      type: keyword
    - name: logip
      overwrite: true
      type: keyword
    - name: logname
      overwrite: true
      type: keyword
    - name: longitude
      overwrite: true
      type: keyword
    - name: lport
      overwrite: true
      type: keyword
    - name: mbug_data
      overwrite: true
      type: keyword
    - name: misc_name
      overwrite: true
      type: keyword
    - name: msg_type
      overwrite: true
      type: keyword
    - name: msgid
      overwrite: true
      type: keyword
    - name: netsessid
      overwrite: true
      type: keyword
    - name: num
      overwrite: true
      type: keyword
    - name: number1
      overwrite: true
      type: keyword
    - name: number2
      overwrite: true
      type: keyword
    - name: nwwn
      overwrite: true
      type: keyword
    - name: object
      overwrite: true
      type: keyword
    - name: operation
      overwrite: true
      type: keyword
    - name: opkt
      overwrite: true
      type: keyword
    - name: orig_from
      overwrite: true
      type: keyword
    - name: owner_id
      overwrite: true
      type: keyword
    - name: p_action
      overwrite: true
      type: keyword
    - name: p_filter
      overwrite: true
      type: keyword
    - name: p_group_object
      overwrite: true
      type: keyword
    - name: p_id
      overwrite: true
      type: keyword
    - name: p_msgid1
      overwrite: true
      type: keyword
    - name: p_msgid2
      overwrite: true
      type: keyword
    - name: p_result1
      overwrite: true
      type: keyword
    - name: password_chg
      overwrite: true
      type: keyword
    - name: password_expire
      overwrite: true
      type: keyword
    - name: permgranted
      overwrite: true
      type: keyword
    - name: permwanted
      overwrite: true
      type: keyword
    - name: pgid
      overwrite: true
      type: keyword
    - name: policyUUID
      overwrite: true
      type: keyword
    - name: prog_asp_num
      overwrite: true
      type: keyword
    - name: program
      overwrite: true
      type: keyword
    - name: real_data
      overwrite: true
      type: keyword
    - name: rec_asp_device
      overwrite: true
      type: keyword
    - name: rec_asp_num
      overwrite: true
      type: keyword
    - name: rec_library
      overwrite: true
      type: keyword
    - name: recordnum
      overwrite: true
      type: keyword
    - name: ruid
      overwrite: true
      type: keyword
    - name: sburb
      overwrite: true
      type: keyword
    - name: sdomain_fld
      overwrite: true
      type: keyword
    - name: sec
      overwrite: true
      type: keyword
    - name: sensorname
      overwrite: true
      type: keyword
    - name: seqnum
      overwrite: true
      type: keyword
    - name: session
      overwrite: true
      type: keyword
    - name: sessiontype
      overwrite: true
      type: keyword
    - name: sigUUID
      overwrite: true
      type: keyword
    - name: spi
      overwrite: true
      type: keyword
    - name: srcburb
      overwrite: true
      type: keyword
    - name: srcdom
      overwrite: true
      type: keyword
    - name: srcservice
      overwrite: true
      type: keyword
    - name: state
      overwrite: true
      type: keyword
    - name: status1
      overwrite: true
      type: keyword
    - name: svcno
      overwrite: true
      type: keyword
    - name: system
      overwrite: true
      type: keyword
    - name: tbdstr1
      overwrite: true
      type: keyword
    - name: tgtdom
      overwrite: true
      type: keyword
    - name: tgtdomain
      overwrite: true
      type: keyword
    - name: threshold
      overwrite: true
      type: keyword
    - name: type1
      overwrite: true
      type: keyword
    - name: udb_class
      overwrite: true
      type: keyword
    - name: url_fld
      overwrite: true
      type: keyword
    - name: user_div
      overwrite: true
      type: keyword
    - name: userid
      overwrite: true
      type: keyword
    - name: username_fld
      overwrite: true
      type: keyword
    - name: utcstamp
      overwrite: true
      type: keyword
    - name: v_instafname
      overwrite: true
      type: keyword
    - name: virt_data
      overwrite: true
      type: keyword
    - name: vpnid
      overwrite: true
      type: keyword
    - name: autorun_type
      overwrite: true
      type: keyword
      description: This is used to capture Auto Run type
    - name: cc_number
      overwrite: true
      type: long
      description: Valid Credit Card Numbers only
    - name: content
      overwrite: true
      type: keyword
      description: This key captures the content type from protocol headers
    - name: ein_number
      overwrite: true
      type: long
      description: Employee Identification Numbers only
    - name: found
      overwrite: true
      type: keyword
      description: This is used to capture the results of a regex match
    - name: language
      overwrite: true
      type: keyword
      description: This is used to capture the list of languages the client supports and which it prefers
    - name: lifetime
      overwrite: true
      type: long
      description: This key is used to capture the session lifetime in seconds.
    - name: link
      overwrite: true
      type: keyword
      description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
    - name: match
      overwrite: true
      type: keyword
      description: This key is for the regex match name from search.ini
    - name: param_dst
      overwrite: true
      type: keyword
      description: This key captures the command line/launch argument of the target process or file
    - name: param_src
      overwrite: true
      type: keyword
      description: This key captures the source parameter
    - name: search_text
      overwrite: true
      type: keyword
      description: This key captures the Search Text used
    - name: sig_name
      overwrite: true
      type: keyword
      description: This key is used to capture the Signature Name only.
    - name: snmp_value
      overwrite: true
      type: keyword
      description: SNMP set request value
    - name: streams
      overwrite: true
      type: long
      description: This key captures the number of streams in a session
- name: db
  overwrite: true
  type: group
  fields:
    - name: index
      overwrite: true
      type: keyword
      description: This key captures the IndexID of the index.
    - name: instance
      overwrite: true
      type: keyword
      description: This key is used to capture the database server instance name
    - name: database
      overwrite: true
      type: keyword
      description: This key is used to capture the name of a database or an instance as seen in a session
    - name: transact_id
      overwrite: true
      type: keyword
      description: This key captures the SQL transaction ID of the current session
    - name: permissions
      overwrite: true
      type: keyword
      description: This key captures the permission or privilege level assigned to a resource.
    - name: table_name
      overwrite: true
      type: keyword
      description: This key is used to capture the table name
    - name: db_id
      overwrite: true
      type: keyword
      description: This key is used to capture the unique identifier for a database
    - name: db_pid
      overwrite: true
      type: long
      description: This key captures the process id of a connection with the database server
    - name: lread
      overwrite: true
      type: long
      description: This key is used for the number of logical reads
    - name: lwrite
      overwrite: true
      type: long
      description: This key is used for the number of logical writes
    - name: pread
      overwrite: true
      type: long
      description: This key is used for the number of physical writes
- name: network
  overwrite: true
  type: group
  fields:
    - name: alias_host
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname that isn't ad.computer.
    - name: domain
      overwrite: true
      type: keyword
    - name: host_dst
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Hostname"
    - name: network_service
      overwrite: true
      type: keyword
      description: This is used to capture layer 7 protocols/service names
    - name: interface
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of an interface is not clear
    - name: network_port
      overwrite: true
      type: long
      description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
    - name: eth_host
      overwrite: true
      type: keyword
      description: Deprecated, use alias.mac
    - name: sinterface
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Source Interface"
    - name: dinterface
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Interface"
    - name: vlan
      overwrite: true
      type: long
      description: This key should only be used to capture the ID of the Virtual LAN
    - name: zone_src
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Source Zone."
    - name: zone
      overwrite: true
      type: keyword
      description: This key should be used when the source or destination context of a Zone is not clear
    - name: zone_dst
      overwrite: true
      type: keyword
      description: "This key should only be used when it\u2019s a Destination Zone."
    - name: gateway
      overwrite: true
      type: keyword
      description: This key is used to capture the IP Address of the gateway
    - name: icmp_type
      overwrite: true
      type: long
      description: This key is used to capture the ICMP type only
    - name: mask
      overwrite: true
      type: keyword
      description: This key is used to capture the device network IP mask.
    - name: icmp_code
      overwrite: true
      type: long
      description: This key is used to capture the ICMP code only
    - name: protocol_detail
      overwrite: true
      type: keyword
      description: This key should be used to capture additional protocol information
    - name: dmask
      overwrite: true
      type: keyword
      description: This key is used for the Destination Device network mask
    - name: port
      overwrite: true
      type: long
      description: This key should only be used to capture a Network Port when the directionality is not clear
    - name: smask
      overwrite: true
      type: keyword
      description: This key is used for capturing the source Network Mask
    - name: netname
      overwrite: true
      type: keyword
      description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
    - name: paddr
      overwrite: true
      type: ip
      description: Deprecated
    - name: faddr
      overwrite: true
      type: keyword
    - name: lhost
      overwrite: true
      type: keyword
    - name: origin
      overwrite: true
      type: keyword
    - name: remote_domain_id
      overwrite: true
      type: keyword
    - name: addr
      overwrite: true
      type: keyword
    - name: dns_a_record
      overwrite: true
      type: keyword
    - name: dns_ptr_record
      overwrite: true
      type: keyword
    - name: fhost
      overwrite: true
      type: keyword
    - name: fport
      overwrite: true
      type: keyword
    - name: laddr
      overwrite: true
      type: keyword
    - name: linterface
      overwrite: true
      type: keyword
    - name: phost
      overwrite: true
      type: keyword
    - name: ad_computer_dst
      overwrite: true
      type: keyword
      description: Deprecated, use host.dst
    - name: eth_type
      overwrite: true
      type: long
      description: This key is used to capture the Ethernet Type, used for Layer 3 Protocols only
    - name: ip_proto
      overwrite: true
      type: long
      description: This key should be used to capture the Protocol number; all protocol numbers are converted into strings in the UI
    - name: dns_cname_record
      overwrite: true
      type: keyword
    - name: dns_id
      overwrite: true
      type: keyword
    - name: dns_opcode
      overwrite: true
      type: keyword
    - name: dns_resp
      overwrite: true
      type: keyword
    - name: dns_type
      overwrite: true
      type: keyword
    - name: domain1
      overwrite: true
      type: keyword
    - name: host_type
      overwrite: true
      type: keyword
    - name: packet_length
      overwrite: true
      type: keyword
    - name: host_orig
      overwrite: true
      type: keyword
      description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
    - name: rpayload
      overwrite: true
      type: keyword
      description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
    - name: vlan_name
      overwrite: true
      type: keyword
      description: This key should only be used to capture the name of the Virtual LAN
- name: investigations
  overwrite: true
  type: group
  fields:
    - name: ec_activity
      overwrite: true
      type: keyword
      description: 'This key captures the particular event activity (Ex: Logoff)'
    - name: ec_theme
      overwrite: true
      type: keyword
      description: 'This key captures the Theme of a particular Event (Ex: Authentication)'
    - name: ec_subject
      overwrite: true
      type: keyword
      description: 'This key captures the Subject of a particular Event (Ex: User)'
    - name: ec_outcome
      overwrite: true
      type: keyword
      description: 'This key captures the outcome of a particular Event (Ex: Success)'
    - name: event_cat
      overwrite: true
      type: long
      description: This key captures the Event category number
    - name: event_cat_name
      overwrite: true
      type: keyword
      description: This key captures the event category name corresponding to the event cat code
    - name: event_vcat
      overwrite: true
      type: keyword
      description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
    - name: analysis_file
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
    - name: analysis_service
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
    - name: analysis_session
      overwrite: true
      type: keyword
      description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
    - name: boc
      overwrite: true
      type: keyword
      description: This is used to capture behaviour of compromise
    - name: eoc
      overwrite: true
      type: keyword
      description: This is used to capture Enablers of Compromise
    - name: inv_category
      overwrite: true
      type: keyword
      description: This is used to capture the investigation category
    - name: inv_context
      overwrite: true
      type: keyword
      description: This is used to capture the investigation context
    - name: ioc
      overwrite: true
      type: keyword
      description: This key captures indicators of compromise
- name: counters
  overwrite: true
  type: group
  fields:
    - name: dclass_c1
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c1.str only
    - name: dclass_c2
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c2.str only
    - name: event_counter
      overwrite: true
      type: long
      description: This is used to capture the number of times an event repeated
    - name: dclass_r1
      overwrite: true
      type: keyword
      description: This is a generic ratio key that should be used with the label dclass.r1.str only
    - name: dclass_c3
      overwrite: true
      type: long
      description: This is a generic counter key that should be used with the label dclass.c3.str only
    - name: dclass_c1_str
      overwrite: true
      type: keyword
      description: This is a generic counter string key that should be used with the label dclass.c1 only
    - name: dclass_c2_str
      overwrite: true
      type: keyword
      description: This is a generic counter string key that should be used with the label dclass.c2 only
    - name: dclass_r1_str
      overwrite: true
      type: keyword
      description: This is a generic ratio string key that should be used with the label dclass.r1 only
    - name: dclass_r2
      overwrite: true
      type: keyword
      description: This is a generic ratio key that should be used with the label dclass.r2.str only
    - name: dclass_c3_str
      overwrite: true
      type: keyword
      description: This is a generic counter string key that should be used with the label dclass.c3 only
    - name: dclass_r3
      overwrite: true
      type: keyword
      description: This is a generic ratio key that should be used with the label dclass.r3.str only
    - name: dclass_r2_str
      overwrite: true
      type: keyword
      description: This is a generic ratio string key that should be used with the label dclass.r2 only
    - name: dclass_r3_str
      overwrite: true
      type: keyword
      description: This is a generic ratio string key that should be used with the label dclass.r3 only
- name: identity
  overwrite: true
  type: group
  fields:
    - name: auth_method
      overwrite: true
      type: keyword
      description: This key is used to capture authentication methods used only
    - name: user_role
      overwrite: true
      type: keyword
      description: This key is used to capture the Role of a user only
    - name: dn
      overwrite: true
      type: keyword
      description: X.500 (LDAP) Distinguished Name
    - name: logon_type
      overwrite: true
      type: keyword
      description: This key is used to capture the type of logon method used.
    - name: profile
      overwrite: true
      type: keyword
      description: This key is used to capture the user profile
    - name: accesses
      overwrite: true
      type: keyword
      description: This key is used to capture the actual privileges used in accessing an object
    - name: realm
      overwrite: true
      type: keyword
      description: Radius realm or similar grouping of accounts
    - name: user_sid_dst
      overwrite: true
      type: keyword
      description: This key captures the Destination User Session ID
    - name: dn_src
      overwrite: true
      type: keyword
      description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
    - name: org
      overwrite: true
      type: keyword
      description: This key captures the User organization
    - name: dn_dst
      overwrite: true
      type: keyword
      description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
    - name: firstname
      overwrite: true
      type: keyword
      description: This key is for First Names only; this is used predominantly in Healthcare to capture Patient information
    - name: lastname
      overwrite: true
      type: keyword
      description: This key is for Last Names only; this is used predominantly in Healthcare to capture Patient information
    - name: user_dept
      overwrite: true
      type: keyword
      description: User's Department Names only
    - name: user_sid_src
      overwrite: true
      type: keyword
      description: This key captures the Source User Session ID
    - name: federated_sp
      overwrite: true
      type: keyword
      description: This key is the Federated Service Provider. This is the application requesting authentication.
    - name: federated_idp
      overwrite: true
      type: keyword
      description: This key is the federated Identity Provider. This is the server providing the authentication.
    - name: logon_type_desc
      overwrite: true
      type: keyword
      description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
    - name: middlename
      overwrite: true
      type: keyword
      description: This key is for Middle Names only; this is used predominantly in Healthcare to capture Patient information
    - name: password
      overwrite: true
      type: keyword
      description: This key is for Passwords seen in any session, plain text or encrypted
    - name: host_role
      overwrite: true
      type: keyword
      description: This key should only be used to capture the role of a Host Machine
    - name: ldap
      overwrite: true
      type: keyword
      description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
    - name: ldap_query
      overwrite: true
      type: keyword
      description: This key is the Search criteria from an LDAP search
    - name: ldap_response
      overwrite: true
      type: keyword
      description: This key is to capture Results from an LDAP search
    - name: owner
      overwrite: true
      type: keyword
      description: This is used to capture the username the process or service is running as, the author of the task
    - name: service_account
      overwrite: true
      type: keyword
      description: This key is a Windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
- name: email
  overwrite: true
  type: group
  fields:
    - name: email_dst
      overwrite: true
      type: keyword
      description: This key is used to capture the Destination email address only; when the destination context is not clear use email
    - name: email_src
      overwrite: true
      type: keyword
      description: This key is used to capture the source email address only; when the source context is not clear use email
    - name: subject
      overwrite: true
      type: keyword
      description: This key is used to capture the subject string from an Email only.
    - name: email
      overwrite: true
      type: keyword
      description: This key is used to capture a generic email address where the source or destination context is not clear
    - name: trans_from
      overwrite: true
      type: keyword
      description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
              Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a wireless session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This key is used to capture the wireless channel number
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key identifies a logical unit (LUN) within a storage target.
            - name: pwwn
              overwrite: true
              type: keyword
              description: Port World Wide Name. This uniquely identifies a port on an HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP MaxMind database.
        - name: healthcare
          overwrite: true
          type: group
          fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare to capture patient information
        - name: endpoint
          overwrite: true
          type: group
          fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
    - name: microsoft.m365_defender
      type: group
      release: beta
      default_field: false
      description: >
        Module for ingesting Microsoft 365 Defender incidents and their alerts.
      fields:
        - name: incidentId
          type: keyword
          description: >
            Unique identifier to represent the incident.
        - name: redirectIncidentId
          type: keyword
          description: >
            Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
        - name: incidentName
          type: keyword
          description: >
            Name of the Incident.
        - name: determination
          type: keyword
          description: >
            Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
        - name: investigationState
          type: keyword
          description: >
            The current state of the Investigation.
- name: assignedTo type: keyword description: > Owner of the alert. - name: tags type: keyword description: > Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. - name: status type: keyword description: > Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. - name: classification type: keyword description: > Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. - name: alerts.incidentId type: keyword description: > Unique identifier to represent the incident this alert is associated with. - name: alerts.resolvedTime type: date description: > Time when alert was resolved. - name: alerts.status type: keyword description: > Categorize alerts (as New, Active, or Resolved). - name: alerts.severity type: keyword description: > The severity of the related alert. - name: alerts.creationTime type: date description: > Time when alert was first created. - name: alerts.lastUpdatedTime type: date description: > Time when alert was last updated. - name: alerts.investigationId type: keyword description: > The automated investigation id triggered by this alert. - name: alerts.userSid type: keyword description: > The SID of the related user - name: alerts.detectionSource type: keyword description: > The service that initially detected the threat. - name: alerts.classification type: keyword description: > The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. - name: alerts.investigationState type: keyword description: > Information on the investigation's current status. - name: alerts.determination type: keyword description: > Specifies the determination of the incident. 
            The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
        - name: alerts.assignedTo
          type: keyword
          description: >
            Owner of the incident, or null if no owner is assigned.
        - name: alerts.actorName
          type: keyword
          description: >
            The activity group, if any, associated with this alert.
        - name: alerts.threatFamilyName
          type: keyword
          description: >
            Threat family associated with this alert.
        - name: alerts.mitreTechniques
          type: keyword
          description: >
            The attack techniques, as aligned with the MITRE ATT&CK™ framework.
        - name: alerts.entities.entityType
          type: keyword
          description: >
            Entities that have been identified to be part of, or related to, a given alert. The property values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
        - name: alerts.entities.accountName
          type: keyword
          description: >
            Account name of the related user.
        - name: alerts.entities.mailboxDisplayName
          type: keyword
          description: >
            The display name of the related mailbox.
        - name: alerts.entities.mailboxAddress
          type: keyword
          description: >
            The mail address of the related mailbox.
        - name: alerts.entities.clusterBy
          type: keyword
          description: >
            A list of metadata if the entityType is MailCluster.
        - name: alerts.entities.sender
          type: keyword
          description: >
            The sender for the related email message.
        - name: alerts.entities.recipient
          type: keyword
          description: >
            The recipient for the related email message.
        - name: alerts.entities.subject
          type: keyword
          description: >
            The subject for the related email message.
        - name: alerts.entities.deliveryAction
          type: keyword
          description: >
            The delivery status for the related email message.
        - name: alerts.entities.securityGroupId
          type: keyword
          description: >
            The Security Group ID for the user related to the email message.
        - name: alerts.entities.securityGroupName
          type: keyword
          description: >
            The Security Group Name for the user related to the email message.
        - name: alerts.entities.registryHive
          type: keyword
          description: >
            The registry hive the event relates to, when entityType is Registry. Example: HKEY_LOCAL_MACHINE.
        - name: alerts.entities.registryKey
          type: keyword
          description: >
            The registry key related to the event.
        - name: alerts.entities.registryValueType
          type: keyword
          description: >
            Value type of the registry key/value pair related to the event.
        - name: alerts.entities.deviceId
          type: keyword
          description: >
            The unique ID of the device related to the event.
        - name: alerts.entities.ipAddress
          type: keyword
          description: >
            The IP address related to the event.
        - name: alerts.devices
          type: flattened
          description: >
            The devices related to the investigation.
- key: misp
  title: MISP
  description: >
    Module for handling threat information from MISP.
  fields:
    - name: misp
      type: group
      description: >
        Fields from MISP threat information.
      fields:
        - name: attack_pattern
          title: Attack Pattern
          short: Fields that let you store attack patterns
          description: >
            Fields provide support for specifying information about attack patterns.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the attack pattern.
            - name: name
              level: core
              type: keyword
              description: >
                Name of the attack pattern.
            - name: description
              level: extended
              type: text
              description: >
                Description of the attack pattern.
            - name: kill_chain_phases
              level: extended
              type: keyword
              description: >
                The kill chain phase(s) to which this attack pattern corresponds.
        - name: campaign
          title: Campaign
          short: Fields that let you store campaign information
          description: >
            Fields provide support for specifying information about campaigns.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the campaign.
            - name: name
              level: core
              type: keyword
              description: >
                Name of the campaign.
            - name: description
              level: extended
              type: text
              description: >
                Description of the campaign.
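The microsoft.m365_defender fields above describe one incident carrying a list of alerts, each carrying a list of entities, yet every alerts.* and alerts.entities.* field is a plain keyword. The following is an added example, not code from the Filebeat module or from Microsoft; it flattens an incident document into those dotted field names the way a non-nested object array ends up in Elasticsearch, and derives a triage summary. The SAMPLE_INCIDENT document and the SEVERITY_RANK ordering are this example's own constructions.

```python
"""Added example (not from the Filebeat module): flatten a Microsoft 365
Defender incident into the microsoft.m365_defender.* field names and derive a
triage summary. SAMPLE_INCIDENT is constructed for this example."""
from typing import Dict

P = "microsoft.m365_defender."

# Assumed ranking of Defender's severity values; the ordering is this example's choice.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_INCIDENT: Dict = {  # constructed, not real Defender output
    "incidentId": "4242",
    "incidentName": "Multi-stage incident involving persistence on one endpoint",
    "status": "InProgress",
    "classification": "TruePositive",
    "determination": "Malware",
    "alerts": [
        {"incidentId": "4242", "status": "New", "severity": "High",
         "classification": "TruePositive", "mitreTechniques": ["T1547.001"],
         "entities": [
             {"entityType": "Registry", "registryHive": "HKEY_LOCAL_MACHINE",
              "registryKey": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
              "registryValueType": "String"},
             {"entityType": "User", "accountName": "jdoe"}]},
        {"incidentId": "4242", "status": "Resolved", "severity": "Low",
         "classification": "FalsePositive", "mitreTechniques": ["T1059.001"],
         "entities": [{"entityType": "Ip", "ipAddress": "203.0.113.7"}]},
    ],
}


def flatten_incident(incident: Dict) -> Dict[str, object]:
    """Map the nested incident onto the module's dotted keyword fields.

    Values from every alert and every entity are appended to one array per
    field, which is how Elasticsearch stores an array of (non-nested) objects."""
    doc: Dict[str, object] = {}

    def put(field: str, value: object) -> None:
        doc.setdefault(field, []).append(value)

    for key, value in incident.items():
        if key != "alerts":
            doc[P + key] = value
    for alert in incident.get("alerts", []):
        for key, value in alert.items():
            if key == "entities":
                for entity in value:
                    for ekey, evalue in entity.items():
                        put(P + "alerts.entities." + ekey, evalue)
            elif key == "devices":
                put(P + "alerts.devices", value)  # mapped as flattened: keep the object
            elif isinstance(value, list):
                for item in value:
                    put(P + "alerts." + key, item)
            else:
                put(P + "alerts." + key, value)
    return doc


def triage(incident: Dict) -> Dict[str, object]:
    """Summarise what still needs an analyst: unresolved, non-false-positive alerts."""
    open_alerts = [a for a in incident.get("alerts", [])
                   if a.get("status") != "Resolved"
                   and a.get("classification") != "FalsePositive"]
    severities = [a["severity"] for a in open_alerts if a.get("severity") in SEVERITY_RANK]
    return {
        "open_alerts": len(open_alerts),
        "max_severity": max(severities, key=SEVERITY_RANK.__getitem__, default=None),
        "mitre_techniques": sorted({t for a in open_alerts for t in a.get("mitreTechniques", [])}),
        "entity_types": sorted({e["entityType"] for a in open_alerts for e in a.get("entities", [])}),
    }


if __name__ == "__main__":
    print(flatten_incident(SAMPLE_INCIDENT)[P + "alerts.entities.entityType"])
    print(triage(SAMPLE_INCIDENT))
```

The flattened document shows the caveat: once entity values sit in parallel keyword arrays, a query such as `alerts.entities.entityType: Registry AND alerts.entities.ipAddress: 203.0.113.7` matches this incident even though the IP belongs to a different entity than the registry key. Only alerts.devices, mapped as flattened, keeps its object boundaries; correlations that must stay per-entity have to be computed before indexing, as triage() does on the original structure.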
- name: aliases level: extended type: text description: > Alternative names used to identify this campaign. - name: first_seen level: core type: date description: > The time that this Campaign was first seen, in RFC3339 format. - name: last_seen level: core type: date description: > The time that this Campaign was last seen, in RFC3339 format. - name: objective level: core type: keyword description: > This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. - name: course_of_action title: Course of Action short: Fields that let you store information about course of action. description: > A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. type: group fields: - name: id level: core type: keyword description: > Identifier of the Course of Action. - name: name level: core type: keyword description: > The name used to identify the Course of Action. - name: description level: extended type: text description: > Description of the Course of Action. - name: identity title: Identity short: Fields that let you store information about identity. description: > Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. type: group fields: - name: id level: core type: keyword description: > Identifier of the Identity. - name: name level: core type: keyword description: > The name used to identify the Identity. - name: description level: extended type: text description: > Description of the Identity. - name: identity_class level: core type: keyword description: > The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov - name: labels level: extended type: keyword description: > The list of roles that this Identity performs. example: > CEO - name: sectors level: extended type: keyword description: > The list of sectors that this Identity belongs to. 
Open Vocab - industry-sector-ov - name: contact_information level: extended type: text description: > The contact information (e-mail, phone number, etc.) for this Identity. - name: intrusion_set title: Intrusion Set short: Fields that let you store information about Intrusion Set. description: > An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. type: group fields: - name: id level: core type: keyword description: > Identifier of the Intrusion Set. - name: name level: core type: keyword description: > The name used to identify the Intrusion Set. - name: description level: extended type: text description: > Description of the Intrusion Set. - name: aliases level: extended type: text description: > Alternative names used to identify the Intrusion Set. - name: first_seen level: extended type: date description: > The time that this Intrusion Set was first seen, in RFC3339 format. - name: last_seen level: extended type: date description: > The time that this Intrusion Set was last seen, in RFC3339 format. - name: goals level: extended type: text description: > The high level goals of this Intrusion Set, namely, what are they trying to do. - name: resource_level level: extended type: text description: > This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov - name: primary_motivation level: extended type: text description: > The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov - name: secondary_motivations level: extended type: text description: > The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov - name: malware title: Malware short: Fields that let you store information about Malware. 
          description: >
            Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the Malware.
            - name: name
              level: core
              type: keyword
              description: >
                The name used to identify the Malware.
            - name: description
              level: extended
              type: text
              description: >
                Description of the Malware.
            - name: labels
              level: core
              type: keyword
              description: >
                The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware,remote-access-trojan,resource-exploitation,rogue-security-software,rootkit,screen-capture,spyware,trojan,virus,worm
            - name: kill_chain_phases
              format: string
              level: extended
              type: keyword
              description: >
                The list of kill chain phases for which this Malware instance can be used.
        - name: note
          title: Note
          short: Fields that let you store information about a Note.
          description: >
            A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the Note.
            - name: summary
              level: extended
              type: keyword
              description: >
                A brief description used as a summary of the Note.
            - name: description
              level: extended
              type: text
              description: >
                The content of the Note.
            - name: authors
              level: extended
              type: keyword
              description: >
                The name of the author(s) of this Note.
            - name: object_refs
              level: extended
              type: keyword
              description: >
                The STIX Objects (SDOs and SROs) that the note is being applied to.
        - name: threat_indicator
          title: Threat Indicator
          short: Fields that let you store Threat Indicators
          description: >
            Fields provide support for specifying information about threat indicators, and related matching patterns.
          type: group
          fields:
            - name: labels
              level: core
              type: keyword
              description: >
                List of open-vocabulary labels that specify the type of indicator.
              example: >
                Domain Watchlist
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the threat indicator.
            - name: version
              level: core
              type: keyword
              description: >
                Version of the threat indicator.
            - name: type
              level: core
              type: keyword
              description: >
                Type of the threat indicator.
            - name: description
              level: core
              type: text
              description: >
                Description of the threat indicator.
            - name: feed
              level: core
              type: text
              description: >
                Name of the threat feed.
            - name: valid_from
              level: core
              type: date
              description: >
                The time from which this Indicator should be considered valuable intelligence, in RFC3339 format.
            - name: valid_until
              level: core
              type: date
              description: >
                The time at which this Indicator should no longer be considered valuable intelligence, in RFC3339 format. If the valid_until property is omitted, there is no constraint on the latest time for which the indicator should be used.
            - name: severity
              format: string
              level: core
              type: keyword
              description: >
                Threat severity to which this indicator corresponds.
              example: high
            - name: confidence
              level: core
              type: keyword
              description: >
                Confidence level to which this indicator corresponds.
              example: high
            - name: kill_chain_phases
              format: string
              level: extended
              type: keyword
              description: >
                The kill chain phase(s) to which this indicator corresponds.
            - name: mitre_tactic
              format: string
              level: extended
              type: keyword
              description: >
                MITRE tactics to which this indicator corresponds.
              example: Initial Access
            - name: mitre_technique
              format: string
              level: extended
              type: keyword
              description: >
                MITRE techniques to which this indicator corresponds.
              example: Drive-by Compromise
            - name: attack_pattern
              level: core
              type: keyword
              description: >
                The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning.
              example: >
                [destination:ip = '91.219.29.188/32']
            - name: attack_pattern_kql
              level: core
              type: keyword
              description: >
                The attack_pattern for this indicator as a KQL query that matches the attack_pattern specified in the STIX Pattern format.
              example: >
                destination.ip: "91.219.29.188/32"
            - name: negate
              level: core
              type: boolean
              description: >
                When set to true, the indicator matches on the absence of the attack_pattern (the match is negated).
            - name: intrusion_set
              level: extended
              type: keyword
              description: >
                Name of the intrusion set if known.
            - name: campaign
              level: extended
              type: keyword
              description: >
                Name of the attack campaign if known.
            - name: threat_actor
              level: extended
              type: keyword
              description: >
                Name of the threat actor if known.
        - name: observed_data
          title: Observed Data
          short: Fields that let you store information about Observed Data.
          description: >
            Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the Observed Data.
            - name: first_observed
              level: core
              type: date
              description: >
                The beginning of the time window during which the data was observed, in RFC3339 format.
            - name: last_observed
              level: core
              type: date
              description: >
                The end of the time window during which the data was observed, in RFC3339 format.
            - name: number_observed
              level: core
              type: integer
              description: >
                The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
            - name: objects
              level: core
              type: keyword
              description: >
                A dictionary of Cyber Observable Objects that describes the single fact that was observed.
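The threat_indicator fields above carry a STIX pattern (attack_pattern), its KQL rendering (attack_pattern_kql), a negate flag and a valid_from/valid_until window, but the schema says nothing about how those combine at match time. The following is an added example, not code from the Filebeat MISP module or from MISP itself: it parses the single-comparison STIX 2.0 patterns the module's examples use, renders them in the attack_pattern_kql form, and evaluates an indicator against an ECS-shaped event. It goes beyond the page's /32 example by treating any IP literal as a CIDR network. The STIX_TO_ECS mapping (apart from destination:ip, which the page itself shows as destination.ip) and the use of `=` with CIDR literals are this example's own assumptions.

```python
"""Added example (not from the Filebeat MISP module): evaluate a MISP
threat_indicator against an ECS-shaped event. Supports the single-comparison
STIX 2.0 patterns the module's examples show, the attack_pattern_kql rendering,
CIDR IP literals, negate, and the valid_from/valid_until window."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, Tuple, Union

# Assumed mapping from STIX object paths to ECS field names. destination:ip ->
# destination.ip comes from the page's own example; the others are this
# example's choices and may differ from what a given MISP export uses.
STIX_TO_ECS = {
    "destination:ip": "destination.ip",
    "source:ip": "source.ip",
    "domain-name:value": "dns.question.name",
    "url:value": "url.full",
}

# [<object>:<property> = '<literal>'] and nothing else (no AND/OR, no FOLLOWEDBY).
_SINGLE_COMPARISON = re.compile(r"^\[\s*([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_stix_pattern(pattern: str) -> Tuple[str, str]:
    """Return (ecs_field, literal) for a single-comparison STIX pattern."""
    match = _SINGLE_COMPARISON.match(pattern.strip())
    if not match:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    stix_path, literal = match.groups()
    if stix_path not in STIX_TO_ECS:
        raise ValueError(f"no ECS mapping for {stix_path!r}")
    return STIX_TO_ECS[stix_path], literal


def to_kql(pattern: str) -> str:
    """Render the pattern the way attack_pattern_kql does: field: "value"."""
    field, literal = parse_stix_pattern(pattern)
    return f'{field}: "{literal}"'


def _rfc3339(value: Union[str, datetime]) -> datetime:
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _value_matches(field: str, literal: str, observed: str) -> bool:
    # IP literals may carry a prefix length (the page's example uses /32), so
    # compare as networks rather than as strings.
    if field.endswith(".ip"):
        return ipaddress.ip_address(observed) in ipaddress.ip_network(literal, strict=False)
    return literal == observed


def indicator_matches(indicator: Dict, event: Dict[str, str],
                      now: Union[str, datetime, None] = None) -> bool:
    """True when the event satisfies the indicator at time `now`.

    Outside [valid_from, valid_until] the indicator never matches; negate=true
    inverts the comparison but not the validity window."""
    now = _rfc3339(now) if now is not None else datetime.now(timezone.utc)
    if indicator.get("valid_from") and now < _rfc3339(indicator["valid_from"]):
        return False
    if indicator.get("valid_until") and now > _rfc3339(indicator["valid_until"]):
        return False
    field, literal = parse_stix_pattern(indicator["attack_pattern"])
    observed = event.get(field)
    hit = observed is not None and _value_matches(field, literal, observed)
    return (not hit) if indicator.get("negate") else hit


if __name__ == "__main__":
    indicator = {"attack_pattern": "[destination:ip = '91.219.29.188/32']",
                 "valid_from": "2021-01-01T00:00:00Z", "negate": False}
    print(to_kql(indicator["attack_pattern"]))
    print(indicator_matches(indicator, {"destination.ip": "91.219.29.188"}))
```

The validity check runs before the negation on purpose: an expired negated indicator must not start matching everything. Patterns with boolean operators or observation expressions are rejected rather than partially evaluated, since a silently truncated pattern would produce confident false matches.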
        - name: report
          title: Report
          short: Fields that let you store information about Report.
          description: >
            Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the Report.
            - name: labels
              level: core
              type: keyword
              description: >
                This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability
            - name: name
              level: core
              type: keyword
              description: >
                The name used to identify the Report.
            - name: description
              level: extended
              type: text
              description: >
                A description that provides more details and context about the Report.
            - name: published
              level: extended
              type: date
              description: >
                The date that this report object was officially published by the creator of this report, in RFC3339 format.
            - name: object_refs
              level: core
              type: text
              description: >
                Specifies the STIX Objects that are referred to by this Report.
        - name: threat_actor
          title: Threat Actor
          short: Fields that let you store information about Threat Actor.
          description: >
            Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
          type: group
          fields:
            - name: id
              level: core
              type: keyword
              description: >
                Identifier of the Threat Actor.
            - name: labels
              level: core
              type: keyword
              description: >
                This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist
            - name: name
              level: core
              type: keyword
              description: >
                The name used to identify this Threat Actor or Threat Actor group.
- name: description level: extended type: text description: > A description that provides more details and context about the Threat Actor. - name: aliases level: extended type: text description: > A list of other names that this Threat Actor is believed to use. - name: roles level: extended type: text description: > This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author - name: goals level: extended type: text description: > The high level goals of this Threat Actor, namely, what are they trying to do. - name: sophistication level: extended type: text description: > The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator - name: resource_level level: extended type: text description: > This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government - name: primary_motivation level: extended type: text description: > The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - name: secondary_motivations level: extended type: text description: > The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - name: personal_motivations level: extended type: text description: > The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - name: tool title: Tool short: Fields that let you store information about Tool. description: > Tools are legitimate software that can be used by threat actors to perform attacks. type: group fields: - name: id level: core type: keyword description: > Identifier of the Tool. - name: labels level: core type: keyword description: > The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning - name: name level: core type: keyword description: > The name used to identify the Tool. - name: description level: extended type: text description: > A description that provides more details and context about the Tool. - name: tool_version level: extended type: keyword description: > The version identifier associated with the Tool. - name: kill_chain_phases level: extended type: text description: > The list of kill chain phases for which this Tool instance can be used. - name: vulnerability title: Vulnerability short: Fields that let you store information about Vulnerability. description: > A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. type: group fields: - name: id level: core type: keyword description: > Identifier of the Vulnerability. - name: name level: core type: keyword description: > The name used to identify the Vulnerability. - name: description level: extended type: text description: > A description that provides more details and context about the Vulnerability. 
- key: mssql title: "mssql" description: MS SQL Filebeat Module fields: - name: mssql type: group description: Fields from the MSSQL log files fields: - name: log description: Common log fields type: group fields: - name: origin description: Origin of the message, usually the server but it can also be a recovery process type: keyword - key: mysqlenterprise title: MySQL Enterprise description: > MySQL Enterprise Audit module fields: - name: mysqlenterprise type: group description: > Fields from MySQL Enterprise Logs fields: - name: audit type: group release: beta default_field: false description: > Module for parsing MySQL Enterprise Audit Logs fields: - name: class type: keyword description: > A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass. - name: connection_id type: keyword description: > An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session. - name: id type: keyword description: > An unsigned integer representing an event ID. - name: connection_data.connection_type type: keyword description: > The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection). - name: connection_data.status type: long description: > An integer representing the command status: 0 for success, nonzero if an error occurred. - name: connection_data.db type: keyword description: > A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. 
            - name: connection_data.connection_attributes
              type: flattened
              description: >
                Connection attributes that might be passed by different MySQL clients.
            - name: general_data.command
              type: keyword
              description: >
                A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
            - name: general_data.sql_command
              type: keyword
              description: >
                A string that indicates the SQL statement type.
            - name: general_data.query
              type: keyword
              description: >
                A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
            - name: general_data.status
              type: long
              description: >
                An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
            - name: login.user
              type: keyword
              description: >
                A string representing the information indicating how a client connected to the server.
            - name: login.proxy
              type: keyword
              description: >
                A string representing the proxy user. The value is empty if user proxying is not in effect.
            - name: shutdown_data.server_id
              type: keyword
              description: >
                An integer representing the server ID. This is the same as the value of the server_id system variable.
            - name: startup_data.server_id
              type: keyword
              description: >
                An integer representing the server ID. This is the same as the value of the server_id system variable.
            - name: startup_data.mysql_version
              type: keyword
              description: >
                A string representing the MySQL server version. This is the same as the value of the VERSION() function or the version system variable.
            - name: table_access_data.db
              type: keyword
              description: >
                A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
- name: table_access_data.table type: keyword description: > A string representing a table name. - name: table_access_data.query type: keyword description: > A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. - name: table_access_data.sql_command type: keyword description: > A string that indicates the SQL statement type. - name: account.user type: keyword description: > A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking. - name: account.host type: keyword description: > A string representing the client host name. - name: login.os type: keyword description: > A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client. - key: netflow-module title: NetFlow description: > Module for receiving NetFlow and IPFIX flow records over UDP. The module does not add fields beyond what the netflow input provides. skipdocs: fields: - key: netscout title: Arbor Peakflow SP description: > netscout fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. 
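The mysqlenterprise.audit.* fields above mirror the nested objects of MySQL Enterprise Audit's JSON log format (class, account, login, connection_data, general_data, table_access_data). The following is an added example, not code from the Filebeat module or from MySQL: it flattens such events onto those field names and derives findings from the ones that matter for security, namely connection_data.connection_type (tcp/ip means no TLS), a nonzero connection_data.status on connect events, privilege-changing general_data.sql_command values and a non-empty login.proxy. The SAMPLE_AUDIT_LOG events are constructed for this example and PRIVILEGE_COMMANDS is this example's own list.

```python
"""Added example (not from the Filebeat mysqlenterprise module): parse MySQL
Enterprise Audit events in the JSON log format into the mysqlenterprise.audit.*
field names and raise security findings. SAMPLE_AUDIT_LOG is constructed for
this example; the detection rules are this example's choices."""
import json
from typing import Dict, List, Tuple

P = "mysqlenterprise.audit."

# Statement types whose appearance in general_data.sql_command deserves review
# (assumed list for this example).
PRIVILEGE_COMMANDS = {"grant", "revoke", "create_user", "alter_user", "drop_user", "set_password"}

_SAMPLE_EVENTS = [  # constructed sample events, one JSON object per log line
    {"timestamp": "2021-03-01 10:00:00", "id": 0, "class": "connection", "event": "connect",
     "connection_id": 7, "account": {"user": "app", "host": "10.0.0.5"},
     "login": {"user": "app", "os": "", "ip": "10.0.0.5", "proxy": ""},
     "connection_data": {"connection_type": "tcp/ip", "status": 0, "db": "shop"}},
    {"timestamp": "2021-03-01 10:00:01", "id": 1, "class": "connection", "event": "connect",
     "connection_id": 8, "account": {"user": "root", "host": "203.0.113.9"},
     "login": {"user": "root", "os": "", "ip": "203.0.113.9", "proxy": ""},
     "connection_data": {"connection_type": "ssl", "status": 1045, "db": ""}},
    {"timestamp": "2021-03-01 10:00:02", "id": 2, "class": "general", "event": "status",
     "connection_id": 7, "account": {"user": "app", "host": "10.0.0.5"},
     "login": {"user": "app", "os": "", "ip": "10.0.0.5", "proxy": ""},
     "general_data": {"command": "Query", "sql_command": "grant",
                      "query": "GRANT ALL ON *.* TO 'app'@'%'", "status": 0}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)


def _flatten(obj: Dict, prefix: str = "") -> Dict[str, object]:
    """Turn nested objects into dotted keys (connection_data.status, account.user, ...)."""
    out: Dict[str, object] = {}
    for key, value in obj.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def to_ecs_fields(line: str) -> Dict[str, object]:
    """Map one JSON audit event onto mysqlenterprise.audit.* keys.

    Numeric values such as connection_id are kept as parsed; the module maps
    them as keyword, so a real pipeline would stringify them."""
    return {P + key: value for key, value in _flatten(json.loads(line)).items()}


def findings(event: Dict[str, object]) -> List[str]:
    """Security-relevant conditions derived from the mapped fields."""
    hits: List[str] = []
    # connection_type tcp/ip means the session was established without encryption.
    if event.get(P + "connection_data.connection_type") == "tcp/ip":
        hits.append("unencrypted_connection")
    # On connection events a nonzero status is an error, e.g. rejected credentials.
    if event.get(P + "class") == "connection" and event.get(P + "connection_data.status", 0) != 0:
        hits.append("failed_connection")
    if event.get(P + "general_data.sql_command") in PRIVILEGE_COMMANDS:
        hits.append("privilege_change")
    # A non-empty login.proxy means the client acted through a proxy user.
    if event.get(P + "login.proxy"):
        hits.append("proxied_user")
    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """(connection_id, account.user, findings) for every event that raises a finding."""
    results: List[Tuple[int, str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = to_ecs_fields(line)
        hits = findings(event)
        if hits:
            results.append((event[P + "connection_id"], event[P + "account.user"], hits))
    return results


if __name__ == "__main__":
    for row in scan(SAMPLE_AUDIT_LOG):
        print(row)
```

The failed-connection rule is keyed on class == connection because general_data.status is also nonzero for ordinary statement errors, which would otherwise flood the result with syntax errors. Pairing connection_id with account.user lets the GRANT on connection 7 be tied back to the unencrypted connect event that opened that session.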
  - name: rsa
    overwrite: true
    type: group
    default_field: false
    fields:
    - name: internal
      overwrite: true
      type: group
      fields:
      - name: msg
        overwrite: true
        type: keyword
        description: This key is used to capture the raw message that comes into the Log Decoder
      - name: messageid
        overwrite: true
        type: keyword
      - name: event_desc
        overwrite: true
        type: keyword
      - name: message
        overwrite: true
        type: keyword
        description: This key captures the contents of instant messages
      - name: time
        overwrite: true
        type: date
        description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
      - name: level
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: msg_id
        overwrite: true
        type: keyword
        description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: msg_vid
        overwrite: true
        type: keyword
        description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: data
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_server
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_val
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: resource
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: dead
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: feed_desc
        overwrite: true
        type: keyword
        description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: feed_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: cid
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_class
        overwrite: true
        type: keyword
        description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_group
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_host
        overwrite: true
        type: keyword
        description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ip
        overwrite: true
        type: ip
        description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ipv6
        overwrite: true
        type: ip
        description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type
        overwrite: true
        type: keyword
        description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type_id
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: did
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: entropy_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: entropy_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: event_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: feed_category
        overwrite: true
        type: keyword
        description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: forward_ip
        overwrite: true
        type: ip
        description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
      - name: forward_ipv6
        overwrite: true
        type: ip
        description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: header_id
        overwrite: true
        type: keyword
        description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_cid
        overwrite: true
        type: keyword
        description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_ctime
        overwrite: true
        type: date
        description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: mcb_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
      - name: mcb_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
      - name: mcbc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: mcbc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: medium
        overwrite: true
        type: long
        description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
      - name: node_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: nwe_callback_id
        overwrite: true
        type: keyword
        description: This key denotes that event is endpoint related
      - name: parse_error
        overwrite: true
        type: keyword
        description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: payload_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: payload_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: process_vid_dst
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
      - name: process_vid_src
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
      - name: rid
        overwrite: true
        type: long
        description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: session_split
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: site
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: size
        overwrite: true
        type: long
        description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: sourcefile
        overwrite: true
        type: keyword
        description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: ubc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: ubc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: word
        overwrite: true
        type: keyword
        description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
    - name: time
      overwrite: true
      type: group
      fields:
      - name: event_time
        overwrite: true
        type: date
        description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
      - name: duration_time
        overwrite: true
        type: double
        description: This key is used to capture the normalized duration/lifetime in seconds.
      - name: event_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture the incomplete time mentioned in a session as a string
      - name: starttime
        overwrite: true
        type: date
        description: This key is used to capture the Start time mentioned in a session in a standard form
      - name: month
        overwrite: true
        type: keyword
      - name: day
        overwrite: true
        type: keyword
      - name: endtime
        overwrite: true
        type: date
        description: This key is used to capture the End time mentioned in a session in a standard form
      - name: timezone
        overwrite: true
        type: keyword
        description: This key is used to capture the timezone of the Event Time
      - name: duration_str
        overwrite: true
        type: keyword
        description: A text string version of the duration
      - name: date
        overwrite: true
        type: keyword
      - name: year
        overwrite: true
        type: keyword
      - name: recorded_time
        overwrite: true
        type: date
        description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
      - name: datetime
        overwrite: true
        type: keyword
      - name: effective_time
        overwrite: true
        type: date
        description: This key is the effective time referenced by an individual event in a Standard Timestamp format
      - name: expire_time
        overwrite: true
        type: date
        description: This key is the timestamp that explicitly refers to an expiration.
      - name: process_time
        overwrite: true
        type: keyword
        description: Deprecated, use duration.time
      - name: hour
        overwrite: true
        type: keyword
      - name: min
        overwrite: true
        type: keyword
      - name: timestamp
        overwrite: true
        type: keyword
      - name: event_queue_time
        overwrite: true
        type: date
        description: This key is the Time that the event was queued.
      - name: p_time1
        overwrite: true
        type: keyword
      - name: tzone
        overwrite: true
        type: keyword
      - name: eventtime
        overwrite: true
        type: keyword
      - name: gmtdate
        overwrite: true
        type: keyword
      - name: gmttime
        overwrite: true
        type: keyword
      - name: p_date
        overwrite: true
        type: keyword
      - name: p_month
        overwrite: true
        type: keyword
      - name: p_time
        overwrite: true
        type: keyword
      - name: p_time2
        overwrite: true
        type: keyword
      - name: p_year
        overwrite: true
        type: keyword
      - name: expire_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
      - name: stamp
        overwrite: true
        type: date
        description: Deprecated key defined only in table map.
    - name: misc
      overwrite: true
      type: group
      fields:
      - name: action
        overwrite: true
        type: keyword
      - name: result
        overwrite: true
        type: keyword
        description: This key is used to capture the outcome/result string value of an action in a session.
      - name: severity
        overwrite: true
        type: keyword
        description: This key is used to capture the severity given the session
      - name: event_type
        overwrite: true
        type: keyword
        description: This key captures the event category type as specified by the event source.
      - name: reference_id
        overwrite: true
        type: keyword
        description: This key is used to capture an event id from the session directly
      - name: version
        overwrite: true
        type: keyword
        description: This key captures Version of the application or OS which is generating the event.
      - name: disposition
        overwrite: true
        type: keyword
        description: This key captures the end state of an action.
      - name: result_code
        overwrite: true
        type: keyword
        description: This key is used to capture the outcome/result numeric value of an action in a session
      - name: category
        overwrite: true
        type: keyword
        description: This key is used to capture the category of an event given by the vendor in the session
      - name: obj_name
        overwrite: true
        type: keyword
        description: This is used to capture name of object
      - name: obj_type
        overwrite: true
        type: keyword
        description: This is used to capture type of object
      - name: event_source
        overwrite: true
        type: keyword
        description: "This key captures Source of the event that\u2019s not a hostname"
      - name: log_session_id
        overwrite: true
        type: keyword
        description: This key is used to capture a sessionid from the session directly
      - name: group
        overwrite: true
        type: keyword
        description: This key captures the Group Name value
      - name: policy_name
        overwrite: true
        type: keyword
        description: This key is used to capture the Policy Name only.
      - name: rule_name
        overwrite: true
        type: keyword
        description: This key captures the Rule Name
      - name: context
        overwrite: true
        type: keyword
        description: This key captures Information which adds additional context to the event.
      - name: change_new
        overwrite: true
        type: keyword
        description: "This key is used to capture the new values of the attribute that\u2019s changing in a session"
      - name: space
        overwrite: true
        type: keyword
      - name: client
        overwrite: true
        type: keyword
        description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
      - name: msgIdPart1
        overwrite: true
        type: keyword
      - name: msgIdPart2
        overwrite: true
        type: keyword
      - name: change_old
        overwrite: true
        type: keyword
        description: "This key is used to capture the old value of the attribute that\u2019s changing in a session"
      - name: operation_id
        overwrite: true
        type: keyword
        description: An alert number or operation number. The values should be unique and non-repeating.
      - name: event_state
        overwrite: true
        type: keyword
        description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
      - name: group_object
        overwrite: true
        type: keyword
        description: This key captures a collection/grouping of entities. Specific usage
      - name: node
        overwrite: true
        type: keyword
        description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
      - name: rule
        overwrite: true
        type: keyword
        description: This key captures the Rule number
      - name: device_name
        overwrite: true
        type: keyword
        description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
      - name: param
        overwrite: true
        type: keyword
        description: This key is the parameters passed as part of a command or application, etc.
      - name: change_attrib
        overwrite: true
        type: keyword
        description: "This key is used to capture the name of the attribute that\u2019s changing in a session"
      - name: event_computer
        overwrite: true
        type: keyword
        description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
      - name: reference_id1
        overwrite: true
        type: keyword
        description: This key is for Linked ID to be used as an addition to "reference.id"
      - name: event_log
        overwrite: true
        type: keyword
        description: This key captures the Name of the event log
      - name: OS
        overwrite: true
        type: keyword
        description: This key captures the Name of the Operating System
      - name: terminal
        overwrite: true
        type: keyword
        description: This key captures the Terminal Names only
      - name: msgIdPart3
        overwrite: true
        type: keyword
      - name: filter
        overwrite: true
        type: keyword
        description: This key captures Filter used to reduce result set
      - name: serial_number
        overwrite: true
        type: keyword
        description: This key is the Serial number associated with a physical asset.
      - name: checksum
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
      - name: event_user
        overwrite: true
        type: keyword
        description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
      - name: virusname
        overwrite: true
        type: keyword
        description: This key captures the name of the virus
      - name: content_type
        overwrite: true
        type: keyword
        description: This key is used to capture Content Type only.
      - name: group_id
        overwrite: true
        type: keyword
        description: This key captures Group ID Number (related to the group name)
      - name: policy_id
        overwrite: true
        type: keyword
        description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
      - name: vsys
        overwrite: true
        type: keyword
        description: This key captures Virtual System Name
      - name: connection_id
        overwrite: true
        type: keyword
        description: This key captures the Connection ID
      - name: reference_id2
        overwrite: true
        type: keyword
        description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
      - name: sensor
        overwrite: true
        type: keyword
        description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
      - name: sig_id
        overwrite: true
        type: long
        description: This key captures IDS/IPS Int Signature ID
      - name: port_name
        overwrite: true
        type: keyword
        description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
      - name: rule_group
        overwrite: true
        type: keyword
        description: This key captures the Rule group name
      - name: risk_num
        overwrite: true
        type: double
        description: This key captures a Numeric Risk value
      - name: trigger_val
        overwrite: true
        type: keyword
        description: This key captures the Value of the trigger or threshold condition.
      - name: log_session_id1
        overwrite: true
        type: keyword
        description: This key is used to capture a Linked (Related) Session ID from the session directly
      - name: comp_version
        overwrite: true
        type: keyword
        description: This key captures the Version level of a sub-component of a product.
      - name: content_version
        overwrite: true
        type: keyword
        description: This key captures Version level of a signature or database content.
      - name: hardware_id
        overwrite: true
        type: keyword
        description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
      - name: risk
        overwrite: true
        type: keyword
        description: This key captures the non-numeric risk value
      - name: event_id
        overwrite: true
        type: keyword
      - name: reason
        overwrite: true
        type: keyword
      - name: status
        overwrite: true
        type: keyword
      - name: mail_id
        overwrite: true
        type: keyword
        description: This key is used to capture the mailbox id/name
      - name: rule_uid
        overwrite: true
        type: keyword
        description: This key is the Unique Identifier for a rule.
      - name: trigger_desc
        overwrite: true
        type: keyword
        description: This key captures the Description of the trigger or threshold condition.
      - name: inout
        overwrite: true
        type: keyword
      - name: p_msgid
        overwrite: true
        type: keyword
      - name: data_type
        overwrite: true
        type: keyword
      - name: msgIdPart4
        overwrite: true
        type: keyword
      - name: error
        overwrite: true
        type: keyword
        description: This key captures All non successful Error codes or responses
      - name: index
        overwrite: true
        type: keyword
      - name: listnum
        overwrite: true
        type: keyword
        description: This key is used to capture listname or listnumber, primarily for collecting access-list
      - name: ntype
        overwrite: true
        type: keyword
      - name: observed_val
        overwrite: true
        type: keyword
        description: This key captures the Value observed (from the perspective of the device generating the log).
      - name: policy_value
        overwrite: true
        type: keyword
        description: This key captures the contents of the policy. This contains details about the policy
      - name: pool_name
        overwrite: true
        type: keyword
        description: This key captures the name of a resource pool
      - name: rule_template
        overwrite: true
        type: keyword
        description: A default set of parameters which are overlayed onto a rule (or rulename) which effectively constitutes a template
      - name: count
        overwrite: true
        type: keyword
      - name: number
        overwrite: true
        type: keyword
      - name: sigcat
        overwrite: true
        type: keyword
      - name: type
        overwrite: true
        type: keyword
      - name: comments
        overwrite: true
        type: keyword
        description: Comment information provided in the log message
      - name: doc_number
        overwrite: true
        type: long
        description: This key captures File Identification number
      - name: expected_val
        overwrite: true
        type: keyword
        description: This key captures the Value expected (from the perspective of the device generating the log).
      - name: job_num
        overwrite: true
        type: keyword
        description: This key captures the Job Number
      - name: spi_dst
        overwrite: true
        type: keyword
        description: Destination SPI Index
      - name: spi_src
        overwrite: true
        type: keyword
        description: Source SPI Index
      - name: code
        overwrite: true
        type: keyword
      - name: agent_id
        overwrite: true
        type: keyword
        description: This key is used to capture agent id
      - name: message_body
        overwrite: true
        type: keyword
        description: This key captures the contents of the message body.
      - name: phone
        overwrite: true
        type: keyword
      - name: sig_id_str
        overwrite: true
        type: keyword
        description: This key captures a string object of the sigid variable.
      - name: cmd
        overwrite: true
        type: keyword
      - name: misc
        overwrite: true
        type: keyword
      - name: name
        overwrite: true
        type: keyword
      - name: cpu
        overwrite: true
        type: long
        description: This key is the CPU time used in the execution of the event being recorded.
      - name: event_desc
        overwrite: true
        type: keyword
        description: This key is used to capture a description of an event available directly or inferred
      - name: sig_id1
        overwrite: true
        type: long
        description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
      - name: im_buddyid
        overwrite: true
        type: keyword
      - name: im_client
        overwrite: true
        type: keyword
      - name: im_userid
        overwrite: true
        type: keyword
      - name: pid
        overwrite: true
        type: keyword
      - name: priority
        overwrite: true
        type: keyword
      - name: context_subject
        overwrite: true
        type: keyword
        description: This key is to be used in an audit context where the subject is the object being identified
      - name: context_target
        overwrite: true
        type: keyword
      - name: cve
        overwrite: true
        type: keyword
        description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
      - name: fcatnum
        overwrite: true
        type: keyword
        description: This key captures Filter Category Number. Legacy Usage
      - name: library
        overwrite: true
        type: keyword
        description: This key is used to capture library information in mainframe devices
      - name: parent_node
        overwrite: true
        type: keyword
        description: This key captures the Parent Node Name. Must be related to node variable.
      - name: risk_info
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: tcp_flags
        overwrite: true
        type: long
        description: This key captures the TCP flags set in any packet of session
      - name: tos
        overwrite: true
        type: long
        description: This key describes the type of service
      - name: vm_target
        overwrite: true
        type: keyword
        description: VMWare Target **VMWARE** only variable.
      - name: workspace
        overwrite: true
        type: keyword
        description: This key captures Workspace Description
      - name: command
        overwrite: true
        type: keyword
      - name: event_category
        overwrite: true
        type: keyword
      - name: facilityname
        overwrite: true
        type: keyword
      - name: forensic_info
        overwrite: true
        type: keyword
      - name: jobname
        overwrite: true
        type: keyword
      - name: mode
        overwrite: true
        type: keyword
      - name: policy
        overwrite: true
        type: keyword
      - name: policy_waiver
        overwrite: true
        type: keyword
      - name: second
        overwrite: true
        type: keyword
      - name: space1
        overwrite: true
        type: keyword
      - name: subcategory
        overwrite: true
        type: keyword
      - name: tbdstr2
        overwrite: true
        type: keyword
      - name: alert_id
        overwrite: true
        type: keyword
        description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: checksum_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of the target entity such as a process or file.
      - name: checksum_src
        overwrite: true
        type: keyword
        description: This key is used to capture the checksum or hash of the source entity such as a file or process.
      - name: fresult
        overwrite: true
        type: long
        description: This key captures the Filter Result
      - name: payload_dst
        overwrite: true
        type: keyword
        description: This key is used to capture destination payload
      - name: payload_src
        overwrite: true
        type: keyword
        description: This key is used to capture source payload
      - name: pool_id
        overwrite: true
        type: keyword
        description: This key captures the identifier (typically numeric field) of a resource pool
      - name: process_id_val
        overwrite: true
        type: keyword
        description: This key is a failure key for Process ID when it is not an integer value
      - name: risk_num_comm
        overwrite: true
        type: double
        description: This key captures Risk Number Community
      - name: risk_num_next
        overwrite: true
        type: double
        description: This key captures Risk Number NextGen
      - name: risk_num_sand
        overwrite: true
        type: double
        description: This key captures Risk Number SandBox
      - name: risk_num_static
        overwrite: true
        type: double
        description: This key captures Risk Number Static
      - name: risk_suspicious
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: risk_warning
        overwrite: true
        type: keyword
        description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
      - name: snmp_oid
        overwrite: true
        type: keyword
        description: SNMP Object Identifier
      - name: sql
        overwrite: true
        type: keyword
        description: This key captures the SQL query
      - name: vuln_ref
        overwrite: true
        type: keyword
        description: This key captures the Vulnerability Reference details
      - name: acl_id
        overwrite: true
        type: keyword
      - name: acl_op
        overwrite: true
        type: keyword
      - name: acl_pos
        overwrite: true
        type: keyword
      - name: acl_table
        overwrite: true
        type: keyword
      - name: admin
        overwrite: true
        type: keyword
      - name: alarm_id
        overwrite: true
        type: keyword
      - name: alarmname
        overwrite: true
        type: keyword
      - name: app_id
        overwrite: true
        type: keyword
      - name: audit
        overwrite: true
        type: keyword
      - name: audit_object
        overwrite: true
        type: keyword
      - name: auditdata
        overwrite: true
        type: keyword
      - name: benchmark
        overwrite: true
        type: keyword
      - name: bypass
        overwrite: true
        type: keyword
      - name: cache
        overwrite: true
        type: keyword
      - name: cache_hit
        overwrite: true
        type: keyword
      - name: cefversion
        overwrite: true
        type: keyword
      - name: cfg_attr
        overwrite: true
        type: keyword
      - name: cfg_obj
        overwrite: true
        type: keyword
      - name: cfg_path
        overwrite: true
        type: keyword
      - name: changes
        overwrite: true
        type: keyword
      - name: client_ip
        overwrite: true
        type: keyword
      - name: clustermembers
        overwrite: true
        type: keyword
      - name: cn_acttimeout
        overwrite: true
        type: keyword
      - name: cn_asn_src
        overwrite: true
        type: keyword
      - name: cn_bgpv4nxthop
        overwrite: true
        type: keyword
      - name: cn_ctr_dst_code
        overwrite: true
        type: keyword
      - name: cn_dst_tos
        overwrite: true
        type: keyword
      - name: cn_dst_vlan
        overwrite: true
        type: keyword
      - name: cn_engine_id
        overwrite: true
        type: keyword
      - name: cn_engine_type
        overwrite: true
        type: keyword
      - name: cn_f_switch
        overwrite: true
        type: keyword
      - name: cn_flowsampid
        overwrite: true
        type: keyword
      - name: cn_flowsampintv
        overwrite: true
        type: keyword
      - name: cn_flowsampmode
        overwrite: true
        type: keyword
      - name: cn_inacttimeout
        overwrite: true
        type: keyword
      - name: cn_inpermbyts
        overwrite: true
        type: keyword
      - name: cn_inpermpckts
        overwrite: true
        type: keyword
      - name: cn_invalid
        overwrite: true
        type: keyword
      - name: cn_ip_proto_ver
        overwrite: true
        type: keyword
      - name: cn_ipv4_ident
        overwrite: true
        type: keyword
      - name: cn_l_switch
        overwrite: true
        type: keyword
      - name: cn_log_did
        overwrite: true
        type: keyword
      - name: cn_log_rid
        overwrite: true
        type: keyword
      - name: cn_max_ttl
        overwrite: true
        type: keyword
      - name: cn_maxpcktlen
        overwrite: true
        type: keyword
      - name: cn_min_ttl
        overwrite: true
        type: keyword
      - name: cn_minpcktlen
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_1
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_10
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_2
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_3
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_4
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_5
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_6
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_7
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_8
        overwrite: true
        type: keyword
      - name: cn_mpls_lbl_9
        overwrite: true
        type: keyword
      - name: cn_mplstoplabel
        overwrite: true
        type: keyword
      - name: cn_mplstoplabip
        overwrite: true
        type: keyword
      - name: cn_mul_dst_byt
        overwrite: true
        type: keyword
      - name: cn_mul_dst_pks
        overwrite: true
        type: keyword
      - name: cn_muligmptype
        overwrite: true
        type: keyword
      - name: cn_sampalgo
        overwrite: true
        type: keyword
      - name: cn_sampint
        overwrite: true
        type: keyword
      - name: cn_seqctr
        overwrite: true
        type: keyword
      - name: cn_spackets
        overwrite: true
        type: keyword
      - name: cn_src_tos
        overwrite: true
        type: keyword
      - name: cn_src_vlan
        overwrite: true
        type: keyword
      - name: cn_sysuptime
        overwrite: true
        type: keyword
      - name: cn_template_id
        overwrite: true
        type: keyword
      - name: cn_totbytsexp
        overwrite: true
        type: keyword
      - name: cn_totflowexp
        overwrite: true
        type: keyword
      - name: cn_totpcktsexp
        overwrite: true
        type: keyword
      - name: cn_unixnanosecs
        overwrite: true
        type: keyword
      - name: cn_v6flowlabel
        overwrite: true
        type: keyword
      - name: cn_v6optheaders
        overwrite: true
        type: keyword
      - name: comp_class
        overwrite: true
        type: keyword
      - name: comp_name
        overwrite: true
        type: keyword
      - name: comp_rbytes
        overwrite: true
        type: keyword
      - name: comp_sbytes
        overwrite: true
        type: keyword
      - name: cpu_data
        overwrite: true
        type: keyword
      - name: criticality
        overwrite: true
        type: keyword
      - name: cs_agency_dst
        overwrite: true
        type: keyword
      - name: cs_analyzedby
        overwrite: true
        type: keyword
      - name: cs_av_other
        overwrite: true
        type: keyword
      - name: cs_av_primary
        overwrite: true
        type: keyword
      - name: cs_av_secondary
        overwrite: true
        type: keyword
      - name: cs_bgpv6nxthop
        overwrite: true
        type: keyword
      - name: cs_bit9status
        overwrite: true
        type: keyword
      - name: cs_context
        overwrite: true
        type: keyword
      - name: cs_control
        overwrite: true
        type: keyword
      - name: cs_data
        overwrite: true
        type: keyword
      - name: cs_datecret
        overwrite: true
        type: keyword
      - name: cs_dst_tld
        overwrite: true
        type: keyword
      - name: cs_eth_dst_ven
        overwrite: true
        type: keyword
      - name: cs_eth_src_ven
        overwrite: true
        type: keyword
      - name: cs_event_uuid
        overwrite: true
        type: keyword
      - name: cs_filetype
        overwrite: true
        type: keyword
      - name: cs_fld
        overwrite: true
        type: keyword
      - name: cs_if_desc
        overwrite: true
        type: keyword
      - name: cs_if_name
        overwrite: true
        type: keyword
      - name: cs_ip_next_hop
        overwrite: true
        type: keyword
      - name: cs_ipv4dstpre
        overwrite: true
        type: keyword
      - name: cs_ipv4srcpre
        overwrite: true
        type: keyword
      - name: cs_lifetime
        overwrite: true
        type: keyword
      - name: cs_log_medium
        overwrite: true
        type: keyword
      - name: cs_loginname
        overwrite: true
        type: keyword
      - name: cs_modulescore
        overwrite: true
        type: keyword
      - name: cs_modulesign
        overwrite: true
        type: keyword
      - name: cs_opswatresult
        overwrite: true
        type: keyword
      - name: cs_payload
        overwrite: true
        type: keyword
      - name: cs_registrant
        overwrite: true
        type: keyword
      - name: cs_registrar
        overwrite: true
        type: keyword
      - name: cs_represult
        overwrite: true
        type: keyword
      - name: cs_rpayload
        overwrite: true
        type: keyword
      - name: cs_sampler_name
        overwrite: true
        type: keyword
      - name: cs_sourcemodule
        overwrite: true
        type: keyword
      - name: cs_streams
        overwrite: true
        type: keyword
      - name: cs_targetmodule
        overwrite: true
        type: keyword
      - name: cs_v6nxthop
        overwrite: true
        type: keyword
      - name: cs_whois_server
        overwrite: true
        type: keyword
      - name: cs_yararesult
        overwrite: true
        type: keyword
      - name: description
        overwrite: true
        type: keyword
      - name: devvendor
        overwrite: true
        type: keyword
      - name: distance
        overwrite: true
        type: keyword
      - name: dstburb
        overwrite: true
        type: keyword
      - name: edomain
        overwrite: true
        type: keyword
      - name: edomaub
        overwrite: true
        type: keyword
      - name: euid
        overwrite: true
        type: keyword
      - name: facility
        overwrite: true
        type: keyword
      - name: finterface
        overwrite: true
        type: keyword
      - name: flags
        overwrite: true
        type: keyword
      - name: gaddr
        overwrite: true
        type: keyword
      - name: id3
        overwrite: true
        type: keyword
      - name: im_buddyname
        overwrite: true
        type: keyword
      - name: im_croomid
        overwrite: true
        type: keyword
      - name: im_croomtype
        overwrite: true
        type: keyword
      - name: im_members
        overwrite: true
        type: keyword
      - name: im_username
        overwrite: true
        type: keyword
      - name: ipkt
        overwrite: true
        type: keyword
      - name: ipscat
        overwrite: true
        type: keyword
      - name: ipspri
        overwrite: true
        type: keyword
      - name: latitude
        overwrite: true
        type: keyword
      - name: linenum
        overwrite: true
        type: keyword
      - name: list_name
        overwrite: true
        type: keyword
      - name: load_data
        overwrite: true
        type: keyword
      - name: location_floor
        overwrite: true
        type: keyword
      - name: location_mark
        overwrite: true
        type: keyword
      - name: log_id
        overwrite: true
        type: keyword
      - name: log_type
        overwrite: true
        type: keyword
      - name: logid
        overwrite: true
        type: keyword
      - name: logip
        overwrite: true
        type: keyword
      - name: logname
        overwrite: true
        type: keyword
      - name: longitude
        overwrite: true
        type: keyword
      - name: lport
        overwrite: true
        type: keyword
      - name: mbug_data
        overwrite: true
        type: keyword
      - name: misc_name
        overwrite: true
        type: keyword
      - name: msg_type
        overwrite: true
        type: keyword
      - name: msgid
        overwrite: true
        type: keyword
      - name: netsessid
        overwrite: true
        type: keyword
      - name: num
        overwrite: true
        type: keyword
      - name: number1
        overwrite: true
        type: keyword
      - name: number2
        overwrite: true
        type: keyword
      - name: nwwn
        overwrite: true
        type: keyword
      - name: object
        overwrite: true
        type: keyword
      - name: operation
        overwrite: true
        type: keyword
      - name: opkt
        overwrite: true
        type: keyword
      - name: orig_from
        overwrite: true
        type: keyword
      - name: owner_id
        overwrite: true
        type: keyword
      - name: p_action
        overwrite: true
        type: keyword
      - name: p_filter
        overwrite: true
        type: keyword
      - name: p_group_object
        overwrite: true
        type: keyword
      - name: p_id
        overwrite: true
        type: keyword
      - name: p_msgid1
        overwrite: true
        type: keyword
      - name: p_msgid2
        overwrite: true
        type: keyword
      - name: p_result1
        overwrite: true
        type: keyword
      - name: password_chg
        overwrite: true
        type: keyword
      - name: password_expire
        overwrite: true
        type: keyword
      - name: permgranted
        overwrite: true
        type: keyword
      - name: permwanted
        overwrite: true
        type: keyword
      - name: pgid
        overwrite: true
        type: keyword
      - name: policyUUID
        overwrite: true
        type: keyword
      - name: prog_asp_num
        overwrite: true
        type: keyword
      - name: program
        overwrite: true
        type: keyword
      - name: real_data
        overwrite: true
        type: keyword
      - name: rec_asp_device
        overwrite: true
        type: keyword
      - name: rec_asp_num
        overwrite: true
        type: keyword
      - name: rec_library
        overwrite: true
        type: keyword
      - name: recordnum
        overwrite: true
        type: keyword
      - name: ruid
        overwrite: true
        type: keyword
      - name: sburb
        overwrite: true
        type: keyword
      - name: sdomain_fld
        overwrite: true
        type: keyword
      - name: sec
        overwrite: true
        type: keyword
      - name: sensorname
        overwrite: true
        type: keyword
      - name: seqnum
        overwrite: true
        type: keyword
      - name: session
        overwrite: true
        type: keyword
      - name: sessiontype
        overwrite: true
        type: keyword
      - name: sigUUID
        overwrite: true
        type: keyword
      - name: spi
        overwrite: true
        type: keyword
      - name: srcburb
        overwrite: true
        type: keyword
      - name: srcdom
        overwrite: true
        type: keyword
      - name: srcservice
        overwrite: true
        type: keyword
      - name: state
        overwrite: true
        type: keyword
      - name: status1
        overwrite: true
        type: keyword
      - name: svcno
        overwrite: true
        type: keyword
      - name: system
        overwrite: true
        type: keyword
      - name: tbdstr1
        overwrite: true
        type: keyword
      - name: tgtdom
        overwrite: true
        type: keyword
      - name: tgtdomain
        overwrite: true
        type: keyword
      - name: threshold
        overwrite: true
        type: keyword
      - name: type1
        overwrite: true
        type: keyword
      - name: udb_class
        overwrite: true
        type: keyword
      - name: url_fld
        overwrite: true
        type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual LAN
        - name: investigations
          overwrite: true
          type: group
          fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicator of compromise
        - name: counters
          overwrite: true
          type: group
          fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r3 only
        - name: identity
          overwrite: true
          type: group
          fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
        - name: email
          overwrite: true
          type: group
          fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only, when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
        - name: file
          overwrite: true
          type: group
          fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
        - name: web
          overwrite: true
          type: group
          fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
        - name: threat
          overwrite: true
          type: group
          fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
        - name: crypto
          overwrite: true
          type: group
          fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP MaxMind database.
        - name: healthcare
          overwrite: true
          type: group
          fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
        - name: endpoint
          overwrite: true
          type: group
          fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: o365
  title: Office 365
  description: >
    Module for handling logs from Office 365.
  fields:
    - name: o365.audit
      type: group
      default_field: false
      description: >
        Fields from Office 365 Management API audit logs.
      fields:
        - name: AADGroupId
          type: keyword
        - name: Actor
          type: array
          fields:
            - name: ID
              type: keyword
            - name: Type
              type: keyword
        - name: ActorContextId
          type: keyword
        - name: ActorIpAddress
          type: keyword
        - name: ActorUserId
          type: keyword
        - name: ActorYammerUserId
          type: keyword
        - name: AlertEntityId
          type: keyword
        - name: AlertId
          type: keyword
        - name: AlertLinks
          type: array
        - name: AlertType
          type: keyword
        - name: AppId
          type: keyword
        - name: ApplicationDisplayName
          type: keyword
        - name: ApplicationId
          type: keyword
        - name: AzureActiveDirectoryEventType
          type: keyword
        - name: ExchangeMetaData.*
          type: object
        - name: Category
          type: keyword
        - name: ClientAppId
          type: keyword
        - name: ClientInfoString
          type: keyword
        - name: ClientIP
          type: keyword
        - name: ClientIPAddress
          type: keyword
        - name: Comments
          type: text
          norms: false
        - name: CommunicationType
          type: keyword
        - name: CorrelationId
          type: keyword
        - name: CreationTime
          type: keyword
        - name: CustomUniqueId
          type: keyword
        - name: Data
          type: keyword
        - name: DataType
          type: keyword
        - name: DoNotDistributeEvent
          type: boolean
        - name: EntityType
          type: keyword
        - name: ErrorNumber
          type: keyword
        - name: EventData
          type: keyword
        - name: EventSource
          type: keyword
        - name: ExceptionInfo.*
          type: object
        - name: ExtendedProperties.*
          type: object
        - name: ExternalAccess
          type: keyword
        - name: FromApp
          type: boolean
        - name: GroupName
          type: keyword
        - name: Id
          type: keyword
        - name: ImplicitShare
          type: keyword
        - name: IncidentId
          type: keyword
        - name: InternalLogonType
          type: keyword
        - name: InterSystemsId
          type: keyword
        - name: IntraSystemId
          type: keyword
        - name: IsDocLib
          type: boolean
        - name: Item.*
          type: object
        - name: Item.*.*
          type: object
        - name: ItemCount
          type: long
        - name: ItemName
          type: keyword
        - name: ItemType
          type: keyword
        - name: ListBaseTemplateType
          type: keyword
        - name: ListBaseType
          type: keyword
        - name: ListColor
          type: keyword
        - name: ListIcon
          type: keyword
        - name: ListId
          type: keyword
        - name: ListTitle
          type: keyword
        - name: ListItemUniqueId
          type: keyword
        - name: LogonError
          type: keyword
        - name: LogonType
          type: keyword
        - name: LogonUserSid
          type: keyword
        - name: MailboxGuid
          type: keyword
        - name: MailboxOwnerMasterAccountSid
          type: keyword
        - name: MailboxOwnerSid
          type: keyword
        - name: MailboxOwnerUPN
          type: keyword
        - name: Members
          type: array
        - name: Members.*
          type: object
        - name: ModifiedProperties.*.*
          type: object
        - name: Name
          type: keyword
        - name: ObjectId
          type: keyword
        - name: Operation
          type: keyword
        - name: OrganizationId
          type: keyword
        - name: OrganizationName
          type: keyword
        - name: OriginatingServer
          type: keyword
        - name: Parameters.*
          type: object
        - name: PolicyDetails
          type: array
        - name: PolicyId
          type: keyword
        - name: RecordType
          type: keyword
        - name: ResultStatus
          type: keyword
        - name: SensitiveInfoDetectionIsIncluded
          type: keyword
        - name: SharePointMetaData.*
          type: object
        - name: SessionId
          type: keyword
        - name: Severity
          type: keyword
        - name: Site
          type: keyword
        - name: SiteUrl
          type: keyword
        - name: Source
          type: keyword
        - name: SourceFileExtension
          type: keyword
        - name: SourceFileName
          type: keyword
        - name: SourceRelativeUrl
          type: keyword
        - name: Status
          type: keyword
        - name: SupportTicketId
          type: keyword
        - name: Target
          type: array
          fields:
            - name: ID
              type: keyword
            - name: Type
              type: keyword
        - name: TargetContextId
          type: keyword
        - name: TargetUserOrGroupName
          type: keyword
        - name: TargetUserOrGroupType
          type: keyword
        - name: TeamName
          type: keyword
        - name: TeamGuid
          type: keyword
        - name: TemplateTypeId
          type: keyword
        - name: UniqueSharingId
          type: keyword
        - name: UserAgent
          type: keyword
        - name: UserId
          type: keyword
        - name: UserKey
          type: keyword
        - name: UserType
          type: keyword
        - name: Version
          type: keyword
        - name: WebId
          type: keyword
        - name: Workload
          type: keyword
        - name: YammerNetworkId
          type: keyword
- key: okta
  title: Okta
  description: >
    Module for handling system logs from Okta.
  fields:
    - name: okta
      type: group
      default_field: false
      description: >
        Fields from Okta.
      fields:
        - name: uuid
          title: UUID
          short: The unique identifier of the Okta LogEvent.
          description: >
            The unique identifier of the Okta LogEvent.
          type: keyword
        - name: event_type
          title: Event Type
          short: The type of the LogEvent.
          description: >
            The type of the LogEvent.
          type: keyword
        - name: version
          title: Version
          short: The version of the LogEvent.
          description: >
            The version of the LogEvent.
          type: keyword
        - name: severity
          title: Severity
          short: The severity of the LogEvent.
          description: >
            The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
          type: keyword
        - name: display_message
          title: Display Message
          short: The display message of the LogEvent.
          description: >
            The display message of the LogEvent.
          type: keyword
        - name: actor
          title: Actor
          short: Fields of the actor for the LogEvent.
          description: >
            Fields that let you store information of the actor for the LogEvent.
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                Identifier of the actor.
            - name: type
              type: keyword
              description: >
                Type of the actor.
            - name: alternate_id
              type: keyword
              description: >
                Alternate identifier of the actor.
            - name: display_name
              type: keyword
              description: >
                Display name of the actor.
        - name: client
          title: Client
          short: Fields about the client of the actor.
          description: >
            Fields that let you store information about the client of the actor.
          type: group
          fields:
            - name: ip
              type: ip
              description: >
                The IP address of the client.
            - name: user_agent
              description: >
                Fields about the user agent information of the client.
              type: group
              fields:
                - name: raw_user_agent
                  type: keyword
                  description: >
                    The raw information of the user agent.
                - name: os
                  type: keyword
                  description: >
                    The OS information.
                - name: browser
                  type: keyword
                  description: >
                    The browser information of the client.
            - name: zone
              type: keyword
              description: >
                The zone information of the client.
            - name: device
              type: keyword
              description: >
                The information of the client device.
            - name: id
              type: keyword
              description: >
                The identifier of the client.
        - name: outcome
          title: Outcome of the LogEvent.
          short: Fields that let you store information about the outcome.
          description: >
            Fields that let you store information about the outcome.
          type: group
          fields:
            - name: reason
              type: keyword
              description: >
                The reason of the outcome.
            - name: result
              type: keyword
              description: >
                The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
        - name: target
          title: Target
          short: The list of targets.
          description: >
            The list of targets.
          type: flattened
          fields:
            - name: id
              type: keyword
              description: >
                Identifier of the actor.
            - name: type
              type: keyword
              description: >
                Type of the actor.
            - name: alternate_id
              type: keyword
              description: >
                Alternate identifier of the actor.
            - name: display_name
              type: keyword
              description: >
                Display name of the actor.
        - name: transaction
          title: Transaction
          short: Fields that let you store information about related transaction.
          description: >
            Fields that let you store information about related transaction.
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                Identifier of the transaction.
            - name: type
              type: keyword
              description: >
                The type of transaction. Must be one of "WEB", "JOB".
        - name: debug_context
          title: Debug Context
          short: Fields that let you store information about the debug context.
          description: >
            Fields that let you store information about the debug context.
          type: group
          fields:
            - name: debug_data
              description: >
                The debug data.
              type: group
              fields:
                - name: device_fingerprint
                  type: keyword
                  description: >
                    The fingerprint of the device.
                - name: request_id
                  type: keyword
                  description: >
                    The identifier of the request.
                - name: request_uri
                  type: keyword
                  description: >
                    The request URI.
                - name: threat_suspected
                  type: keyword
                  description: >
                    Threat suspected.
                - name: url
                  type: keyword
                  description: >
                    The URL.
                - name: suspicious_activity
                  description: >
                    The suspicious activity fields from the debug data.
                  type: group
                  fields:
                    - name: browser
                      type: keyword
                      description: >
                        The browser used.
                    - name: event_city
                      type: keyword
                      description: >
                        The city where the suspicious activity took place.
                    - name: event_country
                      type: keyword
                      description: >
                        The country where the suspicious activity took place.
                    - name: event_id
                      type: keyword
                      description: >
                        The event ID.
                    - name: event_ip
                      type: ip
                      description: >
                        The IP of the suspicious event.
                    - name: event_latitude
                      type: float
                      description: >
                        The latitude where the suspicious activity took place.
                    - name: event_longitude
                      type: float
                      description: >
                        The longitude where the suspicious activity took place.
                    - name: event_state
                      type: keyword
                      description: >
                        The state where the suspicious activity took place.
                    - name: event_transaction_id
                      type: keyword
                      description: >
                        The event transaction ID.
                    - name: event_type
                      type: keyword
                      description: >
                        The event type.
                    - name: os
                      type: keyword
                      description: >
                        The OS of the system from where the suspicious activity occurred.
                    - name: timestamp
                      type: date
                      description: >
                        The timestamp of when the activity occurred.
        - name: authentication_context
          title: Authentication Context
          short: Fields that let you store information about authentication context.
          description: >
            Fields that let you store information about authentication context.
          type: group
          fields:
            - name: authentication_provider
              type: keyword
              description: >
                The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
            - name: authentication_step
              type: integer
              description: >
                The authentication step.
            - name: credential_provider
              type: keyword
              description: >
                The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
            - name: credential_type
              type: keyword
              description: >
                The information about credential type.
                Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
            - name: issuer
              description: >
                The information about the issuer.
              type: array
              fields:
                - name: id
                  type: keyword
                  description: >
                    The identifier of the issuer.
                - name: type
                  type: keyword
                  description: >
                    The type of the issuer.
            - name: external_session_id
              type: keyword
              description: >
                The session identifier of the external session if any.
            - name: interface
              type: keyword
              description: >
                The interface used. e.g., Outlook, Office365, wsTrust
        - name: security_context
          title: Security Context
          short: Fields that let you store information about security context.
          description: >
            Fields that let you store information about security context.
          type: group
          fields:
            - name: as
              type: group
              description: >
                The autonomous system.
              fields:
                - name: number
                  type: integer
                  description: >
                    The AS number.
                - name: organization
                  type: group
                  description: >
                    The organization that owns the AS number.
                  fields:
                    - name: name
                      type: keyword
                      description: >
                        The organization name.
            - name: isp
              type: keyword
              description: >
                The Internet Service Provider.
            - name: domain
              type: keyword
              description: >
                The domain name.
            - name: is_proxy
              type: boolean
              description: >
                Whether it is a proxy or not.
        - name: request
          title: Request
          short: Fields that let you store information about the request.
          description: >
            Fields that let you store information about the request, in the form of list of ip_chain.
          type: group
          fields:
            - name: ip_chain
              description: >
                List of ip_chain objects.
              type: group
              fields:
                - name: ip
                  type: ip
                  description: >
                    IP address.
                - name: version
                  type: keyword
                  description: >
                    IP version. Must be one of V4, V6.
                - name: source
                  type: keyword
                  description: >
                    Source information.
                - name: geographical_context
                  description: >
                    Geographical information.
                  type: group
                  fields:
                    - name: city
                      type: keyword
                      description: The city.
                    - name: state
                      type: keyword
                      description: The state.
                    - name: postal_code
                      type: keyword
                      description: The postal code.
                    - name: country
                      type: keyword
                      description: The country.
                    - name: geolocation
                      description: >
                        Geolocation information.
                      type: geo_point
- key: oracle
  title: Oracle
  description: >
    Oracle Module
  fields:
    - name: oracle
      type: group
      description: >
        Fields from Oracle logs.
      fields:
        - name: database_audit
          type: group
          release: beta
          description: >
            Module for parsing Oracle Database audit logs
          fields:
            - name: status
              type: keyword
              description: >
                Database Audit Status.
            - name: session_id
              type: keyword
              description: >
                Indicates the audit session ID number.
            - name: client.terminal
              type: keyword
              description: >
                If available, the client terminal type, for example "pty".
            - name: client.address
              type: keyword
              description: >
                The IP Address or Domain used by the client.
            - name: client.user
              type: keyword
              description: >
                The user running the client or connection to the database.
            - name: database.user
              type: keyword
              description: >
                The database user used to authenticate.
            - name: privilege
              type: keyword
              description: >
                The privilege group related to the database user.
            - name: entry.id
              type: keyword
              description: >
                Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
            - name: database.host
              type: keyword
              description: >
                Client host machine name.
            - name: action
              type: keyword
              description: >
                The action performed during the audit event. This could for example be the raw query.
            - name: action_number
              type: keyword
              description: >
                Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
            - name: database.id
              type: keyword
              description: >
                Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
            - name: length
              type: long
              description: >
                Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
- key: panw
  title: panw
  description: >
    Module for Palo Alto Networks (PAN-OS)
  fields:
    - name: panw
      type: group
      description: >
        Fields from the panw module.
      fields:
        - name: panos
          type: group
          description: >
            Fields for the Palo Alto Networks PAN-OS logs.
          fields:
            - name: ruleset
              type: keyword
              description: >
                Name of the rule that matched this session.
            - name: source
              type: group
              description: >
                Fields to extend the top-level source object.
              fields:
                - name: zone
                  type: keyword
                  description: >
                    Source zone for this session.
                - name: interface
                  type: keyword
                  description: >
                    Source interface for this session.
                - name: nat
                  type: group
                  description: >
                    Post-NAT source address, if source NAT is performed.
                  fields:
                    - name: ip
                      type: ip
                      description: >
                        Post-NAT source IP.
                    - name: port
                      type: long
                      description: >
                        Post-NAT source port.
            - name: destination
              type: group
              description: >
                Fields to extend the top-level destination object.
              fields:
                - name: zone
                  type: keyword
                  description: >
                    Destination zone for this session.
                - name: interface
                  type: keyword
                  description: >
                    Destination interface for this session.
                - name: nat
                  type: group
                  description: >
                    Post-NAT destination address, if destination NAT is performed.
                  fields:
                    - name: ip
                      type: ip
                      description: >
                        Post-NAT destination IP.
                    - name: port
                      type: long
                      description: >
                        Post-NAT destination port.
            - name: endreason
              type: keyword
              description: >
                The reason a session terminated.
            - name: network
              type: group
              description: >
                Fields to extend the top-level network object.
              fields:
                - name: pcap_id
                  type: keyword
                  description: >
                    Packet capture ID for a threat.
                - name: nat
                  type: group
                  fields:
                    - name: community_id
                      type: keyword
                      description: >
                        Community ID flow-hash for the NAT 5-tuple.
            - name: file
              type: group
              description: >
                Fields to extend the top-level file object.
              fields:
                - name: hash
                  description: >
                    Binary hash for a threat file sent to be analyzed by the WildFire service.
                  type: keyword
            - name: url
              type: group
              description: >
                Fields to extend the top-level url object.
              fields:
                - name: category
                  type: keyword
                  description: >
                    For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.
            - name: flow_id
              type: keyword
              description: >
                Internal numeric identifier for each session.
            - name: sequence_number
              type: long
              description: >
                Log entry identifier that is incremented sequentially. Unique for each log type.
            - name: threat.resource
              type: keyword
              description: >
                URL or file name for a threat.
            - name: threat.id
              type: keyword
              description: >
                Palo Alto Networks identifier for the threat.
            - name: threat.name
              type: keyword
              description: >
                Palo Alto Networks name for the threat.
            - name: action
              type: keyword
              description: >-
                Action taken for the session.
            - name: type
              description: >-
                Specifies the type of the log
            - name: sub_type
              description: >-
                Specifies the sub type of the log
            - name: virtual_sys
              type: keyword
              default_field: false
              description: >
                Virtual system instance
            - name: client_os_ver
              type: keyword
              default_field: false
              description: >
                The client device’s OS version.
            - name: client_os
              type: keyword
              default_field: false
              description: >
                The client device’s OS version.
            - name: client_ver
              type: keyword
              default_field: false
              description: >
                The client’s GlobalProtect app version.
            - name: stage
              type: keyword
              default_field: false
              example: before-login
              description: >
                A string showing the stage of the connection
            - name: actionflags
              type: keyword
              default_field: false
              description: >
                A bit field indicating if the log was forwarded to Panorama.
            - name: error
              type: keyword
              default_field: false
              description: >
                A string showing that error that has occurred in any event.
            - name: error_code
              type: integer
              default_field: false
              description: >
                An integer associated with any errors that occurred.
            - name: repeatcnt
              type: integer
              default_field: false
              description: >
                The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds. An integer associated with any errors that occurred.
            - name: serial_number
              type: keyword
              default_field: false
              description: >
                The serial number of the user’s machine or device.
            - name: auth_method
              type: keyword
              default_field: false
              example: LDAP
              description: >
                A string showing the authentication type
            - name: datasource
              type: keyword
              default_field: false
              description: >
                Source from which mapping information is collected.
            - name: datasourcetype
              type: keyword
              default_field: false
              description: >
                Mechanism used to identify the IP/User mappings within a data source.
            - name: datasourcename
              type: keyword
              default_field: false
              description: >
                User-ID source that sends the IP (Port)-User Mapping.
            - name: factorno
              type: integer
              default_field: false
              description: >
                Indicates the use of primary authentication (1) or additional factors (2, 3).
            - name: factortype
              type: keyword
              default_field: false
              description: >
                Vendor used to authenticate a user when Multi Factor authentication is present.
            - name: factorcompletiontime
              type: date
              default_field: false
              description: >
                Time the authentication was completed.
            - name: ugflags
              type: keyword
              default_field: false
              description: |
                Displays whether the user group that was found during user group mapping. Supported values are:
                User Group Found—Indicates whether the user could be mapped to a group.
                Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
            - name: device_group_hierarchy
              type: group
              default_field: false
              description: >
                A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
                The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy.
                The shared device group (level 0) is not included in this structure.
                If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
              fields:
                - name: level_1
                  type: keyword
                  default_field: false
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
                    The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy.
                    The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
                - name: level_2
                  type: keyword
                  default_field: false
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
                    The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy.
                    The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
                - name: level_3
                  type: keyword
                  default_field: false
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
                    The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy.
                    The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
                - name: level_4
                  type: keyword
                  default_field: false
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
                    The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy.
                    The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
            - name: timeout
              type: integer
              default_field: false
              description: >
                Timeout after which the IP/User Mappings are cleared.
            - name: vsys_id
              type: keyword
              default_field: false
              description: >
                A unique identifier for a virtual system on a Palo Alto Networks firewall.
            - name: vsys_name
              type: keyword
              default_field: false
              description: >
                The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
            - name: description
              type: keyword
              default_field: false
              description: >
                Additional information for any event that has occurred.
            - name: tunnel_type
              type: keyword
              default_field: false
              description: >
                The type of tunnel (either SSLVPN or IPSec).
            - name: connect_method
              type: keyword
              default_field: false
              description: >
                A string showing how the GlobalProtect app connects to Gateway
            - name: matchname
              type: keyword
              default_field: false
              description: >
                Name of the HIP object or profile.
            - name: matchtype
              type: keyword
              default_field: false
              description: >
                Whether the hip field represents a HIP object or a HIP profile.
            - name: priority
              type: keyword
              default_field: false
              description: >
                The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
            - name: response_time
              type: keyword
              default_field: false
              description: >
                The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
            - name: attempted_gateways
              type: keyword
              default_field: false
              description: >
                The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
            - name: gateway
              type: keyword
              default_field: false
              description: >
                The name of the gateway that is specified on the portal configuration.
            - name: selection_type
              type: keyword
              default_field: false
              description: >
                The connection method that is selected to connect to the gateway.
- key: proofpoint
  title: Proofpoint Email Security
  description: >
    proofpoint fields.
  fields:
    - name: network.interface.name
      overwrite: true
      type: keyword
      default_field: false
      description: >
        Name of the network interface where the traffic has been observed.
    - name: rsa
      overwrite: true
      type: group
      default_field: false
      fields:
        - name: internal
          overwrite: true
          type: group
          fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
        - name: time
          overwrite: true
          type: group
          fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in seconds.
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action.
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded.
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only variable.
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only.
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: rabbitmq title: "RabbitMQ" description: > RabbitMQ Module fields: - name: rabbitmq type: group description: > fields: - name: log type: group description: > RabbitMQ log files fields: - name: pid type: keyword description: The Erlang process id example: <0.222.0> - key: radware title: Radware DefensePro description: > radware fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. 
- name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
        - name: event_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture the incomplete time mentioned in a session as a string.
        - name: starttime
          overwrite: true
          type: date
          description: This key is used to capture the start time mentioned in a session in a standard form.
        - name: month
          overwrite: true
          type: keyword
        - name: day
          overwrite: true
          type: keyword
        - name: endtime
          overwrite: true
          type: date
          description: This key is used to capture the end time mentioned in a session in a standard form.
        - name: timezone
          overwrite: true
          type: keyword
          description: This key is used to capture the timezone of the event time.
        - name: duration_str
          overwrite: true
          type: keyword
          description: A text string version of the duration.
        - name: date
          overwrite: true
          type: keyword
        - name: year
          overwrite: true
          type: keyword
        - name: recorded_time
          overwrite: true
          type: date
          description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
        - name: datetime
          overwrite: true
          type: keyword
        - name: effective_time
          overwrite: true
          type: date
          description: This key is the effective time referenced by an individual event, in a standard timestamp format.
        - name: expire_time
          overwrite: true
          type: date
          description: This key is the timestamp that explicitly refers to an expiration.
        - name: process_time
          overwrite: true
          type: keyword
          description: Deprecated, use duration.time
        - name: hour
          overwrite: true
          type: keyword
        - name: min
          overwrite: true
          type: keyword
        - name: timestamp
          overwrite: true
          type: keyword
        - name: event_queue_time
          overwrite: true
          type: date
          description: This key is the time that the event was queued.
        - name: p_time1
          overwrite: true
          type: keyword
        - name: tzone
          overwrite: true
          type: keyword
        - name: eventtime
          overwrite: true
          type: keyword
        - name: gmtdate
          overwrite: true
          type: keyword
        - name: gmttime
          overwrite: true
          type: keyword
        - name: p_date
          overwrite: true
          type: keyword
        - name: p_month
          overwrite: true
          type: keyword
        - name: p_time
          overwrite: true
          type: keyword
        - name: p_time2
          overwrite: true
          type: keyword
        - name: p_year
          overwrite: true
          type: keyword
        - name: expire_time_str
          overwrite: true
          type: keyword
          description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
        - name: stamp
          overwrite: true
          type: date
          description: Deprecated key defined only in table map.
    - name: misc
      overwrite: true
      type: group
      fields:
        - name: action
          overwrite: true
          type: keyword
        - name: result
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result string value of an action in a session.
        - name: severity
          overwrite: true
          type: keyword
          description: This key is used to capture the severity given to the session.
        - name: event_type
          overwrite: true
          type: keyword
          description: This key captures the event category type as specified by the event source.
        - name: reference_id
          overwrite: true
          type: keyword
          description: This key is used to capture an event id from the session directly.
        - name: version
          overwrite: true
          type: keyword
          description: This key captures the version of the application or OS which is generating the event.
        - name: disposition
          overwrite: true
          type: keyword
          description: This key captures the end state of an action.
        - name: result_code
          overwrite: true
          type: keyword
          description: This key is used to capture the outcome/result numeric value of an action in a session.
        - name: category
          overwrite: true
          type: keyword
          description: This key is used to capture the category of an event given by the vendor in the session.
        - name: obj_name
          overwrite: true
          type: keyword
          description: This is used to capture the name of an object.
        - name: obj_type
          overwrite: true
          type: keyword
          description: This is used to capture the type of an object.
        - name: event_source
          overwrite: true
          type: keyword
          description: This key captures the source of the event when it is not a hostname.
        - name: log_session_id
          overwrite: true
          type: keyword
          description: This key is used to capture a session id from the session directly.
        - name: group
          overwrite: true
          type: keyword
          description: This key captures the group name value.
        - name: policy_name
          overwrite: true
          type: keyword
          description: This key is used to capture the policy name only.
        - name: rule_name
          overwrite: true
          type: keyword
          description: This key captures the rule name.
        - name: context
          overwrite: true
          type: keyword
          description: This key captures information which adds additional context to the event.
        - name: change_new
          overwrite: true
          type: keyword
          description: This key is used to capture the new value of the attribute that is changing in a session.
        - name: space
          overwrite: true
          type: keyword
        - name: client
          overwrite: true
          type: keyword
          description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
        - name: msgIdPart1
          overwrite: true
          type: keyword
        - name: msgIdPart2
          overwrite: true
          type: keyword
        - name: change_old
          overwrite: true
          type: keyword
          description: This key is used to capture the old value of the attribute that is changing in a session.
        - name: operation_id
          overwrite: true
          type: keyword
          description: An alert number or operation number. The values should be unique and non-repeating.
        - name: event_state
          overwrite: true
          type: keyword
          description: This key captures the current state of the object/item referenced within the event, describing an on-going event.
        - name: group_object
          overwrite: true
          type: keyword
          description: This key captures a collection/grouping of entities. Specific usage
        - name: node
          overwrite: true
          type: keyword
          description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
        - name: rule
          overwrite: true
          type: keyword
          description: This key captures the rule number.
        - name: device_name
          overwrite: true
          type: keyword
          description: This is used to capture the name of the device associated with the node, such as a physical disk, printer, etc.
        - name: param
          overwrite: true
          type: keyword
          description: This key is the parameters passed as part of a command or application, etc.
        - name: change_attrib
          overwrite: true
          type: keyword
          description: This key is used to capture the name of the attribute that is changing in a session.
        - name: event_computer
          overwrite: true
          type: keyword
          description: This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.
        - name: reference_id1
          overwrite: true
          type: keyword
          description: This key is for a linked ID to be used as an addition to "reference.id".
        - name: event_log
          overwrite: true
          type: keyword
          description: This key captures the name of the event log.
        - name: OS
          overwrite: true
          type: keyword
          description: This key captures the name of the operating system.
        - name: terminal
          overwrite: true
          type: keyword
          description: This key captures the terminal names only.
        - name: msgIdPart3
          overwrite: true
          type: keyword
        - name: filter
          overwrite: true
          type: keyword
          description: This key captures the filter used to reduce the result set.
        - name: serial_number
          overwrite: true
          type: keyword
          description: This key is the serial number associated with a physical asset.
        - name: checksum
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of an entity such as a file or process. checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
        - name: event_user
          overwrite: true
          type: keyword
          description: This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log.
        - name: virusname
          overwrite: true
          type: keyword
          description: This key captures the name of the virus.
        - name: content_type
          overwrite: true
          type: keyword
          description: This key is used to capture the content type only.
        - name: group_id
          overwrite: true
          type: keyword
          description: This key captures the group ID number (related to the group name).
        - name: policy_id
          overwrite: true
          type: keyword
          description: This key is used to capture the policy ID only; this should be a numeric value, use policy.name otherwise.
        - name: vsys
          overwrite: true
          type: keyword
          description: This key captures the virtual system name.
        - name: connection_id
          overwrite: true
          type: keyword
          description: This key captures the connection ID.
        - name: reference_id2
          overwrite: true
          type: keyword
          description: This key is for the 2nd linked ID. It can be linked to either the "reference.id" or the "reference.id1" value, but should not be used unless the other two variables are in play.
        - name: sensor
          overwrite: true
          type: keyword
          description: This key captures the name of the sensor. Typically used in IDS/IPS based devices.
        - name: sig_id
          overwrite: true
          type: long
          description: This key captures the IDS/IPS integer signature ID.
        - name: port_name
          overwrite: true
          type: keyword
          description: This key is used for a physical or logical port connection but does NOT include a network port (for example, a printer port name).
        - name: rule_group
          overwrite: true
          type: keyword
          description: This key captures the rule group name.
        - name: risk_num
          overwrite: true
          type: double
          description: This key captures a numeric risk value.
        - name: trigger_val
          overwrite: true
          type: keyword
          description: This key captures the value of the trigger or threshold condition.
        - name: log_session_id1
          overwrite: true
          type: keyword
          description: This key is used to capture a linked (related) session ID from the session directly.
        - name: comp_version
          overwrite: true
          type: keyword
          description: This key captures the version level of a sub-component of a product.
        - name: content_version
          overwrite: true
          type: keyword
          description: This key captures the version level of a signature or database content.
        - name: hardware_id
          overwrite: true
          type: keyword
          description: This key is used to capture a unique identifier for a device or system (NOT a MAC address).
        - name: risk
          overwrite: true
          type: keyword
          description: This key captures the non-numeric risk value.
        - name: event_id
          overwrite: true
          type: keyword
        - name: reason
          overwrite: true
          type: keyword
        - name: status
          overwrite: true
          type: keyword
        - name: mail_id
          overwrite: true
          type: keyword
          description: This key is used to capture the mailbox id/name.
        - name: rule_uid
          overwrite: true
          type: keyword
          description: This key is the unique identifier for a rule.
        - name: trigger_desc
          overwrite: true
          type: keyword
          description: This key captures the description of the trigger or threshold condition.
        - name: inout
          overwrite: true
          type: keyword
        - name: p_msgid
          overwrite: true
          type: keyword
        - name: data_type
          overwrite: true
          type: keyword
        - name: msgIdPart4
          overwrite: true
          type: keyword
        - name: error
          overwrite: true
          type: keyword
          description: This key captures all non-successful error codes or responses.
        - name: index
          overwrite: true
          type: keyword
        - name: listnum
          overwrite: true
          type: keyword
          description: This key is used to capture a list name or list number, primarily for collecting access-lists.
        - name: ntype
          overwrite: true
          type: keyword
        - name: observed_val
          overwrite: true
          type: keyword
          description: This key captures the value observed (from the perspective of the device generating the log).
        - name: policy_value
          overwrite: true
          type: keyword
          description: This key captures the contents of the policy.
            This contains details about the policy.
        - name: pool_name
          overwrite: true
          type: keyword
          description: This key captures the name of a resource pool.
        - name: rule_template
          overwrite: true
          type: keyword
          description: A default set of parameters which are overlaid onto a rule (or rulename) and which effectively constitutes a template.
        - name: count
          overwrite: true
          type: keyword
        - name: number
          overwrite: true
          type: keyword
        - name: sigcat
          overwrite: true
          type: keyword
        - name: type
          overwrite: true
          type: keyword
        - name: comments
          overwrite: true
          type: keyword
          description: Comment information provided in the log message.
        - name: doc_number
          overwrite: true
          type: long
          description: This key captures the file identification number.
        - name: expected_val
          overwrite: true
          type: keyword
          description: This key captures the value expected (from the perspective of the device generating the log).
        - name: job_num
          overwrite: true
          type: keyword
          description: This key captures the job number.
        - name: spi_dst
          overwrite: true
          type: keyword
          description: Destination SPI index.
        - name: spi_src
          overwrite: true
          type: keyword
          description: Source SPI index.
        - name: code
          overwrite: true
          type: keyword
        - name: agent_id
          overwrite: true
          type: keyword
          description: This key is used to capture the agent id.
        - name: message_body
          overwrite: true
          type: keyword
          description: This key captures the contents of the message body.
        - name: phone
          overwrite: true
          type: keyword
        - name: sig_id_str
          overwrite: true
          type: keyword
          description: This key captures a string object of the sigid variable.
        - name: cmd
          overwrite: true
          type: keyword
        - name: misc
          overwrite: true
          type: keyword
        - name: name
          overwrite: true
          type: keyword
        - name: cpu
          overwrite: true
          type: long
          description: This key is the CPU time used in the execution of the event being recorded.
        - name: event_desc
          overwrite: true
          type: keyword
          description: This key is used to capture a description of an event, available directly or inferred.
        - name: sig_id1
          overwrite: true
          type: long
          description: This key captures the IDS/IPS integer signature ID. This must be linked to the sig.id.
        - name: im_buddyid
          overwrite: true
          type: keyword
        - name: im_client
          overwrite: true
          type: keyword
        - name: im_userid
          overwrite: true
          type: keyword
        - name: pid
          overwrite: true
          type: keyword
        - name: priority
          overwrite: true
          type: keyword
        - name: context_subject
          overwrite: true
          type: keyword
          description: This key is to be used in an audit context where the subject is the object being identified.
        - name: context_target
          overwrite: true
          type: keyword
        - name: cve
          overwrite: true
          type: keyword
          description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier, an identifier for known information security vulnerabilities.
        - name: fcatnum
          overwrite: true
          type: keyword
          description: This key captures the filter category number. Legacy usage.
        - name: library
          overwrite: true
          type: keyword
          description: This key is used to capture library information in mainframe devices.
        - name: parent_node
          overwrite: true
          type: keyword
          description: This key captures the parent node name. Must be related to the node variable.
        - name: risk_info
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: tcp_flags
          overwrite: true
          type: long
          description: This key captures the TCP flags set in any packet of the session.
        - name: tos
          overwrite: true
          type: long
          description: This key describes the type of service.
        - name: vm_target
          overwrite: true
          type: keyword
          description: VMware target. **VMWARE** only variable.
        - name: workspace
          overwrite: true
          type: keyword
          description: This key captures the workspace description.
        - name: command
          overwrite: true
          type: keyword
        - name: event_category
          overwrite: true
          type: keyword
        - name: facilityname
          overwrite: true
          type: keyword
        - name: forensic_info
          overwrite: true
          type: keyword
        - name: jobname
          overwrite: true
          type: keyword
        - name: mode
          overwrite: true
          type: keyword
        - name: policy
          overwrite: true
          type: keyword
        - name: policy_waiver
          overwrite: true
          type: keyword
        - name: second
          overwrite: true
          type: keyword
        - name: space1
          overwrite: true
          type: keyword
        - name: subcategory
          overwrite: true
          type: keyword
        - name: tbdstr2
          overwrite: true
          type: keyword
        - name: alert_id
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: checksum_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the target entity such as a process or file.
        - name: checksum_src
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the source entity such as a file or process.
        - name: fresult
          overwrite: true
          type: long
          description: This key captures the filter result.
        - name: payload_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the destination payload.
        - name: payload_src
          overwrite: true
          type: keyword
          description: This key is used to capture the source payload.
        - name: pool_id
          overwrite: true
          type: keyword
          description: This key captures the identifier (typically a numeric field) of a resource pool.
        - name: process_id_val
          overwrite: true
          type: keyword
          description: This key is a failure key for the process ID when it is not an integer value.
        - name: risk_num_comm
          overwrite: true
          type: double
          description: This key captures the Risk Number Community.
        - name: risk_num_next
          overwrite: true
          type: double
          description: This key captures the Risk Number NextGen.
        - name: risk_num_sand
          overwrite: true
          type: double
          description: This key captures the Risk Number SandBox.
        - name: risk_num_static
          overwrite: true
          type: double
          description: This key captures the Risk Number Static.
        - name: risk_suspicious
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: risk_warning
          overwrite: true
          type: keyword
          description: Deprecated, use the New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: snmp_oid
          overwrite: true
          type: keyword
          description: SNMP Object Identifier.
        - name: sql
          overwrite: true
          type: keyword
          description: This key captures the SQL query.
        - name: vuln_ref
          overwrite: true
          type: keyword
          description: This key captures the vulnerability reference details.
        - name: acl_id
          overwrite: true
          type: keyword
        - name: acl_op
          overwrite: true
          type: keyword
        - name: acl_pos
          overwrite: true
          type: keyword
        - name: acl_table
          overwrite: true
          type: keyword
        - name: admin
          overwrite: true
          type: keyword
        - name: alarm_id
          overwrite: true
          type: keyword
        - name: alarmname
          overwrite: true
          type: keyword
        - name: app_id
          overwrite: true
          type: keyword
        - name: audit
          overwrite: true
          type: keyword
        - name: audit_object
          overwrite: true
          type: keyword
        - name: auditdata
          overwrite: true
          type: keyword
        - name: benchmark
          overwrite: true
          type: keyword
        - name: bypass
          overwrite: true
          type: keyword
        - name: cache
          overwrite: true
          type: keyword
        - name: cache_hit
          overwrite: true
          type: keyword
        - name: cefversion
          overwrite: true
          type: keyword
        - name: cfg_attr
          overwrite: true
          type: keyword
        - name: cfg_obj
          overwrite: true
          type: keyword
        - name: cfg_path
          overwrite: true
          type: keyword
        - name: changes
          overwrite: true
          type: keyword
        - name: client_ip
          overwrite: true
          type: keyword
        - name: clustermembers
          overwrite: true
          type: keyword
        - name: cn_acttimeout
          overwrite: true
          type: keyword
        - name: cn_asn_src
          overwrite: true
          type: keyword
        - name: cn_bgpv4nxthop
          overwrite: true
          type: keyword
        - name: cn_ctr_dst_code
          overwrite: true
          type: keyword
        - name: cn_dst_tos
          overwrite: true
          type: keyword
        - name: cn_dst_vlan
          overwrite: true
          type: keyword
        - name: cn_engine_id
          overwrite: true
          type: keyword
        - name: cn_engine_type
          overwrite: true
          type: keyword
        - name: cn_f_switch
          overwrite: true
          type: keyword
        - name: cn_flowsampid
          overwrite: true
          type: keyword
        - name: cn_flowsampintv
          overwrite: true
          type: keyword
        - name: cn_flowsampmode
          overwrite: true
          type: keyword
        - name: cn_inacttimeout
          overwrite: true
          type: keyword
        - name: cn_inpermbyts
          overwrite: true
          type: keyword
        - name: cn_inpermpckts
          overwrite: true
          type: keyword
        - name: cn_invalid
          overwrite: true
          type: keyword
        - name: cn_ip_proto_ver
          overwrite: true
          type: keyword
        - name: cn_ipv4_ident
          overwrite: true
          type: keyword
        - name: cn_l_switch
          overwrite: true
          type: keyword
        - name: cn_log_did
          overwrite: true
          type: keyword
        - name: cn_log_rid
          overwrite: true
          type: keyword
        - name: cn_max_ttl
          overwrite: true
          type: keyword
        - name: cn_maxpcktlen
          overwrite: true
          type: keyword
        - name: cn_min_ttl
          overwrite: true
          type: keyword
        - name: cn_minpcktlen
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_1
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_10
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_2
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_3
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_4
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_5
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_6
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_7
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_8
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_9
          overwrite: true
          type: keyword
        - name: cn_mplstoplabel
          overwrite: true
          type: keyword
        - name: cn_mplstoplabip
          overwrite: true
          type: keyword
        - name: cn_mul_dst_byt
          overwrite: true
          type: keyword
        - name: cn_mul_dst_pks
          overwrite: true
          type: keyword
        - name: cn_muligmptype
          overwrite: true
          type: keyword
        - name: cn_sampalgo
          overwrite: true
          type: keyword
        - name: cn_sampint
          overwrite: true
          type: keyword
        - name: cn_seqctr
          overwrite: true
          type: keyword
        - name: cn_spackets
          overwrite: true
          type: keyword
        - name: cn_src_tos
          overwrite: true
          type: keyword
        - name: cn_src_vlan
          overwrite: true
          type: keyword
        - name: cn_sysuptime
          overwrite: true
          type: keyword
        - name: cn_template_id
          overwrite: true
          type: keyword
        - name: cn_totbytsexp
          overwrite: true
          type: keyword
        - name: cn_totflowexp
          overwrite: true
          type: keyword
        - name: cn_totpcktsexp
          overwrite: true
          type: keyword
        - name: cn_unixnanosecs
          overwrite: true
          type: keyword
        - name: cn_v6flowlabel
          overwrite: true
          type: keyword
        - name: cn_v6optheaders
          overwrite: true
          type: keyword
        - name: comp_class
          overwrite: true
          type: keyword
        - name: comp_name
          overwrite: true
          type: keyword
        - name: comp_rbytes
          overwrite: true
          type: keyword
        - name: comp_sbytes
          overwrite: true
          type: keyword
        - name: cpu_data
          overwrite: true
          type: keyword
        - name: criticality
          overwrite: true
          type: keyword
        - name: cs_agency_dst
          overwrite: true
          type: keyword
        - name: cs_analyzedby
          overwrite: true
          type: keyword
        - name: cs_av_other
          overwrite: true
          type: keyword
        - name: cs_av_primary
          overwrite: true
          type: keyword
        - name: cs_av_secondary
          overwrite: true
          type: keyword
        - name: cs_bgpv6nxthop
          overwrite: true
          type: keyword
        - name: cs_bit9status
          overwrite: true
          type: keyword
        - name: cs_context
          overwrite: true
          type: keyword
        - name: cs_control
          overwrite: true
          type: keyword
        - name: cs_data
          overwrite: true
          type: keyword
        - name: cs_datecret
          overwrite: true
          type: keyword
        - name: cs_dst_tld
          overwrite: true
          type: keyword
        - name: cs_eth_dst_ven
          overwrite: true
          type: keyword
        - name: cs_eth_src_ven
          overwrite: true
          type: keyword
        - name: cs_event_uuid
          overwrite: true
          type: keyword
        - name: cs_filetype
          overwrite: true
          type: keyword
        - name: cs_fld
          overwrite: true
          type: keyword
        - name: cs_if_desc
          overwrite: true
          type: keyword
        - name: cs_if_name
          overwrite: true
          type: keyword
        - name: cs_ip_next_hop
          overwrite: true
          type: keyword
        - name: cs_ipv4dstpre
          overwrite: true
          type: keyword
        - name: cs_ipv4srcpre
          overwrite: true
          type: keyword
        - name: cs_lifetime
          overwrite: true
          type: keyword
        - name: cs_log_medium
          overwrite: true
          type: keyword
        - name: cs_loginname
          overwrite: true
          type: keyword
        - name: cs_modulescore
          overwrite: true
          type: keyword
        - name: cs_modulesign
          overwrite: true
          type: keyword
        - name: cs_opswatresult
          overwrite: true
          type: keyword
        - name: cs_payload
          overwrite: true
          type: keyword
        - name: cs_registrant
          overwrite: true
          type: keyword
        - name: cs_registrar
          overwrite: true
          type: keyword
        - name: cs_represult
          overwrite: true
          type: keyword
        - name: cs_rpayload
          overwrite: true
          type: keyword
        - name: cs_sampler_name
          overwrite: true
          type: keyword
        - name: cs_sourcemodule
          overwrite: true
          type: keyword
        - name: cs_streams
          overwrite: true
          type: keyword
        - name: cs_targetmodule
          overwrite: true
          type: keyword
        - name: cs_v6nxthop
          overwrite: true
          type: keyword
        - name: cs_whois_server
          overwrite: true
          type: keyword
        - name: cs_yararesult
          overwrite: true
          type: keyword
        - name: description
          overwrite: true
          type: keyword
        - name: devvendor
          overwrite: true
          type: keyword
        - name: distance
          overwrite: true
          type: keyword
        - name: dstburb
          overwrite: true
          type: keyword
        - name: edomain
          overwrite: true
          type: keyword
        - name: edomaub
          overwrite: true
          type: keyword
        - name: euid
          overwrite: true
          type: keyword
        - name: facility
          overwrite: true
          type: keyword
        - name: finterface
          overwrite: true
          type: keyword
        - name: flags
          overwrite: true
          type: keyword
        - name: gaddr
          overwrite: true
          type: keyword
        - name: id3
          overwrite: true
          type: keyword
        - name: im_buddyname
          overwrite: true
          type: keyword
        - name: im_croomid
          overwrite: true
          type: keyword
        - name: im_croomtype
          overwrite: true
          type: keyword
        - name: im_members
          overwrite: true
          type: keyword
        - name: im_username
          overwrite: true
          type: keyword
        - name: ipkt
          overwrite: true
          type: keyword
        - name: ipscat
          overwrite: true
          type: keyword
        - name: ipspri
          overwrite: true
          type: keyword
        - name: latitude
          overwrite: true
          type: keyword
        - name: linenum
          overwrite: true
          type: keyword
        - name: list_name
          overwrite: true
          type: keyword
        - name: load_data
          overwrite: true
          type: keyword
        - name: location_floor
          overwrite: true
          type: keyword
        - name: location_mark
          overwrite: true
          type: keyword
        - name: log_id
          overwrite: true
          type: keyword
        - name: log_type
          overwrite: true
          type: keyword
        - name: logid
          overwrite: true
          type: keyword
        - name: logip
          overwrite: true
          type: keyword
        - name: logname
          overwrite: true
          type: keyword
        - name: longitude
          overwrite: true
          type: keyword
        - name: lport
          overwrite: true
          type: keyword
        - name: mbug_data
          overwrite: true
          type: keyword
        - name: misc_name
          overwrite: true
          type: keyword
        - name: msg_type
          overwrite: true
          type: keyword
        - name: msgid
          overwrite: true
          type: keyword
        - name: netsessid
          overwrite: true
          type: keyword
        - name: num
          overwrite: true
          type: keyword
        - name: number1
          overwrite: true
          type: keyword
        - name: number2
          overwrite: true
          type: keyword
        - name: nwwn
          overwrite: true
          type: keyword
        - name: object
          overwrite: true
          type: keyword
        - name: operation
          overwrite: true
          type: keyword
        - name: opkt
          overwrite: true
          type: keyword
        - name: orig_from
          overwrite: true
          type: keyword
        - name: owner_id
          overwrite: true
          type: keyword
        - name: p_action
          overwrite: true
          type: keyword
        - name: p_filter
          overwrite: true
          type: keyword
        - name: p_group_object
          overwrite: true
          type: keyword
        - name: p_id
          overwrite: true
          type: keyword
        - name: p_msgid1
          overwrite: true
          type: keyword
        - name: p_msgid2
          overwrite: true
          type: keyword
        - name: p_result1
          overwrite: true
          type: keyword
        - name: password_chg
          overwrite: true
          type: keyword
        - name: password_expire
          overwrite: true
          type: keyword
        - name: permgranted
          overwrite: true
          type: keyword
        - name: permwanted
          overwrite: true
          type: keyword
        - name: pgid
          overwrite: true
          type: keyword
        - name: policyUUID
          overwrite: true
          type: keyword
        - name: prog_asp_num
          overwrite: true
          type: keyword
        - name: program
          overwrite: true
          type: keyword
        - name: real_data
          overwrite: true
          type: keyword
        - name: rec_asp_device
          overwrite: true
          type: keyword
        - name: rec_asp_num
          overwrite: true
          type: keyword
        - name: rec_library
          overwrite: true
          type: keyword
        - name: recordnum
          overwrite: true
          type: keyword
        - name: ruid
          overwrite: true
          type: keyword
        - name: sburb
          overwrite: true
          type: keyword
        - name: sdomain_fld
          overwrite: true
          type: keyword
        - name: sec
          overwrite: true
          type: keyword
        - name: sensorname
          overwrite: true
          type: keyword
        - name: seqnum
          overwrite: true
          type: keyword
        - name: session
          overwrite: true
          type: keyword
        - name: sessiontype
          overwrite: true
          type: keyword
        - name: sigUUID
          overwrite: true
          type: keyword
        - name: spi
          overwrite: true
          type: keyword
        - name: srcburb
          overwrite: true
          type: keyword
        - name: srcdom
          overwrite: true
          type: keyword
        - name: srcservice
          overwrite: true
          type: keyword
        - name: state
          overwrite: true
          type: keyword
        - name: status1
          overwrite: true
          type: keyword
        - name: svcno
          overwrite: true
          type: keyword
        - name: system
          overwrite: true
          type: keyword
        - name: tbdstr1
          overwrite: true
          type: keyword
        - name: tgtdom
          overwrite: true
          type: keyword
        - name: tgtdomain
          overwrite: true
          type: keyword
        - name: threshold
          overwrite: true
          type: keyword
        - name: type1
          overwrite: true
          type: keyword
        - name: udb_class
          overwrite: true
          type: keyword
        - name: url_fld
          overwrite: true
          type: keyword
        - name: user_div
          overwrite: true
          type: keyword
        - name: userid
          overwrite: true
          type: keyword
        - name: username_fld
          overwrite: true
          type: keyword
        - name: utcstamp
          overwrite: true
          type: keyword
        - name: v_instafname
          overwrite: true
          type: keyword
        - name: virt_data
          overwrite: true
          type: keyword
        - name: vpnid
          overwrite: true
          type: keyword
        - name: autorun_type
          overwrite: true
          type: keyword
          description: This is used to capture the auto run type.
        - name: cc_number
          overwrite: true
          type: long
          description: Valid credit card numbers only.
        - name: content
          overwrite: true
          type: keyword
          description: This key captures the content type from protocol headers.
        - name: ein_number
          overwrite: true
          type: long
          description: Employee identification numbers only.
        - name: found
          overwrite: true
          type: keyword
          description: This is used to capture the results of a regex match.
        - name: language
          overwrite: true
          type: keyword
          description: This is used to capture the list of languages the client supports and which one it prefers.
        - name: lifetime
          overwrite: true
          type: long
          description: This key is used to capture the session lifetime in seconds.
        - name: link
          overwrite: true
          type: keyword
          description: This key is used to link the sessions together. This key should never be used to parse meta data from a session (logs/packets) directly; it is a reserved key in NetWitness.
        - name: match
          overwrite: true
          type: keyword
          description: This key is for the regex match name from search.ini.
        - name: param_dst
          overwrite: true
          type: keyword
          description: This key captures the command line/launch argument of the target process or file.
        - name: param_src
          overwrite: true
          type: keyword
          description: This key captures the source parameter.
        - name: search_text
          overwrite: true
          type: keyword
          description: This key captures the search text used.
        - name: sig_name
          overwrite: true
          type: keyword
          description: This key is used to capture the signature name only.
        - name: snmp_value
          overwrite: true
          type: keyword
          description: SNMP set request value.
        - name: streams
          overwrite: true
          type: long
          description: This key captures the number of streams in the session.
    - name: db
      overwrite: true
      type: group
      fields:
        - name: index
          overwrite: true
          type: keyword
          description: This key captures the IndexID of the index.
        - name: instance
          overwrite: true
          type: keyword
          description: This key is used to capture the database server instance name.
        - name: database
          overwrite: true
          type: keyword
          description: This key is used to capture the name of a database or an instance as seen in a session.
        - name: transact_id
          overwrite: true
          type: keyword
          description: This key captures the SQL transaction ID of the current session.
        - name: permissions
          overwrite: true
          type: keyword
          description: This key captures the permission or privilege level assigned to a resource.
        - name: table_name
          overwrite: true
          type: keyword
          description: This key is used to capture the table name.
        - name: db_id
          overwrite: true
          type: keyword
          description: This key is used to capture the unique identifier for a database.
        - name: db_pid
          overwrite: true
          type: long
          description: This key captures the process id of a connection with the database server.
        - name: lread
          overwrite: true
          type: long
          description: This key is used for the number of logical reads.
        - name: lwrite
          overwrite: true
          type: long
          description: This key is used for the number of logical writes.
        - name: pread
          overwrite: true
          type: long
          description: This key is used for the number of physical reads.
    - name: network
      overwrite: true
      type: group
      fields:
        - name: alias_host
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname, i.e. any hostname that isn't ad.computer.
        - name: domain
          overwrite: true
          type: keyword
        - name: host_dst
          overwrite: true
          type: keyword
          description: This key should only be used when it is a destination hostname.
        - name: network_service
          overwrite: true
          type: keyword
          description: This is used to capture layer 7 protocols/service names.
        - name: interface
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of an interface is not clear.
        - name: network_port
          overwrite: true
          type: long
          description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
        - name: eth_host
          overwrite: true
          type: keyword
          description: Deprecated, use alias.mac
        - name: sinterface
          overwrite: true
          type: keyword
          description: This key should only be used when it is a source interface.
        - name: dinterface
          overwrite: true
          type: keyword
          description: This key should only be used when it is a destination interface.
        - name: vlan
          overwrite: true
          type: long
          description: This key should only be used to capture the ID of the virtual LAN.
        - name: zone_src
          overwrite: true
          type: keyword
          description: This key should only be used when it is a source zone.
        - name: zone
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of a zone is not clear.
        - name: zone_dst
          overwrite: true
          type: keyword
          description: This key should only be used when it is a destination zone.
        - name: gateway
          overwrite: true
          type: keyword
          description: This key is used to capture the IP address of the gateway.
        - name: icmp_type
          overwrite: true
          type: long
          description: This key is used to capture the ICMP type only.
        - name: mask
          overwrite: true
          type: keyword
          description: This key is used to capture the device network IP mask.
      - name: icmp_code
        overwrite: true
        type: long
        description: This key is used to capture the ICMP code only
      - name: protocol_detail
        overwrite: true
        type: keyword
        description: This key should be used to capture additional protocol information
      - name: dmask
        overwrite: true
        type: keyword
        description: This key is used for Destination Device network mask
      - name: port
        overwrite: true
        type: long
        description: This key should only be used to capture a Network Port when the directionality is not clear
      - name: smask
        overwrite: true
        type: keyword
        description: This key is used for capturing source Network Mask
      - name: netname
        overwrite: true
        type: keyword
        description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
      - name: paddr
        overwrite: true
        type: ip
        description: Deprecated
      - name: faddr
        overwrite: true
        type: keyword
      - name: lhost
        overwrite: true
        type: keyword
      - name: origin
        overwrite: true
        type: keyword
      - name: remote_domain_id
        overwrite: true
        type: keyword
      - name: addr
        overwrite: true
        type: keyword
      - name: dns_a_record
        overwrite: true
        type: keyword
      - name: dns_ptr_record
        overwrite: true
        type: keyword
      - name: fhost
        overwrite: true
        type: keyword
      - name: fport
        overwrite: true
        type: keyword
      - name: laddr
        overwrite: true
        type: keyword
      - name: linterface
        overwrite: true
        type: keyword
      - name: phost
        overwrite: true
        type: keyword
      - name: ad_computer_dst
        overwrite: true
        type: keyword
        description: Deprecated, use host.dst
      - name: eth_type
        overwrite: true
        type: long
        description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
      - name: ip_proto
        overwrite: true
        type: long
        description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
      - name: dns_cname_record
        overwrite: true
        type: keyword
      - name: dns_id
        overwrite: true
        type: keyword
      - name: dns_opcode
        overwrite: true
        type: keyword
      - name: dns_resp
        overwrite: true
        type: keyword
      - name: dns_type
        overwrite: true
        type: keyword
      - name: domain1
        overwrite: true
        type: keyword
      - name: host_type
        overwrite: true
        type: keyword
      - name: packet_length
        overwrite: true
        type: keyword
      - name: host_orig
        overwrite: true
        type: keyword
        description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
      - name: rpayload
        overwrite: true
        type: keyword
        description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
      - name: vlan_name
        overwrite: true
        type: keyword
        description: This key should only be used to capture the name of the Virtual LAN
    - name: investigations
      overwrite: true
      type: group
      fields:
      - name: ec_activity
        overwrite: true
        type: keyword
        description: This key captures the particular event activity (Ex:Logoff)
      - name: ec_theme
        overwrite: true
        type: keyword
        description: This key captures the Theme of a particular Event (Ex:Authentication)
      - name: ec_subject
        overwrite: true
        type: keyword
        description: This key captures the Subject of a particular Event (Ex:User)
      - name: ec_outcome
        overwrite: true
        type: keyword
        description: This key captures the outcome of a particular Event (Ex:Success)
      - name: event_cat
        overwrite: true
        type: long
        description: This key captures the Event category number
      - name: event_cat_name
        overwrite: true
        type: keyword
        description: This key captures the event category name corresponding to the event cat code
      - name: event_vcat
        overwrite: true
        type: keyword
        description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
      - name: analysis_file
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
      - name: analysis_service
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
      - name: analysis_session
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
      - name: boc
        overwrite: true
        type: keyword
        description: This is used to capture behaviour of compromise
      - name: eoc
        overwrite: true
        type: keyword
        description: This is used to capture Enablers of Compromise
      - name: inv_category
        overwrite: true
        type: keyword
        description: This is used to capture the investigation category
      - name: inv_context
        overwrite: true
        type: keyword
        description: This is used to capture the investigation context
      - name: ioc
        overwrite: true
        type: keyword
        description: This key captures an indicator of compromise
    - name: counters
      overwrite: true
      type: group
      fields:
      - name: dclass_c1
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c1.str only
      - name: dclass_c2
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c2.str only
      - name: event_counter
        overwrite: true
        type: long
        description: This is used to capture the number of times an event repeated
      - name: dclass_r1
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r1.str only
      - name: dclass_c3
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c3.str only
      - name: dclass_c1_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c1 only
      - name: dclass_c2_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c2 only
      - name: dclass_r1_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r1 only
      - name: dclass_r2
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r2.str only
      - name: dclass_c3_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c3 only
      - name: dclass_r3
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r3.str only
      - name: dclass_r2_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r2 only
      - name: dclass_r3_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r3 only
    - name: identity
      overwrite: true
      type: group
      fields:
      - name: auth_method
        overwrite: true
        type: keyword
        description: This key is used to capture authentication methods used only
      - name: user_role
        overwrite: true
        type: keyword
        description: This key is used to capture the Role of a user only
      - name: dn
        overwrite: true
        type: keyword
        description: X.500 (LDAP) Distinguished Name
      - name: logon_type
        overwrite: true
        type: keyword
        description: This key is used to capture the type of logon method used.
      - name: profile
        overwrite: true
        type: keyword
        description: This key is used to capture the user profile
      - name: accesses
        overwrite: true
        type: keyword
        description: This key is used to capture actual privileges used in accessing an object
      - name: realm
        overwrite: true
        type: keyword
        description: Radius realm or similar grouping of accounts
      - name: user_sid_dst
        overwrite: true
        type: keyword
        description: This key captures Destination User Session ID
      - name: dn_src
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
      - name: org
        overwrite: true
        type: keyword
        description: This key captures the User organization
      - name: dn_dst
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
      - name: firstname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: lastname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: user_dept
        overwrite: true
        type: keyword
        description: User's Department Names only
      - name: user_sid_src
        overwrite: true
        type: keyword
        description: This key captures Source User Session ID
      - name: federated_sp
        overwrite: true
        type: keyword
        description: This key is the Federated Service Provider. This is the application requesting authentication.
      - name: federated_idp
        overwrite: true
        type: keyword
        description: This key is the federated Identity Provider. This is the server providing the authentication.
      - name: logon_type_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
      - name: middlename
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
      - name: password
        overwrite: true
        type: keyword
        description: This key is for Passwords seen in any session, plain text or encrypted
      - name: host_role
        overwrite: true
        type: keyword
        description: This key should only be used to capture the role of a Host Machine
      - name: ldap
        overwrite: true
        type: keyword
        description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
      - name: ldap_query
        overwrite: true
        type: keyword
        description: This key is the Search criteria from an LDAP search
      - name: ldap_response
        overwrite: true
        type: keyword
        description: This key is to capture Results from an LDAP search
      - name: owner
        overwrite: true
        type: keyword
        description: This is used to capture the username the process or service is running as, the author of the task
      - name: service_account
        overwrite: true
        type: keyword
        description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
    - name: email
      overwrite: true
      type: group
      fields:
      - name: email_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the Destination email address only, when the destination context is not clear use email
      - name: email_src
        overwrite: true
        type: keyword
        description: This key is used to capture the source email address only, when the source context is not clear use email
      - name: subject
        overwrite: true
        type: keyword
        description: This key is used to capture the subject string from an Email only.
      - name: email
        overwrite: true
        type: keyword
        description: This key is used to capture a generic email address where the source or destination context is not clear
      - name: trans_from
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: trans_to
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
    - name: file
      overwrite: true
      type: group
      fields:
      - name: privilege
        overwrite: true
        type: keyword
        description: Deprecated, use permissions
      - name: attachment
        overwrite: true
        type: keyword
        description: This key captures the attachment file name
      - name: filesystem
        overwrite: true
        type: keyword
      - name: binary
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: filename_dst
        overwrite: true
        type: keyword
        description: This is used to capture name of the file targeted by the action
      - name: filename_src
        overwrite: true
        type: keyword
        description: This is used to capture name of the parent filename, the file which performed the action
      - name: filename_tmp
        overwrite: true
        type: keyword
      - name: directory_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the target process or file
      - name: directory_src
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the source process or file
      - name: file_entropy
        overwrite: true
        type: double
        description: This is used to capture the entropy value of a file
      - name: file_vendor
        overwrite: true
        type: keyword
        description: This is used to capture Company name of file located in version_info
      - name: task_name
        overwrite: true
        type: keyword
        description: This is used to capture name of the task
    - name: web
      overwrite: true
      type: group
      fields:
      - name: fqdn
        overwrite: true
        type: keyword
        description: Fully Qualified Domain Names
      - name: web_cookie
        overwrite: true
        type: keyword
        description: This key is used to capture the Web cookies specifically.
      - name: alias_host
        overwrite: true
        type: keyword
      - name: reputation_num
        overwrite: true
        type: double
        description: Reputation Number of an entity. Typically used for Web Domains
      - name: web_ref_domain
        overwrite: true
        type: keyword
        description: Web referer's domain
      - name: web_ref_query
        overwrite: true
        type: keyword
        description: This key captures Web referer's query portion of the URL
      - name: remote_domain
        overwrite: true
        type: keyword
      - name: web_ref_page
        overwrite: true
        type: keyword
        description: This key captures Web referer's page information
      - name: web_ref_root
        overwrite: true
        type: keyword
        description: Web referer's root URL path
      - name: cn_asn_dst
        overwrite: true
        type: keyword
      - name: cn_rpackets
        overwrite: true
        type: keyword
      - name: urlpage
        overwrite: true
        type: keyword
      - name: urlroot
        overwrite: true
        type: keyword
      - name: p_url
        overwrite: true
        type: keyword
      - name: p_user_agent
        overwrite: true
        type: keyword
      - name: p_web_cookie
        overwrite: true
        type: keyword
      - name: p_web_method
        overwrite: true
        type: keyword
      - name: p_web_referer
        overwrite: true
        type: keyword
      - name: web_extension_tmp
        overwrite: true
        type: keyword
      - name: web_page
        overwrite: true
        type: keyword
    - name: threat
      overwrite: true
      type: group
      fields:
      - name: threat_category
        overwrite: true
        type: keyword
        description: This key captures Threat Name/Threat Category/Categorization of alert
      - name: threat_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the threat description from the session directly or inferred
      - name: alert
        overwrite: true
        type: keyword
        description: This key is used to capture name of the alert
      - name: threat_source
        overwrite: true
        type: keyword
        description: This key is used to capture source of the threat
    - name: crypto
      overwrite: true
      type: group
      fields:
      - name: crypto
        overwrite: true
        type: keyword
        description: This key is used to capture the Encryption Type or Encryption Key only
      - name: cipher_src
        overwrite: true
        type: keyword
        description: This key is for Source (Client) Cipher
      - name: cert_subject
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate organization only
      - name: peer
        overwrite: true
        type: keyword
        description: This key is for Encryption peer's IP Address
      - name: cipher_size_src
        overwrite: true
        type: long
        description: This key captures Source (Client) Cipher Size
      - name: ike
        overwrite: true
        type: keyword
        description: IKE negotiation phase.
      - name: scheme
        overwrite: true
        type: keyword
        description: This key captures the Encryption scheme used
      - name: peer_id
        overwrite: true
        type: keyword
        description: "This key is for Encryption peer\u2019s identity"
      - name: sig_type
        overwrite: true
        type: keyword
        description: This key captures the Signature Type
      - name: cert_issuer
        overwrite: true
        type: keyword
      - name: cert_host_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: cert_error
        overwrite: true
        type: keyword
        description: This key captures the Certificate Error String
      - name: cipher_dst
        overwrite: true
        type: keyword
        description: This key is for Destination (Server) Cipher
      - name: cipher_size_dst
        overwrite: true
        type: long
        description: This key captures Destination (Server) Cipher Size
      - name: ssl_ver_src
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: d_certauth
        overwrite: true
        type: keyword
      - name: s_certauth
        overwrite: true
        type: keyword
      - name: ike_cookie1
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
      - name: ike_cookie2
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
      - name: cert_checksum
        overwrite: true
        type: keyword
      - name: cert_host_cat
        overwrite: true
        type: keyword
        description: This key is used for the hostname category value of a certificate
      - name: cert_serial
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate serial number only
      - name: cert_status
        overwrite: true
        type: keyword
        description: This key captures Certificate validation status
      - name: ssl_ver_dst
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: cert_keysize
        overwrite: true
        type: keyword
      - name: cert_username
        overwrite: true
        type: keyword
      - name: https_insact
        overwrite: true
        type: keyword
      - name: https_valid
        overwrite: true
        type: keyword
      - name: cert_ca
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate signing authority only
      - name: cert_common
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate common name only
    - name: wireless
      overwrite: true
      type: group
      fields:
      - name: wlan_ssid
        overwrite: true
        type: keyword
        description: This key is used to capture the ssid of a Wireless Session
      - name: access_point
        overwrite: true
        type: keyword
        description: This key is used to capture the access point name.
      - name: wlan_channel
        overwrite: true
        type: long
        description: This is used to capture the channel names
      - name: wlan_name
        overwrite: true
        type: keyword
        description: This key captures either WLAN number/name
    - name: storage
      overwrite: true
      type: group
      fields:
      - name: disk_volume
        overwrite: true
        type: keyword
        description: A unique name assigned to logical units (volumes) within a physical disk
      - name: lun
        overwrite: true
        type: keyword
        description: Logical Unit Number. This key is a very useful concept in Storage.
      - name: pwwn
        overwrite: true
        type: keyword
        description: This uniquely identifies a port on a HBA.
    - name: physical
      overwrite: true
      type: group
      fields:
      - name: org_dst
        overwrite: true
        type: keyword
        description: This is used to capture the destination organization based on the GeoIP Maxmind database.
      - name: org_src
        overwrite: true
        type: keyword
        description: This is used to capture the source organization based on the GeoIP Maxmind database.
    - name: healthcare
      overwrite: true
      type: group
      fields:
      - name: patient_fname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_id
        overwrite: true
        type: keyword
        description: This key captures the unique ID for a patient
      - name: patient_lname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_mname
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
    - name: endpoint
      overwrite: true
      type: group
      fields:
      - name: host_state
        overwrite: true
        type: keyword
        description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
      - name: registry_key
        overwrite: true
        type: keyword
        description: This key captures the path to the registry key
      - name: registry_value
        overwrite: true
        type: keyword
        description: This key captures values or decorators used within a registry entry
- key: snort
  title: Snort/Sourcefire
  description: >
    snort fields.
  fields:
  - name: network.interface.name
    overwrite: true
    type: keyword
    default_field: false
    description: >
      Name of the network interface where the traffic has been observed.
  - name: rsa
    overwrite: true
    type: group
    default_field: false
    fields:
    - name: internal
      overwrite: true
      type: group
      fields:
      - name: msg
        overwrite: true
        type: keyword
        description: This key is used to capture the raw message that comes into the Log Decoder
      - name: messageid
        overwrite: true
        type: keyword
      - name: event_desc
        overwrite: true
        type: keyword
      - name: message
        overwrite: true
        type: keyword
        description: This key captures the contents of instant messages
      - name: time
        overwrite: true
        type: date
        description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
      - name: level
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: msg_id
        overwrite: true
        type: keyword
        description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: msg_vid
        overwrite: true
        type: keyword
        description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: data
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_server
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_val
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: resource
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: dead
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: feed_desc
        overwrite: true
        type: keyword
        description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: feed_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: cid
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_class
        overwrite: true
        type: keyword
        description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_group
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_host
        overwrite: true
        type: keyword
        description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ip
        overwrite: true
        type: ip
        description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_ipv6
        overwrite: true
        type: ip
        description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type
        overwrite: true
        type: keyword
        description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: device_type_id
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: did
        overwrite: true
        type: keyword
        description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: entropy_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: entropy_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
      - name: event_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: feed_category
        overwrite: true
        type: keyword
        description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: forward_ip
        overwrite: true
        type: ip
        description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
      - name: forward_ipv6
        overwrite: true
        type: ip
        description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: header_id
        overwrite: true
        type: keyword
        description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_cid
        overwrite: true
        type: keyword
        description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: lc_ctime
        overwrite: true
        type: date
        description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: mcb_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
      - name: mcb_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
      - name: mcbc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: mcbc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
      - name: medium
        overwrite: true
        type: long
        description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
      - name: node_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: nwe_callback_id
        overwrite: true
        type: keyword
        description: This key denotes that the event is endpoint related
      - name: parse_error
        overwrite: true
        type: keyword
        description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: payload_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: payload_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
      - name: process_vid_dst
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
      - name: process_vid_src
        overwrite: true
        type: keyword
        description: Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
      - name: rid
        overwrite: true
        type: long
        description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: session_split
        overwrite: true
        type: keyword
        description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: site
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: size
        overwrite: true
        type: long
        description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: sourcefile
        overwrite: true
        type: keyword
        description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: ubc_req
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: ubc_res
        overwrite: true
        type: long
        description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
      - name: word
        overwrite: true
        type: keyword
        description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
    - name: time
      overwrite: true
      type: group
      fields:
      - name: event_time
        overwrite: true
        type: date
        description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
      - name: duration_time
        overwrite: true
        type: double
        description: This key is used to capture the normalized duration/lifetime in seconds.
      - name: event_time_str
        overwrite: true
        type: keyword
        description: This key is used to capture the incomplete time mentioned in a session as a string
      - name: starttime
        overwrite: true
        type: date
        description: This key is used to capture the Start time mentioned in a session in a standard form
      - name: month
        overwrite: true
        type: keyword
      - name: day
        overwrite: true
        type: keyword
      - name: endtime
        overwrite: true
        type: date
        description: This key is used to capture the End time mentioned in a session in a standard form
      - name: timezone
        overwrite: true
        type: keyword
        description: This key is used to capture the timezone of the Event Time
      - name: duration_str
        overwrite: true
        type: keyword
        description: A text string version of the duration
      - name: date
        overwrite: true
        type: keyword
      - name: year
        overwrite: true
        type: keyword
      - name: recorded_time
        overwrite: true
        type: date
        description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
      - name: datetime
        overwrite: true
        type: keyword
      - name: effective_time
        overwrite: true
        type: date
        description: This key is the effective time referenced by an individual event in a Standard Timestamp format
      - name: expire_time
        overwrite: true
        type: date
        description: This key is the timestamp that explicitly refers to an expiration.
      - name: process_time
        overwrite: true
        type: keyword
        description: Deprecated, use duration.time
      - name: hour
        overwrite: true
        type: keyword
      - name: min
        overwrite: true
        type: keyword
      - name: timestamp
        overwrite: true
        type: keyword
      - name: event_queue_time
        overwrite: true
        type: date
        description: This key is the Time that the event was queued.
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture list of languages the client support and what it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destionation Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This used to capture investigation category - name: inv_context overwrite: true type: keyword description: This used to capture investigation context - name: ioc overwrite: true type: keyword description: This is key capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture entropy vale of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture Company name of file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity. 
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on a HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: snyk title: Snyk description: > Snyk module fields: - name: snyk type: group release: beta description: > Module for parsing Snyk project vulnerabilities. fields: - name: projects type: flattened description: > Array with all related projects objects. - name: related.projects type: keyword description: > Array of all the related project ID's. - name: audit type: group release: beta description: > Module for parsing Snyk audit logs. fields: - name: org_id type: keyword description: > ID of the related Organization related to the event. - name: project_id type: keyword description: > ID of the project related to the event. - name: content type: flattened description: > Overview of the content that was changed, both old and new values. 
- name: vulnerabilities type: group release: beta description: > Module for parsing Snyk project vulnerabilities. fields: - name: cvss3 type: keyword description: > CSSv3 scores. - name: disclosure_time type: date description: > The time this vulnerability was originally disclosed to the package maintainers. - name: exploit_maturity type: keyword description: > The Snyk exploit maturity level. - name: id type: keyword description: > The vulnerability reference ID. - name: is_ignored type: boolean description: > If the vulnerability report has been ignored. - name: is_patchable type: boolean description: > If vulnerability is fixable by using a Snyk supplied patch. - name: is_patched type: boolean description: > If the vulnerability has been patched. - name: is_pinnable type: boolean description: > If the vulnerability is fixable by pinning a transitive dependency. - name: is_upgradable type: boolean description: > If the vulnerability fixable by upgrading a dependency. - name: language type: keyword description: > The package's programming language. - name: package type: keyword description: > The package identifier according to its package manager. - name: package_manager type: keyword description: > The package manager. - name: patches type: flattened description: > Patches required to resolve the issue created by Snyk. - name: priority_score type: long description: > The CVS priority score. - name: publication_time type: date description: > The vulnerability publication time. - name: jira_issue_url type: keyword description: > Link to the related Jira issue. - name: original_severity type: long description: > The original severity of the vulnerability. - name: reachability type: keyword description: > If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. - name: title type: keyword description: > The issue title. - name: type type: keyword description: > The issue type. 
Can be either "license" or "vulnerability". - name: unique_severities_list type: keyword description: > A list of related unique severities. - name: version type: keyword description: > The package version this issue is applicable to. - name: introduced_date type: date description: > The date the vulnerability was initially found. - name: is_fixed type: boolean description: > If the related vulnerability has been resolved. - name: credit type: keyword description: > Reference to the person that original found the vulnerability. - name: semver type: flattened description: > One or more semver ranges this issue is applicable to. The format varies according to package manager. - name: identifiers.alternative type: keyword description: > Additional vulnerability identifiers. - name: identifiers.cwe type: keyword description: > CWE vulnerability identifiers. - key: sonicwall title: Sonicwall-FW description: > sonicwall fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. 
- name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures the Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key captures the TCP flags set in any packet of the session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only variable. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
type: keyword - name: auditdata overwrite: true type: keyword - name: benchmark overwrite: true type: keyword - name: bypass overwrite: true type: keyword - name: cache overwrite: true type: keyword - name: cache_hit overwrite: true type: keyword - name: cefversion overwrite: true type: keyword - name: cfg_attr overwrite: true type: keyword - name: cfg_obj overwrite: true type: keyword - name: cfg_path overwrite: true type: keyword - name: changes overwrite: true type: keyword - name: client_ip overwrite: true type: keyword - name: clustermembers overwrite: true type: keyword - name: cn_acttimeout overwrite: true type: keyword - name: cn_asn_src overwrite: true type: keyword - name: cn_bgpv4nxthop overwrite: true type: keyword - name: cn_ctr_dst_code overwrite: true type: keyword - name: cn_dst_tos overwrite: true type: keyword - name: cn_dst_vlan overwrite: true type: keyword - name: cn_engine_id overwrite: true type: keyword - name: cn_engine_type overwrite: true type: keyword - name: cn_f_switch overwrite: true type: keyword - name: cn_flowsampid overwrite: true type: keyword - name: cn_flowsampintv overwrite: true type: keyword - name: cn_flowsampmode overwrite: true type: keyword - name: cn_inacttimeout overwrite: true type: keyword - name: cn_inpermbyts overwrite: true type: keyword - name: cn_inpermpckts overwrite: true type: keyword - name: cn_invalid overwrite: true type: keyword - name: cn_ip_proto_ver overwrite: true type: keyword - name: cn_ipv4_ident overwrite: true type: keyword - name: cn_l_switch overwrite: true type: keyword - name: cn_log_did overwrite: true type: keyword - name: cn_log_rid overwrite: true type: keyword - name: cn_max_ttl overwrite: true type: keyword - name: cn_maxpcktlen overwrite: true type: keyword - name: cn_min_ttl overwrite: true type: keyword - name: cn_minpcktlen overwrite: true type: keyword - name: cn_mpls_lbl_1 overwrite: true type: keyword - name: cn_mpls_lbl_10 overwrite: true type: keyword - name: cn_mpls_lbl_2 
overwrite: true type: keyword - name: cn_mpls_lbl_3 overwrite: true type: keyword - name: cn_mpls_lbl_4 overwrite: true type: keyword - name: cn_mpls_lbl_5 overwrite: true type: keyword - name: cn_mpls_lbl_6 overwrite: true type: keyword - name: cn_mpls_lbl_7 overwrite: true type: keyword - name: cn_mpls_lbl_8 overwrite: true type: keyword - name: cn_mpls_lbl_9 overwrite: true type: keyword - name: cn_mplstoplabel overwrite: true type: keyword - name: cn_mplstoplabip overwrite: true type: keyword - name: cn_mul_dst_byt overwrite: true type: keyword - name: cn_mul_dst_pks overwrite: true type: keyword - name: cn_muligmptype overwrite: true type: keyword - name: cn_sampalgo overwrite: true type: keyword - name: cn_sampint overwrite: true type: keyword - name: cn_seqctr overwrite: true type: keyword - name: cn_spackets overwrite: true type: keyword - name: cn_src_tos overwrite: true type: keyword - name: cn_src_vlan overwrite: true type: keyword - name: cn_sysuptime overwrite: true type: keyword - name: cn_template_id overwrite: true type: keyword - name: cn_totbytsexp overwrite: true type: keyword - name: cn_totflowexp overwrite: true type: keyword - name: cn_totpcktsexp overwrite: true type: keyword - name: cn_unixnanosecs overwrite: true type: keyword - name: cn_v6flowlabel overwrite: true type: keyword - name: cn_v6optheaders overwrite: true type: keyword - name: comp_class overwrite: true type: keyword - name: comp_name overwrite: true type: keyword - name: comp_rbytes overwrite: true type: keyword - name: comp_sbytes overwrite: true type: keyword - name: cpu_data overwrite: true type: keyword - name: criticality overwrite: true type: keyword - name: cs_agency_dst overwrite: true type: keyword - name: cs_analyzedby overwrite: true type: keyword - name: cs_av_other overwrite: true type: keyword - name: cs_av_primary overwrite: true type: keyword - name: cs_av_secondary overwrite: true type: keyword - name: cs_bgpv6nxthop overwrite: true type: keyword - name: 
cs_bit9status overwrite: true type: keyword - name: cs_context overwrite: true type: keyword - name: cs_control overwrite: true type: keyword - name: cs_data overwrite: true type: keyword - name: cs_datecret overwrite: true type: keyword - name: cs_dst_tld overwrite: true type: keyword - name: cs_eth_dst_ven overwrite: true type: keyword - name: cs_eth_src_ven overwrite: true type: keyword - name: cs_event_uuid overwrite: true type: keyword - name: cs_filetype overwrite: true type: keyword - name: cs_fld overwrite: true type: keyword - name: cs_if_desc overwrite: true type: keyword - name: cs_if_name overwrite: true type: keyword - name: cs_ip_next_hop overwrite: true type: keyword - name: cs_ipv4dstpre overwrite: true type: keyword - name: cs_ipv4srcpre overwrite: true type: keyword - name: cs_lifetime overwrite: true type: keyword - name: cs_log_medium overwrite: true type: keyword - name: cs_loginname overwrite: true type: keyword - name: cs_modulescore overwrite: true type: keyword - name: cs_modulesign overwrite: true type: keyword - name: cs_opswatresult overwrite: true type: keyword - name: cs_payload overwrite: true type: keyword - name: cs_registrant overwrite: true type: keyword - name: cs_registrar overwrite: true type: keyword - name: cs_represult overwrite: true type: keyword - name: cs_rpayload overwrite: true type: keyword - name: cs_sampler_name overwrite: true type: keyword - name: cs_sourcemodule overwrite: true type: keyword - name: cs_streams overwrite: true type: keyword - name: cs_targetmodule overwrite: true type: keyword - name: cs_v6nxthop overwrite: true type: keyword - name: cs_whois_server overwrite: true type: keyword - name: cs_yararesult overwrite: true type: keyword - name: description overwrite: true type: keyword - name: devvendor overwrite: true type: keyword - name: distance overwrite: true type: keyword - name: dstburb overwrite: true type: keyword - name: edomain overwrite: true type: keyword - name: edomaub overwrite: true 
type: keyword - name: euid overwrite: true type: keyword - name: facility overwrite: true type: keyword - name: finterface overwrite: true type: keyword - name: flags overwrite: true type: keyword - name: gaddr overwrite: true type: keyword - name: id3 overwrite: true type: keyword - name: im_buddyname overwrite: true type: keyword - name: im_croomid overwrite: true type: keyword - name: im_croomtype overwrite: true type: keyword - name: im_members overwrite: true type: keyword - name: im_username overwrite: true type: keyword - name: ipkt overwrite: true type: keyword - name: ipscat overwrite: true type: keyword - name: ipspri overwrite: true type: keyword - name: latitude overwrite: true type: keyword - name: linenum overwrite: true type: keyword - name: list_name overwrite: true type: keyword - name: load_data overwrite: true type: keyword - name: location_floor overwrite: true type: keyword - name: location_mark overwrite: true type: keyword - name: log_id overwrite: true type: keyword - name: log_type overwrite: true type: keyword - name: logid overwrite: true type: keyword - name: logip overwrite: true type: keyword - name: logname overwrite: true type: keyword - name: longitude overwrite: true type: keyword - name: lport overwrite: true type: keyword - name: mbug_data overwrite: true type: keyword - name: misc_name overwrite: true type: keyword - name: msg_type overwrite: true type: keyword - name: msgid overwrite: true type: keyword - name: netsessid overwrite: true type: keyword - name: num overwrite: true type: keyword - name: number1 overwrite: true type: keyword - name: number2 overwrite: true type: keyword - name: nwwn overwrite: true type: keyword - name: object overwrite: true type: keyword - name: operation overwrite: true type: keyword - name: opkt overwrite: true type: keyword - name: orig_from overwrite: true type: keyword - name: owner_id overwrite: true type: keyword - name: p_action overwrite: true type: keyword - name: p_filter overwrite: 
true type: keyword - name: p_group_object overwrite: true type: keyword - name: p_id overwrite: true type: keyword - name: p_msgid1 overwrite: true type: keyword - name: p_msgid2 overwrite: true type: keyword - name: p_result1 overwrite: true type: keyword - name: password_chg overwrite: true type: keyword - name: password_expire overwrite: true type: keyword - name: permgranted overwrite: true type: keyword - name: permwanted overwrite: true type: keyword - name: pgid overwrite: true type: keyword - name: policyUUID overwrite: true type: keyword - name: prog_asp_num overwrite: true type: keyword - name: program overwrite: true type: keyword - name: real_data overwrite: true type: keyword - name: rec_asp_device overwrite: true type: keyword - name: rec_asp_num overwrite: true type: keyword - name: rec_library overwrite: true type: keyword - name: recordnum overwrite: true type: keyword - name: ruid overwrite: true type: keyword - name: sburb overwrite: true type: keyword - name: sdomain_fld overwrite: true type: keyword - name: sec overwrite: true type: keyword - name: sensorname overwrite: true type: keyword - name: seqnum overwrite: true type: keyword - name: session overwrite: true type: keyword - name: sessiontype overwrite: true type: keyword - name: sigUUID overwrite: true type: keyword - name: spi overwrite: true type: keyword - name: srcburb overwrite: true type: keyword - name: srcdom overwrite: true type: keyword - name: srcservice overwrite: true type: keyword - name: state overwrite: true type: keyword - name: status1 overwrite: true type: keyword - name: svcno overwrite: true type: keyword - name: system overwrite: true type: keyword - name: tbdstr1 overwrite: true type: keyword - name: tgtdom overwrite: true type: keyword - name: tgtdomain overwrite: true type: keyword - name: threshold overwrite: true type: keyword - name: type1 overwrite: true type: keyword - name: udb_class overwrite: true type: keyword - name: url_fld overwrite: true type: keyword 
- name: user_div overwrite: true type: keyword - name: userid overwrite: true type: keyword - name: username_fld overwrite: true type: keyword - name: utcstamp overwrite: true type: keyword - name: v_instafname overwrite: true type: keyword - name: virt_data overwrite: true type: keyword - name: vpnid overwrite: true type: keyword - name: autorun_type overwrite: true type: keyword description: This is used to capture Auto Run type - name: cc_number overwrite: true type: long description: Valid Credit Card Numbers only - name: content overwrite: true type: keyword description: This key captures the content type from protocol headers - name: ein_number overwrite: true type: long description: Employee Identification Numbers only - name: found overwrite: true type: keyword description: This is used to capture the results of regex match - name: language overwrite: true type: keyword description: This is used to capture the list of languages the client supports and which it prefers - name: lifetime overwrite: true type: long description: This key is used to capture the session lifetime in seconds. - name: link overwrite: true type: keyword description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match overwrite: true type: keyword description: This key is for regex match name from search.ini - name: param_dst overwrite: true type: keyword description: This key captures the command line/launch argument of the target process or file - name: param_src overwrite: true type: keyword description: This key captures source parameter - name: search_text overwrite: true type: keyword description: This key captures the Search Text used - name: sig_name overwrite: true type: keyword description: This key is used to capture the Signature Name only. 
- name: snmp_value overwrite: true type: keyword description: SNMP set request value - name: streams overwrite: true type: long description: This key captures number of streams in session - name: db overwrite: true type: group fields: - name: index overwrite: true type: keyword description: This key captures IndexID of the index. - name: instance overwrite: true type: keyword description: This key is used to capture the database server instance name - name: database overwrite: true type: keyword description: This key is used to capture the name of a database or an instance as seen in a session - name: transact_id overwrite: true type: keyword description: This key captures the SQL transaction ID of the current session - name: permissions overwrite: true type: keyword description: This key captures permission or privilege level assigned to a resource. - name: table_name overwrite: true type: keyword description: This key is used to capture the table name - name: db_id overwrite: true type: keyword description: This key is used to capture the unique identifier for a database - name: db_pid overwrite: true type: long description: This key captures the process id of a connection with database server - name: lread overwrite: true type: long description: This key is used for the number of logical reads - name: lwrite overwrite: true type: long description: This key is used for the number of logical writes - name: pread overwrite: true type: long description: This key is used for the number of physical writes - name: network overwrite: true type: group fields: - name: alias_host overwrite: true type: keyword description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer. 
- name: domain overwrite: true type: keyword - name: host_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Hostname" - name: network_service overwrite: true type: keyword description: This is used to capture layer 7 protocols/service names - name: interface overwrite: true type: keyword description: This key should be used when the source or destination context of an interface is not clear - name: network_port overwrite: true type: long description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - name: eth_host overwrite: true type: keyword description: Deprecated, use alias.mac - name: sinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Interface" - name: dinterface overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Interface" - name: vlan overwrite: true type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src overwrite: true type: keyword description: "This key should only be used when it\u2019s a Source Zone." - name: zone overwrite: true type: keyword description: This key should be used when the source or destination context of a Zone is not clear - name: zone_dst overwrite: true type: keyword description: "This key should only be used when it\u2019s a Destination Zone." - name: gateway overwrite: true type: keyword description: This key is used to capture the IP Address of the gateway - name: icmp_type overwrite: true type: long description: This key is used to capture the ICMP type only - name: mask overwrite: true type: keyword description: This key is used to capture the device network IPmask. 
- name: icmp_code overwrite: true type: long description: This key is used to capture the ICMP code only - name: protocol_detail overwrite: true type: keyword description: This key should be used to capture additional protocol information - name: dmask overwrite: true type: keyword description: This key is used for Destination Device network mask - name: port overwrite: true type: long description: This key should only be used to capture a Network Port when the directionality is not clear - name: smask overwrite: true type: keyword description: This key is used for capturing source Network Mask - name: netname overwrite: true type: keyword description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr overwrite: true type: ip description: Deprecated - name: faddr overwrite: true type: keyword - name: lhost overwrite: true type: keyword - name: origin overwrite: true type: keyword - name: remote_domain_id overwrite: true type: keyword - name: addr overwrite: true type: keyword - name: dns_a_record overwrite: true type: keyword - name: dns_ptr_record overwrite: true type: keyword - name: fhost overwrite: true type: keyword - name: fport overwrite: true type: keyword - name: laddr overwrite: true type: keyword - name: linterface overwrite: true type: keyword - name: phost overwrite: true type: keyword - name: ad_computer_dst overwrite: true type: keyword description: Deprecated, use host.dst - name: eth_type overwrite: true type: long description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto overwrite: true type: long description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI - name: dns_cname_record overwrite: true type: keyword - name: dns_id overwrite: true type: keyword - name: dns_opcode overwrite: true type: keyword - name: dns_resp overwrite: true type: keyword - name: 
dns_type overwrite: true type: keyword - name: domain1 overwrite: true type: keyword - name: host_type overwrite: true type: keyword - name: packet_length overwrite: true type: keyword - name: host_orig overwrite: true type: keyword description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload overwrite: true type: keyword description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name overwrite: true type: keyword description: This key should only be used to capture the name of the Virtual LAN - name: investigations overwrite: true type: group fields: - name: ec_activity overwrite: true type: keyword description: This key captures the particular event activity(Ex:Logoff) - name: ec_theme overwrite: true type: keyword description: This key captures the Theme of a particular Event(Ex:Authentication) - name: ec_subject overwrite: true type: keyword description: This key captures the Subject of a particular Event(Ex:User) - name: ec_outcome overwrite: true type: keyword description: This key captures the outcome of a particular Event(Ex:Success) - name: event_cat overwrite: true type: long description: This key captures the Event category number - name: event_cat_name overwrite: true type: keyword description: This key captures the event category name corresponding to the event cat code - name: event_vcat overwrite: true type: keyword description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file overwrite: true type: keyword description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service overwrite: true type: keyword description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service - name: analysis_session overwrite: true type: keyword description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc overwrite: true type: keyword description: This is used to capture behaviour of compromise - name: eoc overwrite: true type: keyword description: This is used to capture Enablers of Compromise - name: inv_category overwrite: true type: keyword description: This is used to capture investigation category - name: inv_context overwrite: true type: keyword description: This is used to capture investigation context - name: ioc overwrite: true type: keyword description: This key is used to capture indicator of compromise - name: counters overwrite: true type: group fields: - name: dclass_c1 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter overwrite: true type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 overwrite: true type: long description: This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2
overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r2.str only - name: dclass_c3_str overwrite: true type: keyword description: This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 overwrite: true type: keyword description: This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str overwrite: true type: keyword description: This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity overwrite: true type: group fields: - name: auth_method overwrite: true type: keyword description: This key is used to capture authentication methods used only - name: user_role overwrite: true type: keyword description: This key is used to capture the Role of a user only - name: dn overwrite: true type: keyword description: X.500 (LDAP) Distinguished Name - name: logon_type overwrite: true type: keyword description: This key is used to capture the type of logon method used. 
- name: profile overwrite: true type: keyword description: This key is used to capture the user profile - name: accesses overwrite: true type: keyword description: This key is used to capture actual privileges used in accessing an object - name: realm overwrite: true type: keyword description: Radius realm or similar grouping of accounts - name: user_sid_dst overwrite: true type: keyword description: This key captures Destination User Session ID - name: dn_src overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org overwrite: true type: keyword description: This key captures the User organization - name: dn_dst overwrite: true type: keyword description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn - name: firstname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients' information - name: lastname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients' information - name: user_dept overwrite: true type: keyword description: User's Department Names only - name: user_sid_src overwrite: true type: keyword description: This key captures Source User Session ID - name: federated_sp overwrite: true type: keyword description: This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp overwrite: true type: keyword description: This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc overwrite: true type: keyword description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients' information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the Search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is to capture Results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as, the author of the task - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only, when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent filename, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the Company name of the file located in version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the ssid of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the channel names - name: wlan_name overwrite: true type: keyword description: This key captures either WLAN number/name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number. This key is a very useful concept in Storage. - name: pwwn overwrite: true type: keyword description: This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients' information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients' information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients' information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: sophos title: "sophos" description: > sophos Module fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. 
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds.
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
        - name: misc
          overwrite: true
          type: group
          fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the Version of the application or OS which is generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures the Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the Device associated with the node. Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application, etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture the fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures the Filter used to reduce the result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture the combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures the Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures the Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures the Name of the sensor. Typically used in IDS/IPS based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or system (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a listname or listnumber, primarily for collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures the File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture the agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures the IDS/IPS Int Signature ID. This must be linked to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures the CVE (Common Vulnerabilities and Exposures) identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures the Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to the node variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures the Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically a numeric field) of a resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture the Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of a regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for the regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures the source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures the number of streams in the session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures the IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures the permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname. Any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
      - name: icmp_code
        overwrite: true
        type: long
        description: This key is used to capture the ICMP code only
      - name: protocol_detail
        overwrite: true
        type: keyword
        description: This key should be used to capture additional protocol information
      - name: dmask
        overwrite: true
        type: keyword
        description: This key is used for Destination Device network mask
      - name: port
        overwrite: true
        type: long
        description: This key should only be used to capture a Network Port when the directionality is not clear
      - name: smask
        overwrite: true
        type: keyword
        description: This key is used for capturing source Network Mask
      - name: netname
        overwrite: true
        type: keyword
        description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
      - name: paddr
        overwrite: true
        type: ip
        description: Deprecated
      - name: faddr
        overwrite: true
        type: keyword
      - name: lhost
        overwrite: true
        type: keyword
      - name: origin
        overwrite: true
        type: keyword
      - name: remote_domain_id
        overwrite: true
        type: keyword
      - name: addr
        overwrite: true
        type: keyword
      - name: dns_a_record
        overwrite: true
        type: keyword
      - name: dns_ptr_record
        overwrite: true
        type: keyword
      - name: fhost
        overwrite: true
        type: keyword
      - name: fport
        overwrite: true
        type: keyword
      - name: laddr
        overwrite: true
        type: keyword
      - name: linterface
        overwrite: true
        type: keyword
      - name: phost
        overwrite: true
        type: keyword
      - name: ad_computer_dst
        overwrite: true
        type: keyword
        description: Deprecated, use host.dst
      - name: eth_type
        overwrite: true
        type: long
        description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
      - name: ip_proto
        overwrite: true
        type: long
        description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
      - name: dns_cname_record
        overwrite: true
        type: keyword
      - name: dns_id
        overwrite: true
        type: keyword
      - name: dns_opcode
        overwrite: true
        type: keyword
      - name: dns_resp
        overwrite: true
        type: keyword
      - name: dns_type
        overwrite: true
        type: keyword
      - name: domain1
        overwrite: true
        type: keyword
      - name: host_type
        overwrite: true
        type: keyword
      - name: packet_length
        overwrite: true
        type: keyword
      - name: host_orig
        overwrite: true
        type: keyword
        description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
      - name: rpayload
        overwrite: true
        type: keyword
        description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
      - name: vlan_name
        overwrite: true
        type: keyword
        description: This key should only be used to capture the name of the Virtual LAN
    - name: investigations
      overwrite: true
      type: group
      fields:
      - name: ec_activity
        overwrite: true
        type: keyword
        description: This key captures the particular event activity (Ex:Logoff)
      - name: ec_theme
        overwrite: true
        type: keyword
        description: This key captures the Theme of a particular Event (Ex:Authentication)
      - name: ec_subject
        overwrite: true
        type: keyword
        description: This key captures the Subject of a particular Event (Ex:User)
      - name: ec_outcome
        overwrite: true
        type: keyword
        description: This key captures the outcome of a particular Event (Ex:Success)
      - name: event_cat
        overwrite: true
        type: long
        description: This key captures the Event category number
      - name: event_cat_name
        overwrite: true
        type: keyword
        description: This key captures the event category name corresponding to the event cat code
      - name: event_vcat
        overwrite: true
        type: keyword
        description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
      - name: analysis_file
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
      - name: analysis_service
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
      - name: analysis_session
        overwrite: true
        type: keyword
        description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
      - name: boc
        overwrite: true
        type: keyword
        description: This is used to capture behaviour of compromise
      - name: eoc
        overwrite: true
        type: keyword
        description: This is used to capture Enablers of Compromise
      - name: inv_category
        overwrite: true
        type: keyword
        description: This is used to capture investigation category
      - name: inv_context
        overwrite: true
        type: keyword
        description: This is used to capture investigation context
      - name: ioc
        overwrite: true
        type: keyword
        description: This key captures indicator of compromise
    - name: counters
      overwrite: true
      type: group
      fields:
      - name: dclass_c1
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c1.str only
      - name: dclass_c2
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c2.str only
      - name: event_counter
        overwrite: true
        type: long
        description: This is used to capture the number of times an event repeated
      - name: dclass_r1
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r1.str only
      - name: dclass_c3
        overwrite: true
        type: long
        description: This is a generic counter key that should be used with the label dclass.c3.str only
      - name: dclass_c1_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c1 only
      - name: dclass_c2_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c2 only
      - name: dclass_r1_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r1 only
      - name: dclass_r2
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r2.str only
      - name: dclass_c3_str
        overwrite: true
        type: keyword
        description: This is a generic counter string key that should be used with the label dclass.c3 only
      - name: dclass_r3
        overwrite: true
        type: keyword
        description: This is a generic ratio key that should be used with the label dclass.r3.str only
      - name: dclass_r2_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r2 only
      - name: dclass_r3_str
        overwrite: true
        type: keyword
        description: This is a generic ratio string key that should be used with the label dclass.r3 only
    - name: identity
      overwrite: true
      type: group
      fields:
      - name: auth_method
        overwrite: true
        type: keyword
        description: This key is used to capture authentication methods used only
      - name: user_role
        overwrite: true
        type: keyword
        description: This key is used to capture the Role of a user only
      - name: dn
        overwrite: true
        type: keyword
        description: X.500 (LDAP) Distinguished Name
      - name: logon_type
        overwrite: true
        type: keyword
        description: This key is used to capture the type of logon method used.
      - name: profile
        overwrite: true
        type: keyword
        description: This key is used to capture the user profile
      - name: accesses
        overwrite: true
        type: keyword
        description: This key is used to capture actual privileges used in accessing an object
      - name: realm
        overwrite: true
        type: keyword
        description: Radius realm or similar grouping of accounts
      - name: user_sid_dst
        overwrite: true
        type: keyword
        description: This key captures Destination User Session ID
      - name: dn_src
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
      - name: org
        overwrite: true
        type: keyword
        description: This key captures the User organization
      - name: dn_dst
        overwrite: true
        type: keyword
        description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
      - name: firstname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: lastname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: user_dept
        overwrite: true
        type: keyword
        description: User's Department Names only
      - name: user_sid_src
        overwrite: true
        type: keyword
        description: This key captures Source User Session ID
      - name: federated_sp
        overwrite: true
        type: keyword
        description: This key is the Federated Service Provider. This is the application requesting authentication.
      - name: federated_idp
        overwrite: true
        type: keyword
        description: This key is the federated Identity Provider. This is the server providing the authentication.
      - name: logon_type_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
      - name: middlename
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
      - name: password
        overwrite: true
        type: keyword
        description: This key is for Passwords seen in any session, plain text or encrypted
      - name: host_role
        overwrite: true
        type: keyword
        description: This key should only be used to capture the role of a Host Machine
      - name: ldap
        overwrite: true
        type: keyword
        description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
      - name: ldap_query
        overwrite: true
        type: keyword
        description: This key is the Search criteria from an LDAP search
      - name: ldap_response
        overwrite: true
        type: keyword
        description: This key is to capture Results from an LDAP search
      - name: owner
        overwrite: true
        type: keyword
        description: This is used to capture the username the process or service is running as, the author of the task
      - name: service_account
        overwrite: true
        type: keyword
        description: This key is a windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
    - name: email
      overwrite: true
      type: group
      fields:
      - name: email_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the Destination email address only, when the destination context is not clear use email
      - name: email_src
        overwrite: true
        type: keyword
        description: This key is used to capture the source email address only, when the source context is not clear use email
      - name: subject
        overwrite: true
        type: keyword
        description: This key is used to capture the subject string from an Email only.
      - name: email
        overwrite: true
        type: keyword
        description: This key is used to capture a generic email address where the source or destination context is not clear
      - name: trans_from
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: trans_to
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
    - name: file
      overwrite: true
      type: group
      fields:
      - name: privilege
        overwrite: true
        type: keyword
        description: Deprecated, use permissions
      - name: attachment
        overwrite: true
        type: keyword
        description: This key captures the attachment file name
      - name: filesystem
        overwrite: true
        type: keyword
      - name: binary
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: filename_dst
        overwrite: true
        type: keyword
        description: This is used to capture the name of the file targeted by the action
      - name: filename_src
        overwrite: true
        type: keyword
        description: This is used to capture the name of the parent filename, the file which performed the action
      - name: filename_tmp
        overwrite: true
        type: keyword
      - name: directory_dst
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the target process or file
      - name: directory_src
        overwrite: true
        type: keyword
        description: This key is used to capture the directory of the source process or file
      - name: file_entropy
        overwrite: true
        type: double
        description: This is used to capture the entropy value of a file
      - name: file_vendor
        overwrite: true
        type: keyword
        description: This is used to capture the Company name of a file located in version_info
      - name: task_name
        overwrite: true
        type: keyword
        description: This is used to capture the name of the task
    - name: web
      overwrite: true
      type: group
      fields:
      - name: fqdn
        overwrite: true
        type: keyword
        description: Fully Qualified Domain Names
      - name: web_cookie
        overwrite: true
        type: keyword
        description: This key is used to capture the Web cookies specifically.
      - name: alias_host
        overwrite: true
        type: keyword
      - name: reputation_num
        overwrite: true
        type: double
        description: Reputation Number of an entity. Typically used for Web Domains
      - name: web_ref_domain
        overwrite: true
        type: keyword
        description: Web referer's domain
      - name: web_ref_query
        overwrite: true
        type: keyword
        description: This key captures the Web referer's query portion of the URL
      - name: remote_domain
        overwrite: true
        type: keyword
      - name: web_ref_page
        overwrite: true
        type: keyword
        description: This key captures the Web referer's page information
      - name: web_ref_root
        overwrite: true
        type: keyword
        description: Web referer's root URL path
      - name: cn_asn_dst
        overwrite: true
        type: keyword
      - name: cn_rpackets
        overwrite: true
        type: keyword
      - name: urlpage
        overwrite: true
        type: keyword
      - name: urlroot
        overwrite: true
        type: keyword
      - name: p_url
        overwrite: true
        type: keyword
      - name: p_user_agent
        overwrite: true
        type: keyword
      - name: p_web_cookie
        overwrite: true
        type: keyword
      - name: p_web_method
        overwrite: true
        type: keyword
      - name: p_web_referer
        overwrite: true
        type: keyword
      - name: web_extension_tmp
        overwrite: true
        type: keyword
      - name: web_page
        overwrite: true
        type: keyword
    - name: threat
      overwrite: true
      type: group
      fields:
      - name: threat_category
        overwrite: true
        type: keyword
        description: This key captures Threat Name/Threat Category/Categorization of alert
      - name: threat_desc
        overwrite: true
        type: keyword
        description: This key is used to capture the threat description from the session directly or inferred
      - name: alert
        overwrite: true
        type: keyword
        description: This key is used to capture the name of the alert
      - name: threat_source
        overwrite: true
        type: keyword
        description: This key is used to capture the source of the threat
    - name: crypto
      overwrite: true
      type: group
      fields:
      - name: crypto
        overwrite: true
        type: keyword
        description: This key is used to capture the Encryption Type or Encryption Key only
      - name: cipher_src
        overwrite: true
        type: keyword
        description: This key is for Source (Client) Cipher
      - name: cert_subject
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate organization only
      - name: peer
        overwrite: true
        type: keyword
        description: This key is for Encryption peer's IP Address
      - name: cipher_size_src
        overwrite: true
        type: long
        description: This key captures Source (Client) Cipher Size
      - name: ike
        overwrite: true
        type: keyword
        description: IKE negotiation phase.
      - name: scheme
        overwrite: true
        type: keyword
        description: This key captures the Encryption scheme used
      - name: peer_id
        overwrite: true
        type: keyword
        description: "This key is for Encryption peer\u2019s identity"
      - name: sig_type
        overwrite: true
        type: keyword
        description: This key captures the Signature Type
      - name: cert_issuer
        overwrite: true
        type: keyword
      - name: cert_host_name
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: cert_error
        overwrite: true
        type: keyword
        description: This key captures the Certificate Error String
      - name: cipher_dst
        overwrite: true
        type: keyword
        description: This key is for Destination (Server) Cipher
      - name: cipher_size_dst
        overwrite: true
        type: long
        description: This key captures Destination (Server) Cipher Size
      - name: ssl_ver_src
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: d_certauth
        overwrite: true
        type: keyword
      - name: s_certauth
        overwrite: true
        type: keyword
      - name: ike_cookie1
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
      - name: ike_cookie2
        overwrite: true
        type: keyword
        description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
      - name: cert_checksum
        overwrite: true
        type: keyword
      - name: cert_host_cat
        overwrite: true
        type: keyword
        description: This key is used for the hostname category value of a certificate
      - name: cert_serial
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate serial number only
      - name: cert_status
        overwrite: true
        type: keyword
        description: This key captures Certificate validation status
      - name: ssl_ver_dst
        overwrite: true
        type: keyword
        description: Deprecated, use version
      - name: cert_keysize
        overwrite: true
        type: keyword
      - name: cert_username
        overwrite: true
        type: keyword
      - name: https_insact
        overwrite: true
        type: keyword
      - name: https_valid
        overwrite: true
        type: keyword
      - name: cert_ca
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate signing authority only
      - name: cert_common
        overwrite: true
        type: keyword
        description: This key is used to capture the Certificate common name only
    - name: wireless
      overwrite: true
      type: group
      fields:
      - name: wlan_ssid
        overwrite: true
        type: keyword
        description: This key is used to capture the ssid of a Wireless Session
      - name: access_point
        overwrite: true
        type: keyword
        description: This key is used to capture the access point name.
      - name: wlan_channel
        overwrite: true
        type: long
        description: This is used to capture the channel names
      - name: wlan_name
        overwrite: true
        type: keyword
        description: This key captures either WLAN number/name
    - name: storage
      overwrite: true
      type: group
      fields:
      - name: disk_volume
        overwrite: true
        type: keyword
        description: A unique name assigned to logical units (volumes) within a physical disk
      - name: lun
        overwrite: true
        type: keyword
        description: Logical Unit Number. This key is a very useful concept in Storage.
      - name: pwwn
        overwrite: true
        type: keyword
        description: This uniquely identifies a port on a HBA.
    - name: physical
      overwrite: true
      type: group
      fields:
      - name: org_dst
        overwrite: true
        type: keyword
        description: This is used to capture the destination organization based on the GeoIP Maxmind database.
      - name: org_src
        overwrite: true
        type: keyword
        description: This is used to capture the source organization based on the GeoIP Maxmind database.
    - name: healthcare
      overwrite: true
      type: group
      fields:
      - name: patient_fname
        overwrite: true
        type: keyword
        description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_id
        overwrite: true
        type: keyword
        description: This key captures the unique ID for a patient
      - name: patient_lname
        overwrite: true
        type: keyword
        description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
      - name: patient_mname
        overwrite: true
        type: keyword
        description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
    - name: endpoint
      overwrite: true
      type: group
      fields:
      - name: host_state
        overwrite: true
        type: keyword
        description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
      - name: registry_key
        overwrite: true
        type: keyword
        description: This key captures the path to the registry key
      - name: registry_value
        overwrite: true
        type: keyword
        description: This key captures values or decorators used within a registry entry
  - name: sophos.xg
    type: group
    release: beta
    default_field: false
    description: >
      Module for parsing sophosxg syslog.
    fields:
    - name: device
      type: keyword
      description: >
        device
    - name: date
      type: date
      description: >
        Date (yyyy-mm-dd) when the event occurred
    - name: timezone
      type: keyword
      description: >
        Time (hh:mm:ss) when the event occurred
    - name: device_name
      type: keyword
      description: >
        Model number of the device
    - name: device_id
      type: keyword
      description: >
        Serial number of the device
    - name: log_id
      type: keyword
      description: >
        Unique 12-character code (0101011)
    - name: log_type
      type: keyword
      description: >
        Type of event e.g. firewall event
    - name: log_component
      type: keyword
      description: >
        Component responsible for logging e.g. Firewall rule
    - name: log_subtype
      type: keyword
      description: >
        Sub type of event
    - name: hb_health
      type: keyword
      description: >
        Heartbeat status
    - name: priority
      type: keyword
      description: >
        Severity level of traffic
    - name: status
      type: keyword
      description: >
        Ultimate status of traffic – Allowed or Denied
    - name: duration
      type: long
      description: >
        Duration of traffic (seconds)
    - name: fw_rule_id
      type: integer
      description: >
        Firewall Rule ID which is applied on the traffic
    - name: user_name
      type: keyword
      description: >
        user_name
    - name: user_group
      type: keyword
      description: >
        Group name to which the user belongs
    - name: iap
      type: keyword
      description: >
        Internet Access policy ID applied on the traffic
    - name: ips_policy_id
      type: integer
      description: >
        IPS policy ID applied on the traffic
    - name: policy_type
      type: keyword
      description: >
        Policy type applied to the traffic
    - name: appfilter_policy_id
      type: integer
      description: >
        Application Filter policy applied on the traffic
    - name: application_filter_policy
      type: integer
      description: >
        Application Filter policy applied on the traffic
    - name: application
      type: keyword
      description: >
        Application name
    - name: application_name
      type: keyword
      description: >
        Application name
    - name: application_risk
      type: keyword
      description: >
        Risk level assigned to the application
    - name: application_technology
      type: keyword
      description: >
        Technology of the application
    - name: application_category
      type: keyword
      description: >
        Application is resolved by signature or synchronized application
    - name: appresolvedby
      type: keyword
      description: >
        Technology of the application
    - name: app_is_cloud
      type: keyword
      description: >
        Application is Cloud
    - name: in_interface
      type: keyword
      description: >
        Interface for incoming traffic, e.g., Port A
    - name: out_interface
      type: keyword
      description: >
        Interface for outgoing traffic, e.g., Port B
    - name: src_ip
      type: ip
      description: >
        Original source IP address of traffic
    - name: src_mac
      type: keyword
      description: >
        Original source MAC address of traffic
    - name: src_country_code
      type: keyword
      description: >
        Code of the country to which the source IP belongs
    - name: dst_ip
      type: ip
      description: >
        Original destination IP address of traffic
    - name: dst_country_code
      type: keyword
      description: >
        Code of the country to which the destination IP belongs
    - name: protocol
      type: keyword
      description: >
        Protocol number of traffic
    - name: src_port
      type: integer
      description: >
        Original source port of TCP and UDP traffic
    - name: dst_port
      type: integer
      description: >
        Original destination port of TCP and UDP traffic
    - name: icmp_type
      type: keyword
      description: >
        ICMP type of ICMP traffic
    - name: icmp_code
      type: keyword
      description: >
        ICMP code of ICMP traffic
    - name: sent_pkts
      type: long
      description: >
        Total number of packets sent
    - name: received_pkts
      type: long
      description: >
        Total number of packets received
    - name: sent_bytes
      type: long
      description: >
        Total number of bytes sent
    - name: recv_bytes
      type: long
      description: >
        Total number of bytes received
    - name: trans_src_ip
      type: ip
      description: >
        Translated source IP address for outgoing traffic
    - name: trans_src_port
      type: integer
      description: >
        Translated source port for outgoing traffic
    - name: trans_dst_ip
      type: ip
      description: >
        Translated destination IP address for outgoing traffic
    - name: trans_dst_port
      type: integer
      description: >
        Translated destination port for outgoing traffic
    - name: srczonetype
      type: keyword
      description: >
        Type of source zone, e.g., LAN
    - name: srczone
      type: keyword
      description: >
        Name of source zone
    - name: dstzonetype
      type: keyword
      description: >
        Type of destination zone, e.g., WAN
    - name: dstzone
      type: keyword
      description: >
        Name of destination zone
    - name: dir_disp
      type: keyword
      description: >
        Packet direction. Possible values: “org”, “reply”, “”
    - name: connevent
      type: keyword
      description: >
        Event on which this log is generated
    - name: conn_id
      type: integer
      description: >
        Unique identifier of connection
    - name: vconn_id
      type: integer
      description: >
        Connection ID of the master connection
    - name: idp_policy_id
      type: integer
      description: >
        IPS policy ID which is applied on the traffic
    - name: idp_policy_name
      type: keyword
      description: >
        IPS policy name which is applied on the traffic
    - name: signature_id
      type: keyword
      description: >
        Signature ID
    - name: signature_msg
      type: keyword
      description: >
        Signature message
    - name: classification
      type: keyword
      description: >
        Signature classification
    - name: rule_priority
      type: keyword
      description: >
        Priority of IPS policy
    - name: platform
      type: keyword
      description: >
        Platform of the traffic.
    - name: category
      type: keyword
      description: >
        IPS signature category.
    - name: target
      type: keyword
      description: >
        Platform of the traffic.
    - name: eventid
      type: keyword
      description: >
        ATP Event ID
    - name: ep_uuid
      type: keyword
      description: >
        Endpoint UUID
    - name: threatname
      type: keyword
      description: >
        ATP threatname
    - name: sourceip
      type: ip
      description: >
        Original source IP address of traffic
    - name: destinationip
      type: ip
      description: >
        Original destination IP address of traffic
    - name: login_user
      type: keyword
      description: >
        ATP login user
    - name: eventtype
      type: keyword
      description: >
        ATP event type
    - name: execution_path
      type: keyword
      description: >
        ATP execution path
    - name: av_policy_name
      type: keyword
      description: >
        Malware scanning policy name which is applied on the traffic
    - name: from_email_address
      type: keyword
      description: >
        Sender email address
    - name: to_email_address
      type: keyword
      description: >
        Recipient email address
    - name: subject
      type: keyword
      description: >
        Email subject
    - name: mailsize
      type: integer
      description: >
        mailsize
    - name: virus
      type: keyword
      description: >
        virus name
    - name: ftp_url
      type: keyword
      description: >
        FTP URL from which virus was downloaded
    - name: ftp_direction
      type: keyword
      description: >
        Direction of FTP transfer: Upload or Download
    - name: filesize
      type: integer
      description: >
        Size of the file that contained virus
    - name: filepath
      type: keyword
      description: >
        Path of the file containing virus
    - name: filename
      type: keyword
      description: >
        File name associated with the event
    - name: ftpcommand
      type: keyword
      description: >
        FTP command used when virus was found
    - name: url
      type: keyword
      description: >
        URL from which virus was downloaded
    - name: domainname
      type: keyword
      description: >
        Domain from which virus was downloaded
    - name: quarantine
      type: keyword
      description: >
        Path and filename of the file quarantined
    - name: src_domainname
      type: keyword
      description: >
        Sender domain name
    - name: dst_domainname
      type: keyword
      description: >
        Receiver domain name
    - name: reason
      type: keyword
      description: >
        Reason why the record was detected as spam/malicious
    - name: referer
      type: keyword
      description: >
        Referer
    - name: spamaction
      type: keyword
      description: >
        Spam Action
    - name: mailid
      type: keyword
      description: >
        mailid
    - name: quarantine_reason
      type: keyword
      description: >
        Quarantine reason
    - name: status_code
      type: keyword
      description: >
        Status code
    - name: override_token
      type: keyword
      description: >
        Override token
    - name: con_id
      type: integer
      description: >
        Unique identifier of connection
    - name: override_authorizer
      type: keyword
      description: >
        Override authorizer
    - name: transactionid
      type: keyword
      description: >
        Transaction ID of the AV scan.
    - name: upload_file_type
      type: keyword
      description: >
        Upload file type
    - name: upload_file_name
      type: keyword
      description: >
        Upload file name
    - name: httpresponsecode
      type: long
      description: >
        Code of HTTP response
    - name: user_gp
      type: keyword
      description: >
        Group name to which the user belongs.
    - name: category_type
      type: keyword
      description: >
        Type of category under which website falls
    - name: download_file_type
      type: keyword
      description: >
        Download file type
    - name: exceptions
      type: keyword
      description: >
        List of the checks excluded by web exceptions.
    - name: contenttype
      type: keyword
      description: >
        Type of the content
    - name: override_name
      type: keyword
      description: >
        Override name
    - name: activityname
      type: keyword
      description: >
        Web policy activity that matched and caused the policy result.
    - name: download_file_name
      type: keyword
      description: >
        Download file name
    - name: sha1sum
      type: keyword
      description: >
        SHA1 checksum of the item being analyzed
    - name: message_id
      type: keyword
      description: >
        Message ID
    - name: connid
      type: keyword
      description: >
        Connection ID
    - name: message
      type: keyword
      description: >
        Message
    - name: email_subject
      type: keyword
      description: >
        Email Subject
    - name: file_path
      type: keyword
      description: >
        File path
    - name: dstdomain
      type: keyword
      description: >
        Destination Domain
    - name: file_size
      type: integer
      description: >
        File Size
    - name: transaction_id
      type: keyword
      description: >
        Transaction ID
    - name: website
      type: keyword
      description: >
        Website
    - name: file_name
      type: keyword
      description: >
        Filename
    - name: context_prefix
      type: keyword
      description: >
        Context Prefix
    - name: site_category
      type: keyword
      description: >
        Site Category
    - name: context_suffix
      type: keyword
      description: >
        Context Suffix
    - name: dictionary_name
      type: keyword
      description: >
        Dictionary Name
    - name: action
      type: keyword
      description: >
        Event Action
    - name: user
      type: keyword
      description: >
        User
    - name: context_match
      type: keyword
      description: >
        Context Match
    - name: direction
      type: keyword
      description: >
        Direction
    - name: auth_client
      type: keyword
      description: >
        Auth Client
    - name: auth_mechanism
      type: keyword
      description: >
        Auth mechanism
    - name: connectionname
      type: keyword
      description: >
        Connection name
    - name: remotenetwork
      type: keyword
      description: >
        Remote network
    - name: localgateway
      type: keyword
      description: >
        Local gateway
    - name: localnetwork
      type: keyword
      description: >
        Local network
    - name: connectiontype
      type: keyword
      description: >
        Connection type
    - name: oldversion
      type: keyword
      description: >
        Old version
    - name: newversion
      type: keyword
      description: >
        New version
    - name: ipaddress
      type: keyword
      description: >
        IP address
    - name: client_physical_address
      type: keyword
      description: >
        Client physical address
    - name: client_host_name
      type: keyword
      description: >
        Client host name
    - name: raw_data
      type: keyword
      description: >
        Raw data
    - name: Mode
      type: keyword
      description: >
        Mode
    - name: sessionid
      type: keyword
      description: >
        Session ID
    - name: starttime
      type: date
      description: >
        Start time
    - name: remote_ip
      type: ip
      description: >
        Remote IP
    - name: timestamp
      type: date
      description: >
        timestamp
    - name: SysLog_SERVER_NAME
      type: keyword
      description: >
        SysLog SERVER NAME
    - name: backup_mode
      type: keyword
      description: >
        Backup mode
    - name: source
      type: keyword
      description: >
        Source
    - name: server
      type: keyword
      description: >
        Server
    - name: host
      type: keyword
      description: >
        Host
    - name: responsetime
      type: long
      description: >
        Response time
    - name: cookie
      type: keyword
      description: >
        cookie
    - name: querystring
      type: keyword
      description: >
        querystring
    - name: extra
      type: keyword
      description: >
        extra
    - name: PHPSESSID
      type: keyword
      description: >
        PHPSESSID
    - name: start_time
      type: date
      description: >
        Start time
    - name: eventtime
      type: date
      description: >
        Event time
    - name: red_id
      type: keyword
      description: >
        RED ID
    - name: branch_name
      type: keyword
      description: >
        Branch Name
    - name: updatedip
      type: ip
      description: >
        Updated IP
    - name: idle_cpu
      type: float
      description: >
        idle CPU
    - name: system_cpu
      type: float
      description: >
        system CPU
    - name: user_cpu
      type: float
      description: >
        user CPU
    - name: used
      type: integer
      description: >
        used
    - name: unit
      type: keyword
      description: >
        unit
    - name: total_memory
      type: integer
      description: >
        Total Memory
    - name: free
      type: integer
      description: >
        free
    - name: transmittederrors
      type: keyword
      description: >
        transmitted errors
    - name: receivederrors
      type: keyword
      description: >
        received errors
    - name: receivedkbits
      type: long
      description: >
        received kbits
    - name: transmittedkbits
      type: long
      description: >
        transmitted kbits
    - name: transmitteddrops
      type: long
      description: >
        transmitted drops
    - name: receiveddrops
      type: long
      description: >
        received drops
    - name: collisions
      type: long
      description: >
        collisions
    - name: interface
      type: keyword
      description: >
        interface
    - name: Configuration
      type: float
      description: >
        Configuration
    - name: Reports
      type: float
      description: >
        Reports
    - name: Signature
      type: float
      description: >
        Signature
    - name: Temp
      type: float
      description: >
        Temp
    - name: users
      type: keyword
      description: >
        users
    - name: ssid
      type: keyword
      description: >
        ssid
    - name: ap
      type: keyword
      description: >
        ap
    - name: clients_conn_ssid
      type: keyword
      description: >
        clients connection ssid
    - name: sqli
      type: keyword
      description: >
        The related SQLI caught by the WAF
    - name: xss
      type: keyword
      description: >
        The related XSS caught by the WAF
- key: squid
  title: Squid
  description: >
    squid fields.
  fields:
  - name: network.interface.name
    overwrite: true
    type: keyword
    default_field: false
    description: >
      Name of the network interface where the traffic has been observed.
  - name: rsa
    overwrite: true
    type: group
    default_field: false
    fields:
    - name: internal
      overwrite: true
      type: group
      fields:
      - name: msg
        overwrite: true
        type: keyword
        description: This key is used to capture the raw message that comes into the Log Decoder
      - name: messageid
        overwrite: true
        type: keyword
      - name: event_desc
        overwrite: true
        type: keyword
      - name: message
        overwrite: true
        type: keyword
        description: This key captures the contents of instant messages
      - name: time
        overwrite: true
        type: date
        description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
      - name: level
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: msg_id
        overwrite: true
        type: keyword
        description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: msg_vid
        overwrite: true
        type: keyword
        description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
      - name: data
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_server
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_val
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: resource
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: obj_id
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: statement
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: audit_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: entry
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: hcode
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
      - name: inode
        overwrite: true
        type: long
        description: Deprecated key defined only in table map.
      - name: resource_class
        overwrite: true
        type: keyword
        description: Deprecated key defined only in table map.
- name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
- name: hardware_id overwrite: true type: keyword description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - name: risk overwrite: true type: keyword description: This key captures the non-numeric risk value - name: event_id overwrite: true type: keyword - name: reason overwrite: true type: keyword - name: status overwrite: true type: keyword - name: mail_id overwrite: true type: keyword description: This key is used to capture the mailbox id/name - name: rule_uid overwrite: true type: keyword description: This key is the Unique Identifier for a rule. - name: trigger_desc overwrite: true type: keyword description: This key captures the Description of the trigger or threshold condition. - name: inout overwrite: true type: keyword - name: p_msgid overwrite: true type: keyword - name: data_type overwrite: true type: keyword - name: msgIdPart4 overwrite: true type: keyword - name: error overwrite: true type: keyword description: This key captures All non successful Error codes or responses - name: index overwrite: true type: keyword - name: listnum overwrite: true type: keyword description: This key is used to capture listname or listnumber, primarily for collecting access-list - name: ntype overwrite: true type: keyword - name: observed_val overwrite: true type: keyword description: This key captures the Value observed (from the perspective of the device generating the log). - name: policy_value overwrite: true type: keyword description: This key captures the contents of the policy. 
This contains details about the policy - name: pool_name overwrite: true type: keyword description: This key captures the name of a resource pool - name: rule_template overwrite: true type: keyword description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - name: count overwrite: true type: keyword - name: number overwrite: true type: keyword - name: sigcat overwrite: true type: keyword - name: type overwrite: true type: keyword - name: comments overwrite: true type: keyword description: Comment information provided in the log message - name: doc_number overwrite: true type: long description: This key captures File Identification number - name: expected_val overwrite: true type: keyword description: This key captures the Value expected (from the perspective of the device generating the log). - name: job_num overwrite: true type: keyword description: This key captures the Job Number - name: spi_dst overwrite: true type: keyword description: Destination SPI Index - name: spi_src overwrite: true type: keyword description: Source SPI Index - name: code overwrite: true type: keyword - name: agent_id overwrite: true type: keyword description: This key is used to capture agent id - name: message_body overwrite: true type: keyword description: This key captures the The contents of the message body. - name: phone overwrite: true type: keyword - name: sig_id_str overwrite: true type: keyword description: This key captures a string object of the sigid variable. - name: cmd overwrite: true type: keyword - name: misc overwrite: true type: keyword - name: name overwrite: true type: keyword - name: cpu overwrite: true type: long description: This key is the CPU time used in the execution of the event being recorded. 
- name: event_desc overwrite: true type: keyword description: This key is used to capture a description of an event available directly or inferred - name: sig_id1 overwrite: true type: long description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - name: im_buddyid overwrite: true type: keyword - name: im_client overwrite: true type: keyword - name: im_userid overwrite: true type: keyword - name: pid overwrite: true type: keyword - name: priority overwrite: true type: keyword - name: context_subject overwrite: true type: keyword description: This key is to be used in an audit context where the subject is the object being identified - name: context_target overwrite: true type: keyword - name: cve overwrite: true type: keyword description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - name: fcatnum overwrite: true type: keyword description: This key captures Filter Category Number. Legacy Usage - name: library overwrite: true type: keyword description: This key is used to capture library information in mainframe devices - name: parent_node overwrite: true type: keyword description: This key captures the Parent Node Name. Must be related to node variable. - name: risk_info overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: tcp_flags overwrite: true type: long description: This key is captures the TCP flags set in any packet of session - name: tos overwrite: true type: long description: This key describes the type of service - name: vm_target overwrite: true type: keyword description: VMWare Target **VMWARE** only varaible. 
- name: workspace overwrite: true type: keyword description: This key captures Workspace Description - name: command overwrite: true type: keyword - name: event_category overwrite: true type: keyword - name: facilityname overwrite: true type: keyword - name: forensic_info overwrite: true type: keyword - name: jobname overwrite: true type: keyword - name: mode overwrite: true type: keyword - name: policy overwrite: true type: keyword - name: policy_waiver overwrite: true type: keyword - name: second overwrite: true type: keyword - name: space1 overwrite: true type: keyword - name: subcategory overwrite: true type: keyword - name: tbdstr2 overwrite: true type: keyword - name: alert_id overwrite: true type: keyword description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: checksum_dst overwrite: true type: keyword description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - name: checksum_src overwrite: true type: keyword description: This key is used to capture the checksum or hash of the source entity such as a file or process. 
- name: fresult overwrite: true type: long description: This key captures the Filter Result - name: payload_dst overwrite: true type: keyword description: This key is used to capture destination payload - name: payload_src overwrite: true type: keyword description: This key is used to capture source payload - name: pool_id overwrite: true type: keyword description: This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val overwrite: true type: keyword description: This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm overwrite: true type: double description: This key captures Risk Number Community - name: risk_num_next overwrite: true type: double description: This key captures Risk Number NextGen - name: risk_num_sand overwrite: true type: double description: This key captures Risk Number SandBox - name: risk_num_static overwrite: true type: double description: This key captures Risk Number Static - name: risk_suspicious overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: risk_warning overwrite: true type: keyword description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - name: snmp_oid overwrite: true type: keyword description: SNMP Object Identifier - name: sql overwrite: true type: keyword description: This key captures the SQL query - name: vuln_ref overwrite: true type: keyword description: This key captures the Vulnerability Reference details - name: acl_id overwrite: true type: keyword - name: acl_op overwrite: true type: keyword - name: acl_pos overwrite: true type: keyword - name: acl_table overwrite: true type: keyword - name: admin overwrite: true type: keyword - name: alarm_id overwrite: true type: keyword - name: alarmname overwrite: true type: keyword - name: app_id overwrite: true type: keyword - name: audit overwrite: true type: keyword - name: audit_object overwrite: true 
            type: keyword
          - name: auditdata
            overwrite: true
            type: keyword
          - name: benchmark
            overwrite: true
            type: keyword
          - name: bypass
            overwrite: true
            type: keyword
          - name: cache
            overwrite: true
            type: keyword
          - name: cache_hit
            overwrite: true
            type: keyword
          - name: cefversion
            overwrite: true
            type: keyword
          - name: cfg_attr
            overwrite: true
            type: keyword
          - name: cfg_obj
            overwrite: true
            type: keyword
          - name: cfg_path
            overwrite: true
            type: keyword
          - name: changes
            overwrite: true
            type: keyword
          - name: client_ip
            overwrite: true
            type: keyword
          - name: clustermembers
            overwrite: true
            type: keyword
          - name: cn_acttimeout
            overwrite: true
            type: keyword
          - name: cn_asn_src
            overwrite: true
            type: keyword
          - name: cn_bgpv4nxthop
            overwrite: true
            type: keyword
          - name: cn_ctr_dst_code
            overwrite: true
            type: keyword
          - name: cn_dst_tos
            overwrite: true
            type: keyword
          - name: cn_dst_vlan
            overwrite: true
            type: keyword
          - name: cn_engine_id
            overwrite: true
            type: keyword
          - name: cn_engine_type
            overwrite: true
            type: keyword
          - name: cn_f_switch
            overwrite: true
            type: keyword
          - name: cn_flowsampid
            overwrite: true
            type: keyword
          - name: cn_flowsampintv
            overwrite: true
            type: keyword
          - name: cn_flowsampmode
            overwrite: true
            type: keyword
          - name: cn_inacttimeout
            overwrite: true
            type: keyword
          - name: cn_inpermbyts
            overwrite: true
            type: keyword
          - name: cn_inpermpckts
            overwrite: true
            type: keyword
          - name: cn_invalid
            overwrite: true
            type: keyword
          - name: cn_ip_proto_ver
            overwrite: true
            type: keyword
          - name: cn_ipv4_ident
            overwrite: true
            type: keyword
          - name: cn_l_switch
            overwrite: true
            type: keyword
          - name: cn_log_did
            overwrite: true
            type: keyword
          - name: cn_log_rid
            overwrite: true
            type: keyword
          - name: cn_max_ttl
            overwrite: true
            type: keyword
          - name: cn_maxpcktlen
            overwrite: true
            type: keyword
          - name: cn_min_ttl
            overwrite: true
            type: keyword
          - name: cn_minpcktlen
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_1
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_10
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_2
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_3
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_4
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_5
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_6
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_7
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_8
            overwrite: true
            type: keyword
          - name: cn_mpls_lbl_9
            overwrite: true
            type: keyword
          - name: cn_mplstoplabel
            overwrite: true
            type: keyword
          - name: cn_mplstoplabip
            overwrite: true
            type: keyword
          - name: cn_mul_dst_byt
            overwrite: true
            type: keyword
          - name: cn_mul_dst_pks
            overwrite: true
            type: keyword
          - name: cn_muligmptype
            overwrite: true
            type: keyword
          - name: cn_sampalgo
            overwrite: true
            type: keyword
          - name: cn_sampint
            overwrite: true
            type: keyword
          - name: cn_seqctr
            overwrite: true
            type: keyword
          - name: cn_spackets
            overwrite: true
            type: keyword
          - name: cn_src_tos
            overwrite: true
            type: keyword
          - name: cn_src_vlan
            overwrite: true
            type: keyword
          - name: cn_sysuptime
            overwrite: true
            type: keyword
          - name: cn_template_id
            overwrite: true
            type: keyword
          - name: cn_totbytsexp
            overwrite: true
            type: keyword
          - name: cn_totflowexp
            overwrite: true
            type: keyword
          - name: cn_totpcktsexp
            overwrite: true
            type: keyword
          - name: cn_unixnanosecs
            overwrite: true
            type: keyword
          - name: cn_v6flowlabel
            overwrite: true
            type: keyword
          - name: cn_v6optheaders
            overwrite: true
            type: keyword
          - name: comp_class
            overwrite: true
            type: keyword
          - name: comp_name
            overwrite: true
            type: keyword
          - name: comp_rbytes
            overwrite: true
            type: keyword
          - name: comp_sbytes
            overwrite: true
            type: keyword
          - name: cpu_data
            overwrite: true
            type: keyword
          - name: criticality
            overwrite: true
            type: keyword
          - name: cs_agency_dst
            overwrite: true
            type: keyword
          - name: cs_analyzedby
            overwrite: true
            type: keyword
          - name: cs_av_other
            overwrite: true
            type: keyword
          - name: cs_av_primary
            overwrite: true
            type: keyword
          - name: cs_av_secondary
            overwrite: true
            type: keyword
          - name: cs_bgpv6nxthop
            overwrite: true
            type: keyword
          - name: cs_bit9status
            overwrite: true
            type: keyword
          - name: cs_context
            overwrite: true
            type: keyword
          - name: cs_control
            overwrite: true
            type: keyword
          - name: cs_data
            overwrite: true
            type: keyword
          - name: cs_datecret
            overwrite: true
            type: keyword
          - name: cs_dst_tld
            overwrite: true
            type: keyword
          - name: cs_eth_dst_ven
            overwrite: true
            type: keyword
          - name: cs_eth_src_ven
            overwrite: true
            type: keyword
          - name: cs_event_uuid
            overwrite: true
            type: keyword
          - name: cs_filetype
            overwrite: true
            type: keyword
          - name: cs_fld
            overwrite: true
            type: keyword
          - name: cs_if_desc
            overwrite: true
            type: keyword
          - name: cs_if_name
            overwrite: true
            type: keyword
          - name: cs_ip_next_hop
            overwrite: true
            type: keyword
          - name: cs_ipv4dstpre
            overwrite: true
            type: keyword
          - name: cs_ipv4srcpre
            overwrite: true
            type: keyword
          - name: cs_lifetime
            overwrite: true
            type: keyword
          - name: cs_log_medium
            overwrite: true
            type: keyword
          - name: cs_loginname
            overwrite: true
            type: keyword
          - name: cs_modulescore
            overwrite: true
            type: keyword
          - name: cs_modulesign
            overwrite: true
            type: keyword
          - name: cs_opswatresult
            overwrite: true
            type: keyword
          - name: cs_payload
            overwrite: true
            type: keyword
          - name: cs_registrant
            overwrite: true
            type: keyword
          - name: cs_registrar
            overwrite: true
            type: keyword
          - name: cs_represult
            overwrite: true
            type: keyword
          - name: cs_rpayload
            overwrite: true
            type: keyword
          - name: cs_sampler_name
            overwrite: true
            type: keyword
          - name: cs_sourcemodule
            overwrite: true
            type: keyword
          - name: cs_streams
            overwrite: true
            type: keyword
          - name: cs_targetmodule
            overwrite: true
            type: keyword
          - name: cs_v6nxthop
            overwrite: true
            type: keyword
          - name: cs_whois_server
            overwrite: true
            type: keyword
          - name: cs_yararesult
            overwrite: true
            type: keyword
          - name: description
            overwrite: true
            type: keyword
          - name: devvendor
            overwrite: true
            type: keyword
          - name: distance
            overwrite: true
            type: keyword
          - name: dstburb
            overwrite: true
            type: keyword
          - name: edomain
            overwrite: true
            type: keyword
          - name: edomaub
            overwrite: true
            type: keyword
          - name: euid
            overwrite: true
            type: keyword
          - name: facility
            overwrite: true
            type: keyword
          - name: finterface
            overwrite: true
            type: keyword
          - name: flags
            overwrite: true
            type: keyword
          - name: gaddr
            overwrite: true
            type: keyword
          - name: id3
            overwrite: true
            type: keyword
          - name: im_buddyname
            overwrite: true
            type: keyword
          - name: im_croomid
            overwrite: true
            type: keyword
          - name: im_croomtype
            overwrite: true
            type: keyword
          - name: im_members
            overwrite: true
            type: keyword
          - name: im_username
            overwrite: true
            type: keyword
          - name: ipkt
            overwrite: true
            type: keyword
          - name: ipscat
            overwrite: true
            type: keyword
          - name: ipspri
            overwrite: true
            type: keyword
          - name: latitude
            overwrite: true
            type: keyword
          - name: linenum
            overwrite: true
            type: keyword
          - name: list_name
            overwrite: true
            type: keyword
          - name: load_data
            overwrite: true
            type: keyword
          - name: location_floor
            overwrite: true
            type: keyword
          - name: location_mark
            overwrite: true
            type: keyword
          - name: log_id
            overwrite: true
            type: keyword
          - name: log_type
            overwrite: true
            type: keyword
          - name: logid
            overwrite: true
            type: keyword
          - name: logip
            overwrite: true
            type: keyword
          - name: logname
            overwrite: true
            type: keyword
          - name: longitude
            overwrite: true
            type: keyword
          - name: lport
            overwrite: true
            type: keyword
          - name: mbug_data
            overwrite: true
            type: keyword
          - name: misc_name
            overwrite: true
            type: keyword
          - name: msg_type
            overwrite: true
            type: keyword
          - name: msgid
            overwrite: true
            type: keyword
          - name: netsessid
            overwrite: true
            type: keyword
          - name: num
            overwrite: true
            type: keyword
          - name: number1
            overwrite: true
            type: keyword
          - name: number2
            overwrite: true
            type: keyword
          - name: nwwn
            overwrite: true
            type: keyword
          - name: object
            overwrite: true
            type: keyword
          - name: operation
            overwrite: true
            type: keyword
          - name: opkt
            overwrite: true
            type: keyword
          - name: orig_from
            overwrite: true
            type: keyword
          - name: owner_id
            overwrite: true
            type: keyword
          - name: p_action
            overwrite: true
            type: keyword
          - name: p_filter
            overwrite: true
            type: keyword
          - name: p_group_object
            overwrite: true
            type: keyword
          - name: p_id
            overwrite: true
            type: keyword
          - name: p_msgid1
            overwrite: true
            type: keyword
          - name: p_msgid2
            overwrite: true
            type: keyword
          - name: p_result1
            overwrite: true
            type: keyword
          - name: password_chg
            overwrite: true
            type: keyword
          - name: password_expire
            overwrite: true
            type: keyword
          - name: permgranted
            overwrite: true
            type: keyword
          - name: permwanted
            overwrite: true
            type: keyword
          - name: pgid
            overwrite: true
            type: keyword
          - name: policyUUID
            overwrite: true
            type: keyword
          - name: prog_asp_num
            overwrite: true
            type: keyword
          - name: program
            overwrite: true
            type: keyword
          - name: real_data
            overwrite: true
            type: keyword
          - name: rec_asp_device
            overwrite: true
            type: keyword
          - name: rec_asp_num
            overwrite: true
            type: keyword
          - name: rec_library
            overwrite: true
            type: keyword
          - name: recordnum
            overwrite: true
            type: keyword
          - name: ruid
            overwrite: true
            type: keyword
          - name: sburb
            overwrite: true
            type: keyword
          - name: sdomain_fld
            overwrite: true
            type: keyword
          - name: sec
            overwrite: true
            type: keyword
          - name: sensorname
            overwrite: true
            type: keyword
          - name: seqnum
            overwrite: true
            type: keyword
          - name: session
            overwrite: true
            type: keyword
          - name: sessiontype
            overwrite: true
            type: keyword
          - name: sigUUID
            overwrite: true
            type: keyword
          - name: spi
            overwrite: true
            type: keyword
          - name: srcburb
            overwrite: true
            type: keyword
          - name: srcdom
            overwrite: true
            type: keyword
          - name: srcservice
            overwrite: true
            type: keyword
          - name: state
            overwrite: true
            type: keyword
          - name: status1
            overwrite: true
            type: keyword
          - name: svcno
            overwrite: true
            type: keyword
          - name: system
            overwrite: true
            type: keyword
          - name: tbdstr1
            overwrite: true
            type: keyword
          - name: tgtdom
            overwrite: true
            type: keyword
          - name: tgtdomain
            overwrite: true
            type: keyword
          - name: threshold
            overwrite: true
            type: keyword
          - name: type1
            overwrite: true
            type: keyword
          - name: udb_class
            overwrite: true
            type: keyword
          - name: url_fld
            overwrite: true
            type: keyword
          - name: user_div
            overwrite: true
            type: keyword
          - name: userid
            overwrite: true
            type: keyword
          - name: username_fld
            overwrite: true
            type: keyword
          - name: utcstamp
            overwrite: true
            type: keyword
          - name: v_instafname
            overwrite: true
            type: keyword
          - name: virt_data
            overwrite: true
            type: keyword
          - name: vpnid
            overwrite: true
            type: keyword
          - name: autorun_type
            overwrite: true
            type: keyword
            description: This is used to capture Auto Run type
          - name: cc_number
            overwrite: true
            type: long
            description: Valid Credit Card Numbers only
          - name: content
            overwrite: true
            type: keyword
            description: This key captures the content type from protocol headers
          - name: ein_number
            overwrite: true
            type: long
            description: Employee Identification Numbers only
          - name: found
            overwrite: true
            type: keyword
            description: This is used to capture the results of regex match
          - name: language
            overwrite: true
            type: keyword
            description: This is used to capture list of languages the client supports and which it prefers
          - name: lifetime
            overwrite: true
            type: long
            description: This key is used to capture the session lifetime in seconds.
          - name: link
            overwrite: true
            type: keyword
            description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness
          - name: match
            overwrite: true
            type: keyword
            description: This key is for regex match name from search.ini
          - name: param_dst
            overwrite: true
            type: keyword
            description: This key captures the command line/launch argument of the target process or file
          - name: param_src
            overwrite: true
            type: keyword
            description: This key captures source parameter
          - name: search_text
            overwrite: true
            type: keyword
            description: This key captures the Search Text used
          - name: sig_name
            overwrite: true
            type: keyword
            description: This key is used to capture the Signature Name only.
          - name: snmp_value
            overwrite: true
            type: keyword
            description: SNMP set request value
          - name: streams
            overwrite: true
            type: long
            description: This key captures number of streams in session
      - name: db
        overwrite: true
        type: group
        fields:
          - name: index
            overwrite: true
            type: keyword
            description: This key captures IndexID of the index.
          - name: instance
            overwrite: true
            type: keyword
            description: This key is used to capture the database server instance name
          - name: database
            overwrite: true
            type: keyword
            description: This key is used to capture the name of a database or an instance as seen in a session
          - name: transact_id
            overwrite: true
            type: keyword
            description: This key captures the SQL transaction ID of the current session
          - name: permissions
            overwrite: true
            type: keyword
            description: This key captures permission or privilege level assigned to a resource.
          - name: table_name
            overwrite: true
            type: keyword
            description: This key is used to capture the table name
          - name: db_id
            overwrite: true
            type: keyword
            description: This key is used to capture the unique identifier for a database
          - name: db_pid
            overwrite: true
            type: long
            description: This key captures the process id of a connection with database server
          - name: lread
            overwrite: true
            type: long
            description: This key is used for the number of logical reads
          - name: lwrite
            overwrite: true
            type: long
            description: This key is used for the number of logical writes
          - name: pread
            overwrite: true
            type: long
            description: This key is used for the number of physical writes
      - name: network
        overwrite: true
        type: group
        fields:
          - name: alias_host
            overwrite: true
            type: keyword
            description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
          - name: domain
            overwrite: true
            type: keyword
          - name: host_dst
            overwrite: true
            type: keyword
            description: "This key should only be used when it\u2019s a Destination Hostname"
          - name: network_service
            overwrite: true
            type: keyword
            description: This is used to capture layer 7 protocols/service names
          - name: interface
            overwrite: true
            type: keyword
            description: This key should be used when the source or destination context of an interface is not clear
          - name: network_port
            overwrite: true
            type: long
            description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
          - name: eth_host
            overwrite: true
            type: keyword
            description: Deprecated, use alias.mac
          - name: sinterface
            overwrite: true
            type: keyword
            description: "This key should only be used when it\u2019s a Source Interface"
          - name: dinterface
            overwrite: true
            type: keyword
            description: "This key should only be used when it\u2019s a Destination Interface"
          - name: vlan
            overwrite: true
            type: long
            description: This key should only be used to capture the ID of the Virtual LAN
          - name: zone_src
            overwrite: true
            type: keyword
            description: "This key should only be used when it\u2019s a Source Zone."
          - name: zone
            overwrite: true
            type: keyword
            description: This key should be used when the source or destination context of a Zone is not clear
          - name: zone_dst
            overwrite: true
            type: keyword
            description: "This key should only be used when it\u2019s a Destination Zone."
          - name: gateway
            overwrite: true
            type: keyword
            description: This key is used to capture the IP Address of the gateway
          - name: icmp_type
            overwrite: true
            type: long
            description: This key is used to capture the ICMP type only
          - name: mask
            overwrite: true
            type: keyword
            description: This key is used to capture the device network IP mask.
          - name: icmp_code
            overwrite: true
            type: long
            description: This key is used to capture the ICMP code only
          - name: protocol_detail
            overwrite: true
            type: keyword
            description: This key should be used to capture additional protocol information
          - name: dmask
            overwrite: true
            type: keyword
            description: This key is used for Destination Device network mask
          - name: port
            overwrite: true
            type: long
            description: This key should only be used to capture a Network Port when the directionality is not clear
          - name: smask
            overwrite: true
            type: keyword
            description: This key is used for capturing source Network Mask
          - name: netname
            overwrite: true
            type: keyword
            description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
          - name: paddr
            overwrite: true
            type: ip
            description: Deprecated
          - name: faddr
            overwrite: true
            type: keyword
          - name: lhost
            overwrite: true
            type: keyword
          - name: origin
            overwrite: true
            type: keyword
          - name: remote_domain_id
            overwrite: true
            type: keyword
          - name: addr
            overwrite: true
            type: keyword
          - name: dns_a_record
            overwrite: true
            type: keyword
          - name: dns_ptr_record
            overwrite: true
            type: keyword
          - name: fhost
            overwrite: true
            type: keyword
          - name: fport
            overwrite: true
            type: keyword
          - name: laddr
            overwrite: true
            type: keyword
          - name: linterface
            overwrite: true
            type: keyword
          - name: phost
            overwrite: true
            type: keyword
          - name: ad_computer_dst
            overwrite: true
            type: keyword
            description: Deprecated, use host.dst
          - name: eth_type
            overwrite: true
            type: long
            description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
          - name: ip_proto
            overwrite: true
            type: long
            description: This key should be used to capture the Protocol number; all the protocol numbers are converted into strings in the UI
          - name: dns_cname_record
            overwrite: true
            type: keyword
          - name: dns_id
            overwrite: true
            type: keyword
          - name: dns_opcode
            overwrite: true
            type: keyword
          - name: dns_resp
            overwrite: true
            type: keyword
          - name: dns_type
            overwrite: true
            type: keyword
          - name: domain1
            overwrite: true
            type: keyword
          - name: host_type
            overwrite: true
            type: keyword
          - name: packet_length
            overwrite: true
            type: keyword
          - name: host_orig
            overwrite: true
            type: keyword
            description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
          - name: rpayload
            overwrite: true
            type: keyword
            description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
          - name: vlan_name
            overwrite: true
            type: keyword
            description: This key should only be used to capture the name of the Virtual LAN
      - name: investigations
        overwrite: true
        type: group
        fields:
          - name: ec_activity
            overwrite: true
            type: keyword
            description: This key captures the particular event activity (Ex:Logoff)
          - name: ec_theme
            overwrite: true
            type: keyword
            description: This key captures the Theme of a particular Event (Ex:Authentication)
          - name: ec_subject
            overwrite: true
            type: keyword
            description: This key captures the Subject of a particular Event (Ex:User)
          - name: ec_outcome
            overwrite: true
            type: keyword
            description: This key captures the outcome of a particular Event (Ex:Success)
          - name: event_cat
            overwrite: true
            type: long
            description: This key captures the Event category number
          - name: event_cat_name
            overwrite: true
            type: keyword
            description: This key captures the event category name corresponding to the event cat code
          - name: event_vcat
            overwrite: true
            type: keyword
            description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
          - name: analysis_file
            overwrite: true
            type: keyword
            description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
          - name: analysis_service
            overwrite: true
            type: keyword
            description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
          - name: analysis_session
            overwrite: true
            type: keyword
            description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
          - name: boc
            overwrite: true
            type: keyword
            description: This is used to capture behaviour of compromise
          - name: eoc
            overwrite: true
            type: keyword
            description: This is used to capture Enablers of Compromise
          - name: inv_category
            overwrite: true
            type: keyword
            description: This is used to capture investigation category
          - name: inv_context
            overwrite: true
            type: keyword
            description: This is used to capture investigation context
          - name: ioc
            overwrite: true
            type: keyword
            description: This key captures indicator of compromise
      - name: counters
        overwrite: true
        type: group
        fields:
          - name: dclass_c1
            overwrite: true
            type: long
            description: This is a generic counter key that should be used with the label dclass.c1.str only
          - name: dclass_c2
            overwrite: true
            type: long
            description: This is a generic counter key that should be used with the label dclass.c2.str only
          - name: event_counter
            overwrite: true
            type: long
            description: This is used to capture the number of times an event repeated
          - name: dclass_r1
            overwrite: true
            type: keyword
            description: This is a generic ratio key that should be used with the label dclass.r1.str only
          - name: dclass_c3
            overwrite: true
            type: long
            description: This is a generic counter key that should be used with the label dclass.c3.str only
          - name: dclass_c1_str
            overwrite: true
            type: keyword
            description: This is a generic counter string key that should be used with the label dclass.c1 only
          - name: dclass_c2_str
            overwrite: true
            type: keyword
            description: This is a generic counter string key that should be used with the label dclass.c2 only
          - name: dclass_r1_str
            overwrite: true
            type: keyword
            description: This is a generic ratio string key that should be used with the label dclass.r1 only
          - name: dclass_r2
            overwrite: true
            type: keyword
            description: This is a generic ratio key that should be used with the label dclass.r2.str only
          - name: dclass_c3_str
            overwrite: true
            type: keyword
            description: This is a generic counter string key that should be used with the label dclass.c3 only
          - name: dclass_r3
            overwrite: true
            type: keyword
            description: This is a generic ratio key that should be used with the label dclass.r3.str only
          - name: dclass_r2_str
            overwrite: true
            type: keyword
            description: This is a generic ratio string key that should be used with the label dclass.r2 only
          - name: dclass_r3_str
            overwrite: true
            type: keyword
            description: This is a generic ratio string key that should be used with the label dclass.r3 only
      - name: identity
        overwrite: true
        type: group
        fields:
          - name: auth_method
            overwrite: true
            type: keyword
            description: This key is used to capture authentication methods used only
          - name: user_role
            overwrite: true
            type: keyword
            description: This key is used to capture the Role of a user only
          - name: dn
            overwrite: true
            type: keyword
            description: X.500 (LDAP) Distinguished Name
          - name: logon_type
            overwrite: true
            type: keyword
            description: This key is used to capture the type of logon method used.
          - name: profile
            overwrite: true
            type: keyword
            description: This key is used to capture the user profile
          - name: accesses
            overwrite: true
            type: keyword
            description: This key is used to capture actual privileges used in accessing an object
          - name: realm
            overwrite: true
            type: keyword
            description: Radius realm or similar grouping of accounts
          - name: user_sid_dst
            overwrite: true
            type: keyword
            description: This key captures Destination User Session ID
          - name: dn_src
            overwrite: true
            type: keyword
            description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
          - name: org
            overwrite: true
            type: keyword
            description: This key captures the User organization
          - name: dn_dst
            overwrite: true
            type: keyword
            description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
          - name: firstname
            overwrite: true
            type: keyword
            description: This key is for First Names only; this is used for Healthcare predominantly to capture Patients information
          - name: lastname
            overwrite: true
            type: keyword
            description: This key is for Last Names only; this is used for Healthcare predominantly to capture Patients information
          - name: user_dept
            overwrite: true
            type: keyword
            description: User's Department Names only
          - name: user_sid_src
            overwrite: true
            type: keyword
            description: This key captures Source User Session ID
          - name: federated_sp
            overwrite: true
            type: keyword
            description: This key is the Federated Service Provider. This is the application requesting authentication.
          - name: federated_idp
            overwrite: true
            type: keyword
            description: This key is the federated Identity Provider. This is the server providing the authentication.
          - name: logon_type_desc
            overwrite: true
            type: keyword
            description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
          - name: middlename
            overwrite: true
            type: keyword
            description: This key is for Middle Names only; this is used for Healthcare predominantly to capture Patients information
          - name: password
            overwrite: true
            type: keyword
            description: This key is for Passwords seen in any session, plain text or encrypted
          - name: host_role
            overwrite: true
            type: keyword
            description: This key should only be used to capture the role of a Host Machine
          - name: ldap
            overwrite: true
            type: keyword
            description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
          - name: ldap_query
            overwrite: true
            type: keyword
            description: This key is the Search criteria from an LDAP search
          - name: ldap_response
            overwrite: true
            type: keyword
            description: This key is to capture Results from an LDAP search
          - name: owner
            overwrite: true
            type: keyword
            description: This is used to capture the username the process or service is running as, the author of the task
          - name: service_account
            overwrite: true
            type: keyword
            description: This key is a Windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
      - name: email
        overwrite: true
        type: group
        fields:
          - name: email_dst
            overwrite: true
            type: keyword
            description: This key is used to capture the Destination email address only; when the destination context is not clear use email
          - name: email_src
            overwrite: true
            type: keyword
            description: This key is used to capture the source email address only; when the source context is not clear use email
          - name: subject
            overwrite: true
            type: keyword
            description: This key is used to capture the subject string from an Email only.
          - name: email
            overwrite: true
            type: keyword
            description: This key is used to capture a generic email address where the source or destination context is not clear
          - name: trans_from
            overwrite: true
            type: keyword
            description: Deprecated key defined only in table map.
          - name: trans_to
            overwrite: true
            type: keyword
            description: Deprecated key defined only in table map.
      - name: file
        overwrite: true
        type: group
        fields:
          - name: privilege
            overwrite: true
            type: keyword
            description: Deprecated, use permissions
          - name: attachment
            overwrite: true
            type: keyword
            description: This key captures the attachment file name
          - name: filesystem
            overwrite: true
            type: keyword
          - name: binary
            overwrite: true
            type: keyword
            description: Deprecated key defined only in table map.
          - name: filename_dst
            overwrite: true
            type: keyword
            description: This is used to capture the name of the file targeted by the action
          - name: filename_src
            overwrite: true
            type: keyword
            description: This is used to capture the name of the parent filename, the file which performed the action
          - name: filename_tmp
            overwrite: true
            type: keyword
          - name: directory_dst
            overwrite: true
            type: keyword
            description: This key is used to capture the directory of the target process or file
          - name: directory_src
            overwrite: true
            type: keyword
            description: This key is used to capture the directory of the source process or file
          - name: file_entropy
            overwrite: true
            type: double
            description: This is used to capture the entropy value of a file
          - name: file_vendor
            overwrite: true
            type: keyword
            description: This is used to capture the Company name of a file located in version_info
          - name: task_name
            overwrite: true
            type: keyword
            description: This is used to capture the name of the task
      - name: web
        overwrite: true
        type: group
        fields:
          - name: fqdn
            overwrite: true
            type: keyword
            description: Fully Qualified Domain Names
          - name: web_cookie
            overwrite: true
            type: keyword
            description: This key is used to capture the Web cookies specifically.
          - name: alias_host
            overwrite: true
            type: keyword
          - name: reputation_num
            overwrite: true
            type: double
            description: Reputation Number of an entity. Typically used for Web Domains
          - name: web_ref_domain
            overwrite: true
            type: keyword
            description: Web referer's domain
          - name: web_ref_query
            overwrite: true
            type: keyword
            description: This key captures the Web referer's query portion of the URL
          - name: remote_domain
            overwrite: true
            type: keyword
          - name: web_ref_page
            overwrite: true
            type: keyword
            description: This key captures the Web referer's page information
          - name: web_ref_root
            overwrite: true
            type: keyword
            description: Web referer's root URL path
          - name: cn_asn_dst
            overwrite: true
            type: keyword
          - name: cn_rpackets
            overwrite: true
            type: keyword
          - name: urlpage
            overwrite: true
            type: keyword
          - name: urlroot
            overwrite: true
            type: keyword
          - name: p_url
            overwrite: true
            type: keyword
          - name: p_user_agent
            overwrite: true
            type: keyword
          - name: p_web_cookie
            overwrite: true
            type: keyword
          - name: p_web_method
            overwrite: true
            type: keyword
          - name: p_web_referer
            overwrite: true
            type: keyword
          - name: web_extension_tmp
            overwrite: true
            type: keyword
          - name: web_page
            overwrite: true
            type: keyword
      - name: threat
        overwrite: true
        type: group
        fields:
          - name: threat_category
            overwrite: true
            type: keyword
            description: This key captures Threat Name/Threat Category/Categorization of alert
          - name: threat_desc
            overwrite: true
            type: keyword
            description: This key is used to capture the threat description from the session directly or inferred
          - name: alert
            overwrite: true
            type: keyword
            description: This key is used to capture the name of the alert
          - name: threat_source
            overwrite: true
            type: keyword
            description: This key is used to capture the source of the threat
      - name: crypto
        overwrite: true
        type: group
        fields:
          - name: crypto
            overwrite: true
            type: keyword
            description: This key is used to capture the Encryption Type or Encryption Key only
          - name: cipher_src
            overwrite: true
            type: keyword
            description: This key is for Source (Client) Cipher
          - name: cert_subject
            overwrite: true
            type: keyword
            description: This key is used to capture the Certificate organization only
          - name: peer
            overwrite: true
            type: keyword
            description: This key is for Encryption peer's IP Address
          - name: cipher_size_src
            overwrite: true
            type: long
            description: This key captures Source (Client) Cipher Size
          - name: ike
            overwrite: true
            type: keyword
            description: IKE negotiation phase.
          - name: scheme
            overwrite: true
            type: keyword
            description: This key captures the Encryption scheme used
          - name: peer_id
            overwrite: true
            type: keyword
            description: "This key is for Encryption peer\u2019s identity"
          - name: sig_type
            overwrite: true
            type: keyword
            description: This key captures the Signature Type
          - name: cert_issuer
            overwrite: true
            type: keyword
          - name: cert_host_name
            overwrite: true
            type: keyword
            description: Deprecated key defined only in table map.
          - name: cert_error
            overwrite: true
            type: keyword
            description: This key captures the Certificate Error String
          - name: cipher_dst
            overwrite: true
            type: keyword
            description: This key is for Destination (Server) Cipher
          - name: cipher_size_dst
            overwrite: true
            type: long
            description: This key captures Destination (Server) Cipher Size
          - name: ssl_ver_src
            overwrite: true
            type: keyword
            description: Deprecated, use version
          - name: d_certauth
            overwrite: true
            type: keyword
          - name: s_certauth
            overwrite: true
            type: keyword
          - name: ike_cookie1
            overwrite: true
            type: keyword
            description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
          - name: ike_cookie2
            overwrite: true
            type: keyword
            description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
          - name: cert_checksum
            overwrite: true
            type: keyword
          - name: cert_host_cat
            overwrite: true
            type: keyword
            description: This key is used for the hostname category value of a certificate
          - name: cert_serial
            overwrite: true
            type: keyword
            description: This key is used to capture the Certificate serial number only
          - name: cert_status
            overwrite: true
            type: keyword
            description: This key captures Certificate validation status
          - name: ssl_ver_dst
            overwrite: true
            type: keyword
            description: Deprecated, use version
          - name: cert_keysize
            overwrite: true
            type: keyword
          - name: cert_username
            overwrite: true
            type: keyword
          - name: https_insact
            overwrite: true
            type: keyword
          - name: https_valid
            overwrite: true
            type: keyword
          - name: cert_ca
            overwrite: true
            type: keyword
            description: This key is used to capture the Certificate signing authority only
          - name: cert_common
            overwrite: true
            type: keyword
            description: This key is used to capture the Certificate common name only
      - name: wireless
        overwrite: true
        type: group
        fields:
          - name: wlan_ssid
            overwrite: true
            type: keyword
            description: This key is used to capture the ssid of a Wireless Session
          - name: access_point
            overwrite: true
            type: keyword
            description: This key is used to capture the access point name.
          - name: wlan_channel
            overwrite: true
            type: long
            description: This is used to capture the channel names
          - name: wlan_name
            overwrite: true
            type: keyword
            description: This key captures either WLAN number/name
      - name: storage
        overwrite: true
        type: group
        fields:
          - name: disk_volume
            overwrite: true
            type: keyword
            description: A unique name assigned to logical units (volumes) within a physical disk
          - name: lun
            overwrite: true
            type: keyword
            description: Logical Unit Number. This key is a very useful concept in Storage.
          - name: pwwn
            overwrite: true
            type: keyword
            description: This uniquely identifies a port on a HBA.
      - name: physical
        overwrite: true
        type: group
        fields:
          - name: org_dst
            overwrite: true
            type: keyword
            description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
          - name: org_src
            overwrite: true
            type: keyword
            description: This is used to capture the source organization based on the GEOPIP Maxmind database.
      - name: healthcare
        overwrite: true
        type: group
        fields:
          - name: patient_fname
            overwrite: true
            type: keyword
            description: This key is for First Names only; this is used for Healthcare predominantly to capture Patients information
          - name: patient_id
            overwrite: true
            type: keyword
            description: This key captures the unique ID for a patient
          - name: patient_lname
            overwrite: true
            type: keyword
            description: This key is for Last Names only; this is used for Healthcare predominantly to capture Patients information
          - name: patient_mname
            overwrite: true
            type: keyword
            description: This key is for Middle Names only; this is used for Healthcare predominantly to capture Patients information
      - name: endpoint
        overwrite: true
        type: group
        fields:
          - name: host_state
            overwrite: true
            type: keyword
            description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
          - name: registry_key
            overwrite: true
            type: keyword
            description: This key captures the path to the registry key
          - name: registry_value
            overwrite: true
            type: keyword
            description: This key captures values or decorators used within a registry entry
- key: suricata
  title: Suricata
  description: >
    Module for handling the EVE JSON logs produced by Suricata.
  fields:
    - name: suricata
      type: group
      description: >
        Fields from the Suricata EVE log file.
      fields:
        - name: eve
          type: group
          description: >
            Fields exported by the EVE JSON logs
          fields:
            - name: event_type
              type: keyword
            - name: app_proto_orig
              type: keyword
            - name: tcp
              type: group
              fields:
                - name: tcp_flags
                  type: keyword
                - name: psh
                  type: boolean
                - name: tcp_flags_tc
                  type: keyword
                - name: ack
                  type: boolean
                - name: syn
                  type: boolean
                - name: state
                  type: keyword
                - name: tcp_flags_ts
                  type: keyword
                - name: rst
                  type: boolean
                - name: fin
                  type: boolean
            - name: fileinfo
              type: group
              fields:
                - name: sha1
                  type: keyword
                - name: tx_id
                  type: long
                - name: state
                  type: keyword
                - name: stored
                  type: boolean
                - name: gaps
                  type: boolean
                - name: sha256
                  type: keyword
                - name: md5
                  type: keyword
            - name: icmp_type
              type: long
            - name: pcap_cnt
              type: long
            - name: dns
              type: group
              fields:
                - name: type
                  type: keyword
                - name: rrtype
                  type: keyword
                - name: rrname
                  type: keyword
                - name: rdata
                  type: keyword
                - name: tx_id
                  type: long
                - name: ttl
                  type: long
                - name: rcode
                  type: keyword
                - name: id
                  type: long
            - name: flow_id
              type: keyword
            - name: email
              type: group
              fields:
                - name: status
                  type: keyword
            - name: icmp_code
              type: long
            - name: http
              type: group
              fields:
                - name: redirect
                  type: keyword
                - name: protocol
                  type: keyword
                - name: http_content_type
                  type: keyword
            - name: in_iface
              type: keyword
            - name: alert
              type: group
              fields:
                - name: metadata
                  type: flattened
                  description: Metadata about the alert.
                - name: category
                  type: keyword
                - name: rev
                  type: long
                - name: gid
                  type: long
                - name: signature
                  type: keyword
                - name: signature_id
                  type: long
                - name: protocols
                  type: keyword
                - name: attack_target
                  type: keyword
                - name: capec_id
                  type: keyword
                - name: cwe_id
                  type: keyword
                - name: malware
                  type: keyword
                - name: cve
                  type: keyword
                - name: cvss_v2_base
                  type: keyword
                - name: cvss_v2_temporal
                  type: keyword
                - name: cvss_v3_base
                  type: keyword
                - name: cvss_v3_temporal
                  type: keyword
                - name: priority
                  type: keyword
                - name: hostile
                  type: keyword
                - name: infected
                  type: keyword
                - name: created_at
                  type: date
                - name: updated_at
                  type: date
                - name: classtype
                  type: keyword
                - name: rule_source
                  type: keyword
                - name: sid
                  type: keyword
                - name: affected_product
                  type: keyword
                - name: deployment
                  type: keyword
                - name: former_category
                  type: keyword
                - name: mitre_tool_id
                  type: keyword
                - name: performance_impact
                  type: keyword
                - name: signature_severity
                  type: keyword
                - name: tag
                  type: keyword
            - name: ssh
              type: group
              fields:
                - name: client
                  type: group
                  fields:
                    - name: proto_version
                      type: keyword
                    - name: software_version
                      type: keyword
                - name: server
                  type: group
                  fields:
                    - name: proto_version
                      type: keyword
                    - name: software_version
                      type: keyword
            - name: stats
              type: group
              fields:
                - name: capture
                  type: group
                  fields:
                    - name: kernel_packets
                      type: long
                    - name: kernel_drops
                      type: long
                    - name: kernel_ifdrops
                      type: long
                - name: uptime
                  type: long
                - name: detect
                  type: group
                  fields:
                    - name: alert
                      type: long
                - name: http
                  type: group
                  fields:
                    - name: memcap
                      type: long
                    - name: memuse
                      type: long
                - name: file_store
                  type: group
                  fields:
                    - name: open_files
                      type: long
                - name: defrag
                  type: group
                  fields:
                    - name: max_frag_hits
                      type: long
                    - name: ipv4
                      type: group
                      fields:
                        - name: timeouts
                          type: long
                        - name: fragments
                          type: long
                        - name: reassembled
                          type: long
                    - name: ipv6
                      type: group
                      fields:
                        - name: timeouts
                          type: long
                        - name: fragments
                          type: long
                        - name: reassembled
                          type: long
                - name: flow
                  type: group
                  fields:
                    - name: tcp_reuse
                      type:
long - name: udp type: long - name: memcap type: long - name: emerg_mode_entered type: long - name: emerg_mode_over type: long - name: tcp type: long - name: icmpv6 type: long - name: icmpv4 type: long - name: spare type: long - name: memuse type: long - name: tcp type: group fields: - name: pseudo_failed type: long - name: ssn_memcap_drop type: long - name: insert_data_overlap_fail type: long - name: sessions type: long - name: pseudo type: long - name: synack type: long - name: insert_data_normal_fail type: long - name: syn type: long - name: memuse type: long - name: invalid_checksum type: long - name: segment_memcap_drop type: long - name: overlap type: long - name: insert_list_fail type: long - name: rst type: long - name: stream_depth_reached type: long - name: reassembly_memuse type: long - name: reassembly_gap type: long - name: overlap_diff_data type: long - name: no_flow type: long - name: decoder type: group fields: - name: avg_pkt_size type: long - name: bytes type: long - name: tcp type: long - name: raw type: long - name: ppp type: long - name: vlan_qinq type: long - name: 'null' type: long - name: ltnull type: group fields: - name: unsupported_type type: long - name: pkt_too_small type: long - name: invalid type: long - name: gre type: long - name: ipv4 type: long - name: ipv6 type: long - name: pkts type: long - name: ipv6_in_ipv6 type: long - name: ipraw type: group fields: - name: invalid_ip_version type: long - name: pppoe type: long - name: udp type: long - name: dce type: group fields: - name: pkt_too_small type: long - name: vlan type: long - name: sctp type: long - name: max_pkt_size type: long - name: teredo type: long - name: mpls type: long - name: sll type: long - name: icmpv6 type: long - name: icmpv4 type: long - name: erspan type: long - name: ethernet type: long - name: ipv4_in_ipv6 type: long - name: ieee8021ah type: long - name: dns type: group fields: - name: memcap_global type: long - name: memcap_state type: long - name: memuse 
type: long - name: flow_mgr type: group fields: - name: rows_busy type: long - name: flows_timeout type: long - name: flows_notimeout type: long - name: rows_skipped type: long - name: closed_pruned type: long - name: new_pruned type: long - name: flows_removed type: long - name: bypassed_pruned type: long - name: est_pruned type: long - name: flows_timeout_inuse type: long - name: flows_checked type: long - name: rows_maxlen type: long - name: rows_checked type: long - name: rows_empty type: long - name: app_layer type: group fields: - name: flow type: group fields: - name: tls type: long - name: ftp type: long - name: http type: long - name: failed_udp type: long - name: dns_udp type: long - name: dns_tcp type: long - name: smtp type: long - name: failed_tcp type: long - name: msn type: long - name: ssh type: long - name: imap type: long - name: dcerpc_udp type: long - name: dcerpc_tcp type: long - name: smb type: long - name: tx type: group fields: - name: tls type: long - name: ftp type: long - name: http type: long - name: dns_udp type: long - name: dns_tcp type: long - name: smtp type: long - name: ssh type: long - name: dcerpc_udp type: long - name: dcerpc_tcp type: long - name: smb type: long - name: tls type: group fields: - name: notbefore type: date - name: issuerdn type: keyword - name: sni type: keyword - name: version type: keyword - name: session_resumed type: boolean - name: fingerprint type: keyword - name: serial type: keyword - name: notafter type: date - name: subject type: keyword - name: ja3s type: group default_field: false fields: - name: string type: keyword - name: hash type: keyword - name: ja3 type: group default_field: false fields: - name: string type: keyword - name: hash type: keyword - name: app_proto_ts type: keyword - name: flow type: group fields: - name: age type: long - name: state type: keyword - name: reason type: keyword - name: alerted type: boolean - name: tx_id type: long - name: app_proto_tc type: keyword - name: smtp 
type: group fields: - name: rcpt_to type: keyword - name: mail_from type: keyword - name: helo type: keyword - name: app_proto_expected type: keyword - name: flags type: group fields: - key: threatintel title: threatintel release: beta description: > Threat intelligence Filebeat Module. fields: - name: threatintel default_field: false type: group description: > Fields from the threatintel Filebeat module. fields: - name: indicator.first_seen type: date description: > The date and time when the intelligence source first reported sighting this indicator. - name: indicator.last_seen type: date description: > The date and time when the intelligence source last reported sighting this indicator. - name: indicator.sightings type: long description: > Number of times this indicator was observed conducting threat activity. - name: indicator.type type: keyword description: > Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * process * software * url * user-account * windows-registry-key * x-509-certificate - name: indicator.description type: keyword description: > Describes the type of action conducted by the threat. - name: indicator.scanner_stats type: long description: > Count of AV/EDR vendors that successfully detected the malicious file or URL. - name: indicator.provider type: keyword description: > Identifies the name of the intelligence provider. - name: indicator.confidence type: keyword description: > Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values * Not Specified, None, Low, Medium, High * 0-10 * Admiralty Scale (1-6) * DNI Scale (5-95) * WEP Scale (Impossible - Certain) - name: indicator.module type: keyword description: > Identifies the name of the specific module this data is coming from.
- name: indicator.dataset type: keyword description: > Identifies the name of specific dataset from the intelligence source. - name: indicator.reference type: keyword description: > Reference URL linking to additional information about this indicator. - name: indicator.ip type: ip description: > Identifies a threat indicator as an IP address (irrespective of direction). - name: indicator.port type: long description: > Identifies a threat indicator as a port number (irrespective of direction). - name: indicator.email.address type: keyword description: > Identifies a threat indicator as an email address (irrespective of direction). - name: indicator.marking.tlp type: keyword description: > Traffic Light Protocol sharing markings. Expected values are: * White * Green * Amber * Red - name: indicator.matched type: group fields: - name: atomic type: keyword description: > Identifies the atomic indicator that matched a local environment endpoint or network event. - name: field type: keyword description: > Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - name: type type: keyword description: > Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - name: indicator.as type: group fields: - name: number type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - name: organization.name type: keyword ignore_above: 1024 multi_fields: - name: text type: text norms: false description: Organization name. example: Google LLC - name: indicator.registry type: group fields: - name: data.strings type: keyword ignore_above: 1024 description: > Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). example: '["C:\rta\red_ttp\bin\myapp.exe"]' - name: path type: keyword ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - name: value type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger - name: key type: keyword ignore_above: 1024 description: Registry key value - name: indicator.geo type: group fields: - name: city_name type: keyword ignore_above: 1024 description: City name. example: Montreal - name: continent_name type: keyword ignore_above: 1024 description: Name of the continent. example: North America - name: country_iso_code type: keyword ignore_above: 1024 description: Country ISO code. example: CA - name: country_name type: keyword ignore_above: 1024 description: Country name. example: Canada - name: location type: geo_point description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: region_iso_code type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC - name: region_name type: keyword ignore_above: 1024 description: Region name. example: Quebec - name: indicator.file.pe.imphash type: keyword ignore_above: 1024 description: "A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." 
example: 0c6803c4e922103c4dca5963aad36ddf - name: indicator.file type: group fields: - name: hash type: group fields: - name: tlsh type: keyword description: > The file's tlsh hash, if available. - name: ssdeep type: keyword description: > The file's ssdeep hash, if available. - name: md5 type: keyword description: > The file's md5 hash, if available. - name: sha1 type: keyword description: > The file's sha1 hash, if available. - name: sha256 type: keyword description: > The file's sha256 hash, if available. - name: sha384 type: keyword description: > The file's sha384 hash, if available. - name: sha512 type: keyword description: > The file's sha512 hash, if available. - name: type type: keyword ignore_above: 1024 description: > The file type. - name: size type: long description: > The file's total size. - name: name type: keyword description: > The file's name. - name: extension type: keyword description: > The file's extension. - name: mime_type type: keyword description: > The file's MIME type. - name: indicator.url type: group fields: - name: domain type: keyword description: > Domain of the url, such as "www.elastic.co". - name: extension type: keyword ignore_above: 1024 description: > The field contains the file extension from the original request. - name: fragment type: keyword ignore_above: 1024 description: > Portion of the url after the `#`, such as "top". - name: full type: keyword description: > If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - name: original type: keyword description: > Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. - name: password type: keyword ignore_above: 1024 description: > Password of the request.
- name: path type: keyword description: > Path of the request, such as "/search". - name: port type: long format: string description: > Port of the request, such as 443. - name: query type: keyword ignore_above: 1024 description: > The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: registered_domain type: keyword description: > The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: scheme type: keyword ignore_above: 1024 description: > Scheme of the request, such as "https". - name: subdomain type: keyword ignore_above: 1024 description: > The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: top_level_domain type: keyword ignore_above: 1024 description: > The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: username type: keyword ignore_above: 1024 description: > Username of the request. - name: indicator.x509 type: group fields: - name: serial_number type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - name: issuer type: keyword ignore_above: 1024 description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - name: subject type: keyword ignore_above: 1024 description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - name: alternative_names type: keyword ignore_above: 1024 description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: "*.elastic.co" - name: indicator.signature type: keyword description: > Malware family of sample (if available). - name: abusemalware type: group description: > Fields for AbuseCH Malware Threat Intel fields: - name: file_type type: keyword description: > File type guessed by URLhaus. - name: signature type: keyword description: > Malware family. - name: urlhaus_download type: keyword description: > Location (URL) where you can download a copy of this file. - name: virustotal.result type: keyword description: > AV detection ratio.
- name: virustotal.percent type: float description: > AV detection in percent. - name: virustotal.link type: keyword description: > Link to the Virustotal report. - name: abuseurl type: group description: > Fields for AbuseCH Malware Threat Intel fields: - name: id type: keyword description: > The ID of the url. - name: urlhaus_reference type: keyword description: > Link to URLhaus entry. - name: url_status type: keyword description: > The current status of the URL. Possible values are: online, offline and unknown. - name: threat type: keyword description: > The threat corresponding to this malware URL. - name: blacklists.surbl type: keyword description: > SURBL blacklist status. Possible values are: listed and not_listed - name: blacklists.spamhaus_dbl type: keyword description: > Spamhaus DBL blacklist status. - name: reporter type: keyword description: > The Twitter handle of the reporter that has reported this malware URL (or anonymous). - name: larted type: boolean description: > Indicates whether the malware URL has been reported to the hosting provider (true or false) - name: tags type: keyword description: > A list of tags associated with the queried malware URL - name: anomali type: group description: > Fields for Anomali Threat Intel fields: - name: id type: keyword description: > The ID of the indicator. - name: name type: keyword description: > The name of the indicator. - name: pattern type: keyword description: > The pattern ID of the indicator. - name: valid_from type: date description: > When the indicator was first found or is considered valid. - name: modified type: date description: > When the indicator was last modified - name: labels type: keyword description: > The labels related to the indicator - name: indicator type: keyword description: > The value of the indicator, for example if the type is domain, this would be the value. - name: description type: keyword description: > A description of the indicator. 
- name: title type: keyword description: > Title describing the indicator. - name: content type: keyword description: > Extra text or descriptive content related to the indicator. - name: type type: keyword description: > The indicator type, can for example be "domain, email, FileHash-SHA256". - name: object_marking_refs type: keyword description: > The STIX reference object. - name: anomalithreatstream type: group description: > Fields for Anomali ThreatStream default_field: false fields: - name: classification type: keyword description: > Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. example: private - name: confidence type: short description: > The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. - name: detail2 type: text description: > Detail text for indicator. example: Imported by user 42. - name: id type: keyword description: > The ID of the indicator. - name: import_session_id type: keyword description: > ID of the import session that created the indicator on ThreatStream. - name: itype type: keyword description: > Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". - name: maltype type: wildcard description: > Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. - name: md5 type: keyword description: > Hash for the indicator. - name: resource_uri type: keyword description: > Relative URI for the indicator details. - name: severity type: keyword description: > Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. 
- name: source type: keyword description: > Source for the indicator. example: Analyst - name: source_feed_id type: keyword description: > ID for the integrator source. - name: state type: keyword description: > State for this indicator. example: active - name: trusted_circle_ids type: keyword description: > ID of the trusted circle that imported the indicator. - name: update_id type: keyword description: > Update ID. - name: url type: keyword description: > URL for the indicator. - name: value_type type: keyword description: > Data type of the indicator. Possible values: ip, domain, url, email, md5. - name: malwarebazaar type: group description: > Fields for Malware Bazaar Threat Intel fields: - name: file_type type: keyword description: > File type guessed by Malware Bazaar. - name: signature type: keyword description: > Malware family. - name: tags type: keyword description: > A list of tags associated with the queried malware sample. - name: intelligence type: group fields: - name: downloads type: long description: > Number of downloads from MalwareBazaar. - name: uploads type: long description: > Number of uploads from MalwareBazaar. - name: mail type: group fields: - name: Generic type: keyword description: > Malware seen in generic spam traffic. - name: IT type: keyword description: > Malware seen in IT spam traffic. - name: anonymous type: long description: > Identifies if the sample was submitted anonymously. - name: code_sign type: keyword description: > Code signing information for the sample. - name: misp type: group description: > Fields for MISP Threat Intel fields: - name: id type: keyword description: > Attribute ID. - name: orgc_id type: keyword description: > Organization Community ID of the event. - name: org_id type: keyword description: > Organization ID of the event. - name: threat_level_id type: long description: > Threat level from 5 to 1, where 1 is the most critical.
- name: info type: keyword description: > Additional text or information related to the event. - name: published type: boolean description: > When the event was published. - name: uuid type: keyword description: > The UUID of the event object. - name: date type: date description: > The date of when the event object was created. - name: attribute_count type: long description: > How many attributes are included in a single event object. - name: timestamp type: date description: > The timestamp of when the event object was created. - name: distribution type: keyword description: > Distribution type related to MISP. - name: proposal_email_lock type: boolean description: > Settings configured on MISP for email lock on this event object. - name: locked type: boolean description: > If the current MISP event object is locked or not. - name: publish_timestamp type: date description: > At what time the event object was published - name: sharing_group_id type: keyword description: > The ID of the grouped events or sources of the event. - name: disable_correlation type: boolean description: > If correlation is disabled on the MISP event object. - name: extends_uuid type: keyword description: > The UUID of the event object it might extend. - name: org.id type: keyword description: > The organization ID related to the event object. - name: org.name type: keyword description: > The organization name related to the event object. - name: org.uuid type: keyword description: > The UUID of the organization related to the event object. - name: org.local type: boolean description: > If the event object is local or from a remote source. - name: orgc.id type: keyword description: > The Organization Community ID in which the event object was reported from. - name: orgc.name type: keyword description: > The Organization Community name in which the event object was reported from. 
- name: orgc.uuid type: keyword description: > The Organization Community UUID in which the event object was reported from. - name: orgc.local type: boolean description: > If the Organization Community was local or synced from a remote source. - name: attribute.id type: keyword description: > The ID of the attribute related to the event object. - name: attribute.type type: keyword description: > The type of the attribute related to the event object. For example email, ipv4, sha1 and such. - name: attribute.category type: keyword description: > The category of the attribute related to the event object. For example "Network Activity". - name: attribute.to_ids type: boolean description: > If the attribute should be automatically synced with an IDS. - name: attribute.uuid type: keyword description: > The UUID of the attribute related to the event. - name: attribute.event_id type: keyword description: > The local event ID of the attribute related to the event. - name: attribute.distribution type: long description: > How the attribute has been distributed, represented by integer numbers. - name: attribute.timestamp type: date description: > The timestamp in which the attribute was attached to the event object. - name: attribute.comment type: keyword description: > Comments made to the attribute itself. - name: attribute.sharing_group_id type: keyword description: > The group ID of the sharing group related to the specific attribute. - name: attribute.deleted type: boolean description: > If the attribute has been removed from the event object. - name: attribute.disable_correlation type: boolean description: > If correlation has been enabled on the attribute related to the event object. - name: attribute.object_id type: keyword description: > The ID of the Object in which the attribute is attached. - name: attribute.object_relation type: keyword description: > The type of relation the attribute has with the event object itself. 
- name: attribute.value type: keyword description: > The value of the attribute, depending on the type like "url, sha1, email-src". - name: otx type: group description: > Fields for OTX Threat Intel fields: - name: id type: keyword description: > The ID of the indicator. - name: indicator type: keyword description: > The value of the indicator, for example if the type is domain, this would be the value. - name: description type: keyword description: > A description of the indicator. - name: title type: keyword description: > Title describing the indicator. - name: content type: keyword description: > Extra text or descriptive content related to the indicator. - name: type type: keyword description: > The indicator type, can for example be "domain, email, FileHash-SHA256". - name: recordedfuture type: group default_field: false description: > Fields for Recorded Future Threat Intel fields: - name: entity type: group description: > Entity that represents a threat. fields: - name: id type: keyword description: > Entity ID. example: "ip:192.0.2.13" - name: name type: keyword description: > Entity name. Value for the entity. example: "192.0.2.13" - name: type type: keyword description: > Entity type. example: "IpAddress" - name: intelCard type: keyword description: > Link to the Recorded Future Intelligence Card for this indicator. - name: ip_range type: ip_range description: > Range of IPs for this indicator. example: '192.0.2.0/16' - name: risk type: group description: > Risk fields. fields: - name: criticality type: byte description: > Risk criticality (0-4). - name: criticalityLabel type: keyword description: > Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious. - name: evidenceDetails type: flattened description: > Risk's evidence details. - name: score type: short description: > Risk score (0-99). - name: riskString type: keyword description: > Number of Risk Rules observed as a factor of total number of rules.
      example: "1/54"
    - name: riskSummary
      type: keyword
      ignore_above: 1024
      description: >
        Risk summary.
      example: "1 of 54 Risk Rules currently observed."
      multi_fields:
        - name: text
          type: text
          norms: false
          default_field: false
    - name: rules
      type: long
      description: >
        Number of rules observed.
- key: tomcat
  title: Apache Tomcat
  description: >
    tomcat fields.
  fields:
    - name: network.interface.name
      overwrite: true
      type: keyword
      default_field: false
      description: >
        Name of the network interface where the traffic has been observed.
    - name: rsa
      overwrite: true
      type: group
      default_field: false
      fields:
        - name: internal
          overwrite: true
          type: group
          fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
        - name: time
          overwrite: true
          type: group
          fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
        - name: misc
          overwrite: true
          type: group
          fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the Version of the application or OS which is generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application, etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
        - name: db
          overwrite: true
          type: group
          fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
        - name: network
          overwrite: true
          type: group
          fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual LAN
        - name: investigations
          overwrite: true
          type: group
          fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicator of compromise
        - name: counters
          overwrite: true
          type: group
          fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the label dclass.r3 only
        - name: identity
          overwrite: true
          type: group
          fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage
        - name: email
          overwrite: true
          type: group
          fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only, when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
        - name: file
          overwrite: true
          type: group
          fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent filename, the file which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
        - name: web
          overwrite: true
          type: group
          fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
        - name: threat
          overwrite: true
          type: group
          fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
        - name: crypto
          overwrite: true
          type: group
          fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
        - name: wireless
          overwrite: true
          type: group
          fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
        - name: storage
          overwrite: true
          type: group
          fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
        - name: physical
          overwrite: true
          type: group
          fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP Maxmind database.
        - name: healthcare
          overwrite: true
          type: group
          fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
        - name: endpoint
          overwrite: true
          type: group
          fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: zeek
  title: Zeek
  description: >
    Module for handling logs produced by Zeek/Bro
  fields:
    - name: zeek
      type: group
      description: >
        Fields from Zeek/Bro logs after normalization
      fields:
        - name: session_id
          type: keyword
          description: >
            A unique identifier of the session
        - name: capture_loss
          type: group
          description: >
            Fields exported by the Zeek capture_loss log
          fields:
            - name: ts_delta
              type: integer
              description: |
                The time delay between this measurement and the last.
            - name: peer
              type: keyword
              description: |
                In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
            - name: gaps
              type: integer
              description: |
                Number of missed ACKs from the previous measurement interval.
            - name: acks
              type: integer
              description: |
                Total number of ACKs seen in the previous measurement interval.
            - name: percent_lost
              type: double
              description: |
                Percentage of ACKs seen where the data being ACKed wasn't seen.
        - name: connection
          type: group
          default_field: false
          description: >
            Fields exported by the Zeek Connection log
          fields:
            - name: local_orig
              type: boolean
              description: >
                Indicates whether the session is originated locally.
            - name: local_resp
              type: boolean
              description: >
                Indicates whether the session is responded locally.
            - name: missed_bytes
              type: long
              description: >
                Missed bytes for the session.
            - name: state
              type: keyword
              description: >
                Code indicating the state of the session.
            - name: state_message
              type: keyword
              description: >
                The state of the session.
            - name: icmp
              type: group
              fields:
                - name: type
                  type: integer
                  description: >
                    ICMP message type.
                - name: code
                  type: integer
                  description: >
                    ICMP message code.
            - name: history
              type: keyword
              description: >
                Flags indicating the history of the session.
            - name: vlan
              type: integer
              description: >
                VLAN identifier.
            - name: inner_vlan
              type: integer
              description: >
                VLAN identifier.
        - name: dce_rpc
          type: group
          default_field: false
          description: >
            Fields exported by the Zeek DCE_RPC log
          fields:
            - name: rtt
              type: integer
              description: |
                Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
            - name: named_pipe
              type: keyword
              description: |
                Remote pipe name.
            - name: endpoint
              type: keyword
              description: |
                Endpoint name looked up from the uuid.
            - name: operation
              type: keyword
              description: |
                Operation seen in the call.
        - name: dhcp
          type: group
          default_field: false
          description: >
            Fields exported by the Zeek DHCP log
          fields:
            - name: domain
              type: keyword
              description: >
                Domain given by the server in option 15.
            - name: duration
              type: double
              description: |
                Duration of the DHCP session representing the time from the first message to the last, in seconds.
- name: hostname type: keyword description: > Name given by client in Hostname option 12. - name: client_fqdn type: keyword description: > FQDN given by client in Client FQDN option 81. - name: lease_time type: integer description: > IP address lease interval in seconds. - name: address type: group description: > Addresses seen in this DHCP exchange. fields: - name: assigned type: ip description: > IP address assigned by the server. - name: client type: ip description: | IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. - name: mac type: keyword description: > Client's hardware address. - name: requested type: ip description: > IP address requested by the client. - name: server type: ip description: > IP address of the DHCP server. - name: msg type: group fields: - name: types type: keyword description: > List of DHCP message types seen in this exchange. - name: origin type: ip description: | (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. - name: client type: keyword description: | Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. - name: server type: keyword description: | Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. - name: software type: group fields: - name: client type: keyword description: | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. - name: server type: keyword description: | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the server in the vendor_class option.
- name: id type: group fields: - name: circuit type: keyword description: | (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. - name: remote_agent type: keyword description: | (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. - name: subscriber type: keyword description: | (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. - name: dnp3 type: group default_field: false description: > Fields exported by the Zeek DNP3 log fields: - name: function type: group fields: - name: request type: keyword description: | The name of the function message in the request. - name: reply type: keyword description: | The name of the function message in the reply. - name: id type: integer description: | The response's internal indication number. - name: dns type: group description: > Fields exported by the Zeek DNS log fields: - name: trans_id type: keyword description: > DNS transaction identifier. - name: rtt type: double description: > Round trip time for the query and response. - name: query type: keyword description: > The domain name that is the subject of the DNS query. - name: qclass type: long description: > The QCLASS value specifying the class of the query. - name: qclass_name type: keyword description: > A descriptive name for the class of the query. - name: qtype type: long description: > A QTYPE value specifying the type of the query. 
- name: qtype_name type: keyword description: > A descriptive name for the type of the query. - name: rcode type: long description: > The response code value in DNS response messages. - name: rcode_name type: keyword description: > A descriptive name for the response code value. - name: AA type: boolean description: | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. - name: TC type: boolean description: > The Truncation bit specifies that the message was truncated. - name: RD type: boolean description: | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. - name: RA type: boolean description: | The Recursion Available bit in a response message indicates that the name server supports recursive queries. - name: answers type: keyword description: > The set of resource descriptions in the query answer. - name: TTLs type: double description: > The caching intervals of the associated RRs described by the answers field. - name: rejected type: boolean description: > Indicates whether the DNS query was rejected by the server. - name: total_answers type: integer description: > The total number of resource records in the reply message's answer section. - name: total_replies type: integer description: > The total number of resource records in the reply message's answer, authority, and additional sections. - name: saw_query type: boolean description: > Whether the full DNS query has been seen. - name: saw_reply type: boolean description: > Whether the full DNS reply has been seen. - name: dpd type: group default_field: false description: > Fields exported by the Zeek DPD log fields: - name: analyzer type: keyword description: > The analyzer that generated the violation. - name: failure_reason type: keyword description: > The textual reason for the analysis failure.
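The zeek.dns group above is only useful if the values that land in it actually have the declared types (a `long` field that receives a boolean, or a `keyword` that receives an integer, rejects the whole bulk request at index time). The following mapper, an added example that is not part of the Beats module or of Zeek, reads Zeek's JSON-format dns.log, coerces each value to the schema type from the group above, drops unset placeholders, and reports the source keys the group has no field for. The two log records are constructed samples, and the session-id placement under `zeek.session_id` follows the zeek group's own `session_id` field; everything else about the real Filebeat pipeline (its ECS `source.*`/`destination.*` mapping of the `id.*` tuple, for instance) is outside this example.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed records in Zeek's JSON log format (LogAscii::use_json=T); not captured traffic.
# The second is an NXDOMAIN reply, so Zeek logs no answers/TTLs and measured no rtt.
SAMPLE_DNS_LOG = """\
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAdTeP","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"rtt":0.065757,"query":"example.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["93.184.216.34"],"TTLs":[3600.0],"rejected":false}
{"ts":1591368000.123456,"uid":"CZvQ6W1l7rk0Lk6Lx8","id.orig_h":"192.168.4.76","id.orig_p":51120,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":23001,"query":"nxdomain.invalid","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":3,"rcode_name":"NXDOMAIN","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"rejected":false}
"""

# zeek.dns field name -> Elasticsearch type, copied from the zeek.dns group of this fields file.
DNS_SCHEMA: Dict[str, str] = {
    "trans_id": "keyword", "rtt": "double", "query": "keyword",
    "qclass": "long", "qclass_name": "keyword",
    "qtype": "long", "qtype_name": "keyword",
    "rcode": "long", "rcode_name": "keyword",
    "AA": "boolean", "TC": "boolean", "RD": "boolean", "RA": "boolean",
    "answers": "keyword", "TTLs": "double", "rejected": "boolean",
    "total_answers": "integer", "total_replies": "integer",
    "saw_query": "boolean", "saw_reply": "boolean",
}

# Placeholders Zeek's TSV writer emits for unset/empty values; JSON output omits the field instead.
UNSET = {"-", "(empty)"}


def _is_unset(value: Any) -> bool:
    return value is None or (isinstance(value, str) and value in UNSET)


def coerce(value: Any, es_type: str) -> Any:
    """Convert one scalar to the Python type matching the Elasticsearch field type.

    Values that would be silently mis-typed (a bool where a long is expected, an
    unparseable boolean string) raise instead of producing a bad document."""
    if es_type == "boolean":
        if isinstance(value, bool):
            return value
        if value in ("T", "true"):      # Zeek's TSV spelling of booleans
            return True
        if value in ("F", "false"):
            return False
        raise ValueError(f"not a boolean: {value!r}")
    if es_type in ("long", "integer"):
        if isinstance(value, bool):
            raise ValueError(f"boolean given for numeric field: {value!r}")
        return int(value)
    if es_type == "double":
        return float(value)
    return str(value)                   # keyword


def map_dns_record(record: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Map one parsed dns.log record to {'zeek': {'session_id': uid, 'dns': {...}}}.

    Returns the mapped event plus the source keys the zeek.dns group has no
    field for (Zeek's 'Z' flag, the id.* tuple, proto), so nothing is dropped silently."""
    dns: Dict[str, Any] = {}
    unmapped: List[str] = []
    for key, value in record.items():
        if key in ("ts", "uid") or _is_unset(value):
            continue
        es_type = DNS_SCHEMA.get(key)
        if es_type is None:
            unmapped.append(key)
            continue
        if isinstance(value, list):
            dns[key] = [coerce(v, es_type) for v in value if not _is_unset(v)]
        else:
            dns[key] = coerce(value, es_type)
    event = {"zeek": {"session_id": record.get("uid"), "dns": dns}}
    return event, unmapped


def parse_dns_log(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON dns.log lines into mapped events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event, _unmapped = map_dns_record(json.loads(line))
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in parse_dns_log(SAMPLE_DNS_LOG):
        print(json.dumps(ev))
```

Note that `trans_id` comes out as the string `"8555"` because the group declares it `keyword`, while `qtype`, `qclass` and `rcode` stay integers (`long`); if you run this against a TSV dns.log instead, the `T`/`F` and `-` handling in `coerce` and `_is_unset` is what keeps the types consistent.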
- name: packet_segment type: keyword description: | (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation. - name: files type: group description: > Fields exported by the Zeek Files log. fields: - name: fuid type: keyword description: > A file unique identifier. - name: tx_host type: ip description: > The host that transferred the file. - name: rx_host type: ip description: > The host that received the file. - name: session_ids type: keyword description: > The sessions that have this file. - name: source type: keyword description: | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. - name: depth type: long description: | A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection. - name: analyzers type: keyword description: > A set of analysis types done during the file analysis. - name: mime_type type: keyword description: > Mime type of the file. - name: filename type: keyword description: > Name of the file if available. - name: local_orig type: boolean description: | If the source of this file is a network connection, this field indicates if the data originated from the local network or not. - name: is_orig type: boolean description: | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. - name: duration type: double description: > The duration the file was analyzed for. Not the duration of the session. - name: seen_bytes type: long description: > Number of bytes provided to the file analysis engine for the file. 
- name: total_bytes type: long description: > Total number of bytes that are supposed to comprise the full file. - name: missing_bytes type: long description: | The number of bytes in the file stream that were completely missed during the process of analysis. - name: overflow_bytes type: long description: | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. - name: timedout type: boolean description: > Whether the file analysis timed out at least once for the file. - name: parent_fuid type: keyword description: | Identifier associated with a container file from which this one was extracted as part of the file analysis. - name: md5 type: keyword description: > An MD5 digest of the file contents. - name: sha1 type: keyword description: > A SHA1 digest of the file contents. - name: sha256 type: keyword description: > A SHA256 digest of the file contents. - name: extracted type: keyword description: > Local filename of extracted file. - name: extracted_cutoff type: boolean description: > Indicates whether the file being extracted was cut off and hence not extracted completely. - name: extracted_size type: long description: > The number of bytes extracted to disk. - name: entropy type: double description: > The information density of the contents of the file. - name: ftp type: group default_field: false description: > Fields exported by the Zeek FTP log fields: - name: user type: keyword description: | User name for the current FTP session. - name: password type: keyword description: | Password for the current FTP session if captured. - name: command type: keyword description: | Command given by the client. - name: arg type: keyword description: | Argument for the command if one is given. - name: file type: group fields: - name: size type: long description: | Size of the file if the command indicates a file transfer.
- name: mime_type type: keyword description: | Sniffed mime type of file. - name: fuid type: keyword description: | (present if base/protocols/ftp/files.bro is loaded) File unique ID. - name: reply type: group fields: - name: code type: integer description: | Reply code from the server in response to the command. - name: msg type: keyword description: | Reply message from the server in response to the command. - name: data_channel type: group description: | Expected FTP data channel. fields: - name: passive type: boolean description: | Whether PASV mode is toggled for control channel. - name: originating_host type: ip description: | The host that will be initiating the data connection. - name: response_host type: ip description: | The host that will be accepting the data connection. - name: response_port type: integer description: | The port at which the acceptor is listening for the data connection. - name: cwd type: keyword description: | Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. - name: cmdarg type: group description: | Command that is currently waiting for a response. fields: - name: cmd type: keyword description: | Command. - name: arg type: keyword description: | Argument for the command if one was given. - name: seq type: integer description: | Counter to track how many commands have been executed. - name: pending_commands type: integer description: | Queue for commands that have been sent but not yet responded to are tracked here. - name: passive type: boolean description: | Indicates if the session is in active or passive mode. - name: capture_password type: boolean description: | Determines if the password will be captured for this request. - name: last_auth_requested type: keyword description: | present if base/protocols/ftp/gridftp.bro is loaded. 
Last authentication/security mechanism that was used. - name: http type: group description: > Fields exported by the Zeek HTTP log fields: - name: trans_depth type: integer description: > Represents the pipelined depth into the connection of this request/response transaction. - name: status_msg type: keyword description: > Status message returned by the server. - name: info_code type: integer description: > Last seen 1xx informational reply code returned by the server. - name: info_msg type: keyword description: > Last seen 1xx informational reply message returned by the server. - name: tags type: keyword description: | A set of indicators of various attributes discovered and related to a particular request/response pair. - name: password type: keyword description: > Password if basic-auth is performed for the request. - name: captured_password type: boolean description: > Determines if the password will be captured for this request. - name: proxied type: keyword description: > All of the headers that may indicate if the HTTP request was proxied. - name: range_request type: boolean description: > Indicates if this request can assume 206 partial content in response. - name: client_header_names type: keyword description: | The vector of HTTP header names sent by the client. No header values are included here, just the header names. - name: server_header_names type: keyword description: | The vector of HTTP header names sent by the server. No header values are included here, just the header names. - name: orig_fuids type: keyword description: > An ordered vector of file unique IDs from the originator. - name: orig_mime_types type: keyword description: > An ordered vector of mime types from the originator. - name: orig_filenames type: keyword description: > An ordered vector of filenames from the originator. - name: resp_fuids type: keyword description: > An ordered vector of file unique IDs from the responder. 
- name: resp_mime_types type: keyword description: > An ordered vector of mime types from the responder. - name: resp_filenames type: keyword description: > An ordered vector of filenames from the responder. - name: orig_mime_depth type: integer description: > Current number of MIME entities in the HTTP request message body. - name: resp_mime_depth type: integer description: > Current number of MIME entities in the HTTP response message body. - name: intel type: group default_field: false description: > Fields exported by the Zeek Intel log. fields: - name: seen type: group fields: - name: indicator type: keyword description: > The intelligence indicator. - name: indicator_type type: keyword description: > The type of data the indicator represents. - name: host type: keyword description: > If the indicator type was Intel::ADDR, then this field will be present. - name: conn type: keyword description: > If the data was discovered within a connection, the connection record should go here to give context to the data. - name: where type: keyword description: > Where the data was discovered. - name: node type: keyword description: > The name of the node where the match was discovered. - name: uid type: keyword description: > If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. - name: f type: object description: > If the data was discovered within a file, the file record should go here to provide context to the data. - name: fuid type: keyword description: > If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. - name: matched type: keyword description: > Event to represent a match in the intelligence data from data that was seen. - name: sources type: keyword description: > Sources which supplied data for this match. 
- name: fuid type: keyword description: > If a file was associated with this intelligence hit, this is the uid for the file. - name: file_mime_type type: keyword description: > A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. - name: file_desc type: keyword description: > Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. - name: irc type: group default_field: false description: > Fields exported by the Zeek IRC log fields: - name: nick type: keyword description: | Nickname given for the connection. - name: user type: keyword description: | Username given for the connection. - name: command type: keyword description: | Command given by the client. - name: value type: keyword description: | Value for the command given by the client. - name: addl type: keyword description: | Any additional data for the command. - name: dcc type: group fields: - name: file type: group fields: - name: name type: keyword description: | Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested. - name: size type: long description: | Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender. - name: mime_type type: keyword description: | present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file. - name: fuid type: keyword description: | present if base/protocols/irc/files.bro is loaded. File unique ID. - name: kerberos type: group default_field: false description: > Fields exported by the Zeek Kerberos log fields: - name: request_type type: keyword description: > Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - name: client type: keyword description: > Client name. - name: service type: keyword description: > Service name. - name: success type: boolean description: > Request result. 
- name: error type: group fields: - name: code type: integer description: > Error code. - name: msg type: keyword description: > Error message. - name: valid type: group fields: - name: from type: date description: > Ticket valid from. - name: until type: date description: > Ticket valid until. - name: days type: integer description: > Number of days the ticket is valid for. - name: cipher type: keyword description: > Ticket encryption type. - name: forwardable type: boolean description: > Forwardable ticket requested. - name: renewable type: boolean description: > Renewable ticket requested. - name: ticket type: group fields: - name: auth type: keyword description: > Hash of ticket used to authorize request/transaction. - name: new type: keyword description: > Hash of ticket returned by the KDC. - name: cert type: group fields: - name: client type: group fields: - name: value type: keyword description: > Client certificate. - name: fuid type: keyword description: > File unique ID of client cert. - name: subject type: keyword description: > Subject of client certificate. - name: server type: group fields: - name: value type: keyword description: > Server certificate. - name: fuid type: keyword description: > File unique ID of server certificate. - name: subject type: keyword description: > Subject of server certificate. - name: modbus type: group default_field: false description: > Fields exported by the Zeek modbus log. fields: - name: function type: keyword description: | The name of the function message that was sent. - name: exception type: keyword description: | The exception if the response was a failure. - name: track_address type: integer description: | Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address. - name: mysql type: group default_field: false description: > Fields exported by the Zeek MySQL log. fields: - name: cmd type: keyword description: | The command that was issued. 
- name: arg type: keyword description: | The argument issued to the command. - name: success type: boolean description: | Whether the command succeeded. - name: rows type: integer description: | The number of affected rows, if any. - name: response type: keyword description: | Server message, if any. - name: notice type: group description: > Fields exported by the Zeek Notice log. fields: - name: connection_id type: keyword description: > Identifier of the related connection session. - name: icmp_id type: keyword description: > Identifier of the related ICMP session. - name: file.id type: keyword description: > An identifier associated with a single file that is related to this notice. - name: file.parent_id type: keyword description: > Identifier associated with a container file from which this one was extracted. - name: file.source type: keyword description: | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. - name: file.mime_type type: keyword description: > A mime type if the notice is related to a file. - name: file.is_orig type: boolean description: | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. - name: file.seen_bytes type: long description: > Number of bytes provided to the file analysis engine for the file. - name: ffile.total_bytes type: long description: > Total number of bytes that are supposed to comprise the full file. - name: file.missing_bytes type: long description: | The number of bytes in the file stream that were completely missed during the process of analysis. - name: file.overflow_bytes type: long description: | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. 
- name: fuid type: keyword description: > A file unique ID if this notice is related to a file. - name: note type: keyword description: > The type of the notice. - name: msg type: keyword description: > The human readable message for the notice. - name: sub type: keyword description: > The human readable sub-message. - name: n type: long description: > Associated count, or a status code. - name: peer_name type: keyword description: > Name of remote peer that raised this notice. - name: peer_descr type: text description: > Textual description for the peer that raised this notice. - name: actions type: keyword description: > The actions which have been applied to this notice. - name: email_body_sections type: text description: | By adding chunks of text into this element, other scripts can expand on notices that are being emailed. - name: email_delay_tokens type: keyword description: | Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration. - name: identifier type: keyword description: > This field is provided when a notice is generated for the purpose of deduplicating notices. - name: suppress_for type: double description: > This field indicates the length of time that this unique notice should be suppressed. - name: dropped type: boolean description: > Indicates whether the source IP address was dropped and denied network access. - name: ntlm type: group default_field: false description: > Fields exported by the Zeek NTLM log. fields: - name: domain type: keyword description: > Domain name given by the client. - name: hostname type: keyword description: > Hostname given by the client. - name: success type: boolean description: > Indicate whether or not the authentication was successful. - name: username type: keyword description: > Username given by the client.
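The `identifier` and `suppress_for` fields of the notice group describe Zeek's notice deduplication: the first notice with a given (note, identifier) pair opens a window of `suppress_for` seconds, further notices with the same pair inside that window are suppressed, and the next one after the window expires is emitted and opens a new window. The following is an added example, not Zeek or Beats code, that applies that rule to already-logged JSON notice records, which is what you need when several Zeek workers or sensors feed one pipeline and each deduplicates only locally. The records are constructed; note also the assumption that `identifier` is present in the records (the schema lists it, but Zeek does not write it to notice.log by default, so in practice the key must be carried by your own notice policy or reconstructed from `note` plus `src`). A `suppress_for` of 0 disables suppression, as in Zeek, and the 1-hour fallback mirrors Zeek's default suppression interval.

```python
import json
from typing import Dict, List, Optional, Tuple

# Zeek's Notice::default_suppression_interval is 1 hour; used when a record carries no suppress_for.
DEFAULT_SUPPRESS_FOR = 3600.0

# Constructed notice.log records in JSON format (not real sensor output). The three
# Scan::Address_Scan notices share an identifier; the SSL notice carries none.
SAMPLE_NOTICE_LOG = """\
{"ts":1000.0,"note":"Scan::Address_Scan","msg":"192.168.4.76 scanned at least 25 unique hosts on port 445/tcp in 0m23s","sub":"local","src":"192.168.4.76","p":445,"peer_descr":"worker-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"identifier":"192.168.4.76","dropped":false}
{"ts":1200.0,"note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","sub":"CN=example.internal","src":"10.0.0.5","dst":"203.0.113.7","p":443,"peer_descr":"worker-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1500.0,"note":"Scan::Address_Scan","msg":"192.168.4.76 scanned at least 25 unique hosts on port 445/tcp in 0m41s","sub":"local","src":"192.168.4.76","p":445,"peer_descr":"worker-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"identifier":"192.168.4.76","dropped":false}
{"ts":5000.0,"note":"Scan::Address_Scan","msg":"192.168.4.76 scanned at least 25 unique hosts on port 445/tcp in 0m19s","sub":"local","src":"192.168.4.76","p":445,"peer_descr":"worker-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"identifier":"192.168.4.76","dropped":false}
"""


class NoticeSuppressor:
    """Per-(note, identifier) suppression window, as Zeek's notice framework applies it.

    Records are expected in timestamp order. Notices without an identifier are
    never deduplicated, because there is no key to deduplicate on."""

    def __init__(self) -> None:
        self._window_start: Dict[Tuple[str, str], float] = {}

    def should_emit(self, notice: dict) -> bool:
        identifier: Optional[str] = notice.get("identifier")
        if not identifier:
            return True
        key = (notice["note"], identifier)
        ts = float(notice["ts"])
        window = float(notice.get("suppress_for", DEFAULT_SUPPRESS_FOR))
        start = self._window_start.get(key)
        if start is not None and ts - start < window:
            return False                      # inside an open window: suppress
        self._window_start[key] = ts          # first sighting, or window expired: emit and (re)open
        return True


def dedupe_notice_log(text: str) -> List[Tuple[float, str]]:
    """Return the (ts, note) pairs that survive suppression, in input order."""
    suppressor = NoticeSuppressor()
    kept: List[Tuple[float, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        notice = json.loads(line)
        if suppressor.should_emit(notice):
            kept.append((float(notice["ts"]), notice["note"]))
    return kept


if __name__ == "__main__":
    for ts, note in dedupe_notice_log(SAMPLE_NOTICE_LOG):
        print(ts, note)
```

The scan notice at ts 1500 is dropped (500 s into a 3600 s window opened at ts 1000), the one at ts 5000 is kept and opens a new window, and the SSL notice passes through untouched because it has no identifier.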
- name: server type: group fields: - name: name type: group fields: - name: dns type: keyword description: > DNS name given by the server in a CHALLENGE. - name: netbios type: keyword description: > NetBIOS name given by the server in a CHALLENGE. - name: tree type: keyword description: > Tree name given by the server in a CHALLENGE. - name: ntp type: group default_field: false description: > Fields exported by the Zeek NTP log. fields: - name: version type: integer description: > The NTP version number (1, 2, 3, 4). - name: mode type: integer description: > The NTP mode being used. - name: stratum type: integer description: > The stratum (primary server, secondary server, etc.). - name: poll type: double description: > The maximum interval between successive messages in seconds. - name: precision type: double description: > The precision of the system clock in seconds. - name: root_delay type: double description: > Total round-trip delay to the reference clock in seconds. - name: root_disp type: double description: > Total dispersion to the reference clock in seconds. - name: ref_id type: keyword description: > For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock's IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). - name: ref_time type: date description: > Time when the system clock was last set or corrected. - name: org_time type: date description: > Time at the client when the request departed for the NTP server. - name: rec_time type: date description: > Time at the server when the request arrived from the NTP client. - name: xmt_time type: date description: > Time at the server when the response departed for the NTP client.
- name: num_exts type: integer description: > Number of extension fields (which are not currently parsed). - name: ocsp type: group default_field: false description: | Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. fields: - name: file_id type: keyword description: | File id of the OCSP reply. - name: hash type: group fields: - name: algorithm type: keyword description: | Hash algorithm used to generate issuerNameHash and issuerKeyHash. - name: issuer type: group fields: - name: name type: keyword description: | Hash of the issuer's distinguished name. - name: key type: keyword description: | Hash of the issuer's public key. - name: serial_number type: keyword description: | Serial number of the affected certificate. - name: status type: keyword description: | Status of the affected certificate. - name: revoke type: group fields: - name: time type: date description: | Time at which the certificate was revoked. - name: reason type: keyword description: | Reason for which the certificate was revoked. - name: update type: group fields: - name: this type: date description: | The time at which the status being shown is known to have been correct. - name: next type: date description: | The latest time at which new information about the status of the certificate will be available. - name: pe type: group default_field: false description: > Fields exported by the Zeek pe log. fields: - name: client type: keyword description: > The client's version string. - name: id type: keyword description: > File id of this portable executable file. - name: machine type: keyword description: > The target machine that the file was compiled for. - name: compile_time type: date description: > The time at which the file was created. - name: os type: keyword description: > The required operating system. - name: subsystem type: keyword description: > The subsystem that is required to run this file.
- name: is_exe type: boolean description: > Is the file an executable, or just an object file? - name: is_64bit type: boolean description: > Is the file a 64-bit executable? - name: uses_aslr type: boolean description: > Does the file support Address Space Layout Randomization? - name: uses_dep type: boolean description: > Does the file support Data Execution Prevention? - name: uses_code_integrity type: boolean description: > Does the file enforce code integrity checks? - name: uses_seh type: boolean description: > Does the file use structured exception handling? - name: has_import_table type: boolean description: > Does the file have an import table? - name: has_export_table type: boolean description: > Does the file have an export table? - name: has_cert_table type: boolean description: > Does the file have an attribute certificate table? - name: has_debug_data type: boolean description: > Does the file have a debug table? - name: section_names type: keyword description: > The names of the sections, in order. - name: radius type: group default_field: false description: > Fields exported by the Zeek Radius log. fields: - name: username type: keyword description: | The username, if present. - name: mac type: keyword description: | MAC address, if present. - name: framed_addr type: ip description: | The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - name: remote_ip type: ip description: | Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - name: connect_info type: keyword description: | Connect info, if present. - name: reply_msg type: keyword description: | Reply message from the server challenge. This is frequently shown to the user authenticating. - name: result type: keyword description: | Successful or failed authentication.
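The pe group records the PE header characteristics Zeek extracts from executables seen on the wire, which is enough to triage a download without having the file: an executable built without ASLR or DEP support, with no attribute certificate table, or with packer section names is worth a second look even before a hash lookup. The function below is an added example, not Zeek or Beats code, that turns those booleans and `section_names` into findings per file id. The records are constructed and already use the zeek.pe field names from the group above (the native Zeek log calls the compile timestamp `compile_ts`, which the module renames). The section-name allowlist and the finding labels are this example's own heuristic choices; an unusual section name means "not what MSVC/MinGW normally emit", not "malicious", and a missing certificate table only says the file is not embedded-signed (catalog-signed Windows binaries also have none).

```python
from typing import Dict, List

# Constructed zeek.pe records (not real sensor output). The second is a 32-bit, UPX-packed,
# unsigned console binary built without ASLR/DEP; the third is an object file, not an executable.
SAMPLE_PE_RECORDS: List[dict] = [
    {"id": "F1a2b3c4d5e6f7g8h9", "machine": "AMD64", "compile_time": "2020-02-05T23:10:10Z",
     "os": "Windows 7 or Server 2008 R2", "subsystem": "WINDOWS_GUI", "is_exe": True, "is_64bit": True,
     "uses_aslr": True, "uses_dep": True, "uses_code_integrity": False, "uses_seh": True,
     "has_import_table": True, "has_export_table": False, "has_cert_table": True, "has_debug_data": True,
     "section_names": [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"]},
    {"id": "F9z8y7x6w5v4u3t2s1", "machine": "I386", "compile_time": "2012-08-14T03:22:01Z",
     "os": "Windows XP", "subsystem": "WINDOWS_CUI", "is_exe": True, "is_64bit": False,
     "uses_aslr": False, "uses_dep": False, "uses_code_integrity": False, "uses_seh": False,
     "has_import_table": True, "has_export_table": False, "has_cert_table": False, "has_debug_data": False,
     "section_names": ["UPX0", "UPX1", ".rsrc"]},
    {"id": "Fobj00000000000001", "machine": "AMD64", "compile_time": "2019-01-01T00:00:00Z",
     "os": "Windows 7 or Server 2008 R2", "subsystem": "WINDOWS_CUI", "is_exe": False, "is_64bit": True,
     "uses_aslr": False, "uses_dep": False, "uses_code_integrity": False, "uses_seh": False,
     "has_import_table": False, "has_export_table": False, "has_cert_table": False, "has_debug_data": False,
     "section_names": [".text", ".data"]},
]

# Section names the common Windows toolchains emit; this allowlist is an assumption of the example.
COMMON_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata",
    ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".xdata", ".debug", ".didat",
}


def triage_pe(record: dict) -> List[str]:
    """Return finding labels for one zeek.pe record; an empty list means nothing stood out."""
    findings: List[str] = []
    if not record.get("is_exe", False):
        return findings                  # object files: loader flags carry no meaning
    if not record.get("uses_aslr", False):
        findings.append("no_aslr")       # DYNAMIC_BASE not set: fixed load address
    if not record.get("uses_dep", False):
        findings.append("no_dep")        # NX_COMPAT not set: data pages may be executable
    if not record.get("has_cert_table", False):
        findings.append("no_embedded_signature")
    unusual = [s for s in record.get("section_names", []) if s not in COMMON_SECTIONS]
    if unusual:
        findings.append("unusual_sections:" + ",".join(unusual))
    return findings


def triage_all(records: List[dict]) -> Dict[str, List[str]]:
    """Map file id -> findings for every record that produced at least one finding."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = triage_pe(rec)
        if findings:
            result[rec["id"]] = findings
    return result


if __name__ == "__main__":
    for fid, findings in triage_all(SAMPLE_PE_RECORDS).items():
        print(fid, findings)
```

The id in the output is the same file unique identifier that the files group logs as `fuid`, so a hit here can be joined to `zeek.files.sha256`, `zeek.files.tx_host` and `zeek.session_id` to find where the binary came from.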
- name: ttl type: integer description: | The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - name: logged type: boolean description: | Whether this has already been logged and can be ignored. - name: rdp type: group default_field: false description: > Fields exported by the Zeek RDP log. fields: - name: cookie type: keyword description: | Cookie value used by the client machine. This is typically a username. - name: result type: keyword description: | Status result for the connection. It's a mix between RDP negotiation failure messages and GCC server create response messages. - name: security_protocol type: keyword description: | Security protocol chosen by the server. - name: keyboard_layout type: keyword description: | Keyboard layout (language) of the client machine. - name: client type: group fields: - name: build type: keyword description: | RDP client version used by the client machine. - name: client_name type: keyword description: | Name of the client machine. - name: product_id type: keyword description: | Product ID of the client machine. - name: desktop type: group fields: - name: width type: integer description: | Desktop width of the client machine. - name: height type: integer description: | Desktop height of the client machine. - name: color_depth type: keyword description: | The color depth requested by the client in the high_color_depth field. - name: cert type: group fields: - name: type type: keyword description: | If the connection is being encrypted with native RDP encryption, this is the type of cert being used. - name: count type: integer description: | The number of certs seen. X.509 can transfer an entire certificate chain. - name: permanent type: boolean description: | Indicates if the provided certificate or certificate chain is permanent or temporary.
- name: encryption type: group fields: - name: level type: keyword description: | Encryption level of the connection. - name: method type: keyword description: | Encryption method of the connection. - name: done type: boolean description: | Track status of logging RDP connections. - name: ssl type: boolean description: | (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. - name: rfb type: group default_field: false description: > Fields exported by the Zeek RFB log. fields: - name: version type: group fields: - name: client type: group fields: - name: major type: keyword description: | Major version of the client. - name: minor type: keyword description: | Minor version of the client. - name: server type: group fields: - name: major type: keyword description: | Major version of the server. - name: minor type: keyword description: | Minor version of the server. - name: auth type: group fields: - name: success type: boolean description: | Whether or not authentication was successful. - name: method type: keyword description: | Identifier of authentication method used. - name: share_flag type: boolean description: | Whether the client has an exclusive or a shared session. - name: desktop_name type: keyword description: | Name of the screen that is being shared. - name: width type: integer description: | Width of the screen that is being shared. - name: height type: integer description: | Height of the screen that is being shared. - name: signature type: group default_field: false description: > Fields exported by the Zeek Signature log. fields: - name: note type: keyword description: > Notice associated with signature event. - name: sig_id type: keyword description: > The name of the signature that matched. - name: event_msg type: keyword description: > A more descriptive message of the signature-matching event. - name: sub_msg type: keyword description: > Extracted payload data or extra message. 
- name: sig_count type: integer description: > Number of sigs, usually from summary count. - name: host_count type: integer description: > Number of hosts, from a summary count. - name: sip type: group default_field: false description: > Fields exported by the Zeek SIP log. fields: - name: transaction_depth type: integer description: > Represents the pipelined depth into the connection of this request/response transaction. - name: sequence type: group fields: - name: method type: keyword description: > Verb used in the SIP request (INVITE, REGISTER, etc.). - name: number type: keyword description: > Contents of the CSeq: header from the client. - name: uri type: keyword description: > URI used in the request. - name: date type: keyword description: > Contents of the Date: header from the client. - name: request type: group fields: - name: from type: keyword description: > Contents of the request From: header. Note: The tag= value that's usually appended to the sender is stripped off and not logged. - name: to type: keyword description: > Contents of the To: header. - name: path type: keyword description: > The client message transmission path, as extracted from the headers. - name: body_length type: long description: > Contents of the Content-Length: header from the client. - name: response type: group fields: - name: from type: keyword description: > Contents of the response From: header. Note: The tag= value that's usually appended to the sender is stripped off and not logged. - name: to type: keyword description: > Contents of the response To: header. - name: path type: keyword description: > The server message transmission path, as extracted from the headers. - name: body_length type: long description: > Contents of the Content-Length: header from the server. - name: reply_to type: keyword description: > Contents of the Reply-To: header. - name: call_id type: keyword description: > Contents of the Call-ID: header from the client.
- name: subject type: keyword description: > Contents of the Subject: header from the client. - name: user_agent type: keyword description: > Contents of the User-Agent: header from the client. - name: status type: group fields: - name: code type: integer description: > Status code returned by the server. - name: msg type: keyword description: > Status message returned by the server. - name: warning type: keyword description: > Contents of the Warning: header. - name: content_type type: keyword description: > Contents of the Content-Type: header from the server. - name: smb_cmd type: group default_field: false description: > Fields exported by the Zeek smb_cmd log. fields: - name: command type: keyword description: | The command sent by the client. - name: sub_command type: keyword description: | The subcommand sent by the client, if present. - name: argument type: keyword description: | Command argument sent by the client, if any. - name: status type: keyword description: | Server reply to the client's command. - name: rtt type: double description: | Round trip time from the request to the response. - name: version type: keyword description: | Version of SMB for the command. - name: username type: keyword description: | Authenticated username, if available. - name: tree type: keyword description: | If this is related to a tree, this is the tree that was used for the current command. - name: tree_service type: keyword description: | The type of tree (disk share, printer share, named pipe, etc.). - name: file type: group description: | If the command referenced a file, store it here. fields: - name: name type: keyword description: | Filename if one was seen. - name: action type: keyword description: | Action this log record represents. - name: uid type: keyword description: | UID of the referenced file. - name: host type: group fields: - name: tx type: ip description: | Address of the transmitting host. 
- name: rx type: ip description: | Address of the receiving host. - name: smb1_offered_dialects type: keyword description: | Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client. - name: smb2_offered_dialects type: integer description: | Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client. - name: smb_files type: group default_field: false description: > Fields exported by the Zeek SMB Files log. fields: - name: action type: keyword description: > Action this log record represents. - name: fid type: integer description: > ID referencing this file. - name: name type: keyword description: > Filename if one was seen. - name: path type: keyword description: > Path pulled from the tree this file was transferred to or from. - name: previous_name type: keyword description: > If the rename action was seen, this will be the file's previous name. - name: size type: long description: > Byte size of the file. - name: times type: group description: > Timestamps of the file. fields: - name: accessed type: date description: > The file's access time. - name: changed type: date description: > The file's change time. - name: created type: date description: > The file's create time. - name: modified type: date description: > The file's modify time. - name: uuid type: keyword description: > UUID referencing this file if DCE/RPC. - name: smb_mapping type: group default_field: false description: > Fields exported by the Zeek SMB_Mapping log. fields: - name: path type: keyword description: > Name of the tree path. - name: service type: keyword description: > The type of resource of the tree (disk share, printer share, named pipe, etc.). - name: native_file_system type: keyword description: > File system of the tree. - name: share_type type: keyword description: | If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well. 
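As an added example (not part of the Filebeat module or of Zeek), the Python below shows how the zeek.smb_mapping.* and zeek.smb_files.* fields declared above are used together in a detection: a tree mapping tells you which share a session is on, and the file events on that session tell you what was written or renamed there. Writes or renames of executables on the hidden administrative shares are a classic lateral-movement signal (service binaries pushed over ADMIN$). The records are constructed, the `session_id` key standing for Zeek's connection uid is an assumption, and the share list and extension list are tuning choices rather than anything this schema prescribes.

```python
"""Detect writes or renames of executables on hidden administrative shares
(ADMIN$, C$) by correlating zeek.smb_mapping.* with zeek.smb_files.* records.
Added example, not module code: records are constructed, and the session_id
key, the share list and the extension list are assumptions."""
import os

ADMIN_SHARES = {"ADMIN$", "C$"}   # IPC$ is mapped by almost every client, so it is not flagged alone
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".scr"}
# Zeek action values as they appear in smb_files.log; a rename onto an .exe name counts as a drop
WRITE_ACTIONS = {"SMB::FILE_WRITE", "SMB::FILE_RENAME"}

def share_name(unc_path):
    """Share component of a UNC tree path: \\\\10.0.0.5\\ADMIN$ -> ADMIN$ (upper-cased)."""
    return unc_path.rstrip("\\").rsplit("\\", 1)[-1].upper()

def is_executable(filename):
    return os.path.splitext(filename.lower())[1] in EXEC_EXTENSIONS

def admin_share_exec_writes(mappings, files):
    """mappings/files are ingested documents carrying zeek.smb_mapping / zeek.smb_files.
    Returns one finding per executable written or renamed on an admin share."""
    disk_shares = {}
    for doc in mappings:
        m = doc["zeek"]["smb_mapping"]
        if m.get("share_type") == "DISK":            # ignore pipe and printer trees
            disk_shares[doc["session_id"]] = share_name(m["path"])
    findings = []
    for doc in files:
        f = doc["zeek"]["smb_files"]
        # prefer the share learned from the mapping; fall back to the path on the file event
        share = disk_shares.get(doc["session_id"]) or share_name(f.get("path", ""))
        if share in ADMIN_SHARES and f["action"] in WRITE_ACTIONS and is_executable(f["name"]):
            findings.append({"session_id": doc["session_id"], "share": share,
                             "action": f["action"], "name": f["name"],
                             "previous_name": f.get("previous_name"), "size": f.get("size")})
    return findings

# Constructed sample documents (not real captures), already in the field layout above.
SAMPLE_MAPPINGS = [
    {"session_id": "CUM0KZ3MLUfNB0cl11", "zeek": {"smb_mapping": {
        "path": r"\\10.0.0.5\ADMIN$", "service": "DISK", "native_file_system": "NTFS", "share_type": "DISK"}}},
    {"session_id": "C9rXSW3KSpTYvPrlI1", "zeek": {"smb_mapping": {
        "path": r"\\10.0.0.5\IPC$", "service": "IPC", "share_type": "PIPE"}}},
]
SAMPLE_FILES = [
    {"session_id": "CUM0KZ3MLUfNB0cl11", "zeek": {"smb_files": {
        "action": "SMB::FILE_OPEN", "path": r"\\10.0.0.5\ADMIN$", "name": "svc.exe"}}},
    {"session_id": "CUM0KZ3MLUfNB0cl11", "zeek": {"smb_files": {
        "action": "SMB::FILE_WRITE", "path": r"\\10.0.0.5\ADMIN$", "name": "svc.exe", "size": 73728}}},
    {"session_id": "CUM0KZ3MLUfNB0cl11", "zeek": {"smb_files": {
        "action": "SMB::FILE_RENAME", "path": r"\\10.0.0.5\ADMIN$",
        "previous_name": "upload.tmp", "name": "update.dll"}}},
    {"session_id": "CUM0KZ3MLUfNB0cl11", "zeek": {"smb_files": {
        "action": "SMB::FILE_WRITE", "path": r"\\10.0.0.5\ADMIN$", "name": "notes.txt", "size": 120}}},
    {"session_id": "C9rXSW3KSpTYvPrlI1", "zeek": {"smb_files": {
        "action": "SMB::FILE_OPEN", "path": r"\\10.0.0.5\IPC$", "name": "srvsvc"}}},
]

def run_demo():
    return admin_share_exec_writes(SAMPLE_MAPPINGS, SAMPLE_FILES)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The rename case matters because a common evasion is to upload a benign-looking temporary file and then rename it; `previous_name` is only populated for `SMB::FILE_RENAME`, which is why the finding carries it.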
- name: smtp type: group default_field: false description: > Fields exported by the Zeek SMTP log. fields: - name: transaction_depth type: integer description: > A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - name: helo type: keyword description: > Contents of the Helo header. - name: mail_from type: keyword description: > Email addresses found in the MAIL FROM header. - name: rcpt_to type: keyword description: > Email addresses found in the RCPT TO header. - name: date type: date description: > Contents of the Date header. - name: from type: keyword description: > Contents of the From header. - name: to type: keyword description: > Contents of the To header. - name: cc type: keyword description: > Contents of the CC header. - name: reply_to type: keyword description: > Contents of the ReplyTo header. - name: msg_id type: keyword description: > Contents of the MsgID header. - name: in_reply_to type: keyword description: > Contents of the In-Reply-To header. - name: subject type: keyword description: > Contents of the Subject header. - name: x_originating_ip type: keyword description: > Contents of the X-Originating-IP header. - name: first_received type: keyword description: | Contents of the first Received header. - name: second_received type: keyword description: | Contents of the second Received header. - name: last_reply type: keyword description: | The last message that the server sent to the client. - name: path type: ip description: | The message transmission path, as extracted from the headers. - name: user_agent type: keyword description: | Value of the User-Agent header from the client. - name: tls type: boolean description: | Indicates that the connection has switched to using TLS. - name: process_received_from type: boolean description: | Indicates if the "Received: from" headers should still be processed. 
- name: has_client_activity type: boolean description: | Indicates if client activity has been seen, but not yet logged. - name: fuids type: keyword description: | (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message. - name: is_webmail type: boolean description: | Indicates if the message was sent through a webmail interface. - name: snmp type: group default_field: false description: > Fields exported by the Zeek SNMP log. fields: - name: duration type: double description: > The amount of time between the first packet belonging to the SNMP session and the latest one seen. - name: version type: keyword description: > The version of SNMP being used. - name: community type: keyword description: > The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - name: get type: group fields: - name: requests type: integer description: > The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - name: bulk_requests type: integer description: > The number of variable bindings in GetBulkRequest PDUs seen for the session. - name: responses type: integer description: > The number of variable bindings in GetResponse/Response PDUs seen for the session. - name: set type: group fields: - name: requests type: integer description: > The number of variable bindings in SetRequest PDUs seen for the session. - name: display_string type: keyword description: > A system description of the SNMP responder endpoint. - name: up_since type: date description: > The time since which the SNMP responder endpoint claims to have been up. - name: socks type: group default_field: false description: > Fields exported by the Zeek SOCKS log. fields: - name: version type: integer description: | Protocol version of SOCKS.
- name: user type: keyword description: | Username used to request a login to the proxy. - name: password type: keyword description: | Password used to request a login to the proxy. - name: status type: keyword description: | Server status for the attempt at using the proxy. - name: request type: group fields: - name: host type: keyword description: | Client requested SOCKS address. Could be an address, a name or both. - name: port type: integer description: | Client requested port. - name: bound type: group fields: - name: host type: keyword description: | Server bound address. Could be an address, a name or both. - name: port type: integer description: | Server bound port. - name: capture_password type: boolean description: | Determines if the password will be captured for this request. - name: ssh type: group default_field: false description: > Fields exported by the Zeek SSH log. fields: - name: client type: keyword description: > The client's version string. - name: direction type: keyword description: | Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation. - name: host_key type: keyword description: > The server's key thumbprint. - name: server type: keyword description: > The server's version string. - name: version type: integer description: > SSH major version (1 or 2). - name: algorithm type: group description: > Cipher algorithms used in this session. fields: - name: cipher type: keyword description: > The encryption algorithm in use. - name: compression type: keyword description: > The compression algorithm in use. - name: host_key type: keyword description: > The server host key's algorithm. - name: key_exchange type: keyword description: > The key exchange algorithm in use. - name: mac type: keyword description: > The signing (MAC) algorithm in use. 
- name: auth type: group fields: - name: attempts type: integer description: | The number of authentication attempts we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). - name: success type: boolean description: > Authentication result. - name: ssl type: group default_field: false description: > Fields exported by the Zeek SSL log. fields: - name: version type: keyword description: > SSL/TLS version that was logged. - name: cipher type: keyword description: > SSL/TLS cipher suite that was logged. - name: curve type: keyword description: > Elliptic curve that was logged when using ECDH/ECDHE. - name: resumed type: boolean description: | Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection. - name: next_protocol type: keyword description: > Next protocol the server chose using the application layer next protocol extension. - name: established type: boolean description: > Flag to indicate if this ssl session has been established successfully. - name: validation type: group fields: - name: status type: keyword description: > Result of certificate validation for this connection. - name: code type: keyword description: > Result of certificate validation for this connection, given as OpenSSL validation code. - name: last_alert type: keyword description: > Last alert that was seen during the connection. - name: server type: group fields: - name: name type: keyword description: | Value of the Server Name Indication SSL/TLS extension. It indicates the server name that the client was requesting. - name: cert_chain type: keyword description: > Chain of certificates offered by the server to validate its complete signing chain.
- name: cert_chain_fuids type: keyword description: > An ordered vector of certificate file identifiers for the certificates offered by the server. - name: issuer type: group description: > Subject of the signer of the X.509 certificate offered by the server. fields: - name: common_name type: keyword description: > Common name of the signer of the X.509 certificate offered by the server. - name: country type: keyword description: > Country code of the signer of the X.509 certificate offered by the server. - name: locality type: keyword description: > Locality of the signer of the X.509 certificate offered by the server. - name: organization type: keyword description: > Organization of the signer of the X.509 certificate offered by the server. - name: organizational_unit type: keyword description: > Organizational unit of the signer of the X.509 certificate offered by the server. - name: state type: keyword description: > State or province name of the signer of the X.509 certificate offered by the server. - name: subject type: group description: > Subject of the X.509 certificate offered by the server. fields: - name: common_name type: keyword description: > Common name of the X.509 certificate offered by the server. - name: country type: keyword description: > Country code of the X.509 certificate offered by the server. - name: locality type: keyword description: > Locality of the X.509 certificate offered by the server. - name: organization type: keyword description: > Organization of the X.509 certificate offered by the server. - name: organizational_unit type: keyword description: > Organizational unit of the X.509 certificate offered by the server. - name: state type: keyword description: > State or province name of the X.509 certificate offered by the server. - name: client type: group fields: - name: cert_chain type: keyword description: > Chain of certificates offered by the client to validate its complete signing chain. 
- name: cert_chain_fuids type: keyword description: > An ordered vector of certificate file identifiers for the certificates offered by the client. - name: issuer type: group description: > Subject of the signer of the X.509 certificate offered by the client. fields: - name: common_name type: keyword description: > Common name of the signer of the X.509 certificate offered by the client. - name: country type: keyword description: > Country code of the signer of the X.509 certificate offered by the client. - name: locality type: keyword description: > Locality of the signer of the X.509 certificate offered by the client. - name: organization type: keyword description: > Organization of the signer of the X.509 certificate offered by the client. - name: organizational_unit type: keyword description: > Organizational unit of the signer of the X.509 certificate offered by the client. - name: state type: keyword description: > State or province name of the signer of the X.509 certificate offered by the client. - name: subject type: group description: > Subject of the X.509 certificate offered by the client. fields: - name: common_name type: keyword description: > Common name of the X.509 certificate offered by the client. - name: country type: keyword description: > Country code of the X.509 certificate offered by the client. - name: locality type: keyword description: > Locality of the X.509 certificate offered by the client. - name: organization type: keyword description: > Organization of the X.509 certificate offered by the client. - name: organizational_unit type: keyword description: > Organizational unit of the X.509 certificate offered by the client. - name: state type: keyword description: > State or province name of the X.509 certificate offered by the client. - name: stats type: group default_field: false description: > Fields exported by the Zeek stats log. fields: - name: peer type: keyword description: | Peer that generated this log. Mostly for clusters. 
- name: memory type: integer description: | Amount of memory currently in use in MB. - name: packets type: group fields: - name: processed type: long description: | Number of packets processed since the last stats interval. - name: dropped type: long description: | Number of packets dropped since the last stats interval if reading live traffic. - name: received type: long description: | Number of packets seen on the link since the last stats interval if reading live traffic. - name: bytes type: group fields: - name: received type: long description: | Number of bytes received since the last stats interval if reading live traffic. - name: connections type: group fields: - name: tcp type: group fields: - name: active type: integer description: | TCP connections currently in memory. - name: count type: integer description: | TCP connections seen since last stats interval. - name: udp type: group fields: - name: active type: integer description: | UDP connections currently in memory. - name: count type: integer description: | UDP connections seen since last stats interval. - name: icmp type: group fields: - name: active type: integer description: | ICMP connections currently in memory. - name: count type: integer description: | ICMP connections seen since last stats interval. - name: events type: group fields: - name: processed type: integer description: | Number of events processed since the last stats interval. - name: queued type: integer description: | Number of events that have been queued since the last stats interval. - name: timers type: group fields: - name: count type: integer description: | Number of timers scheduled since last stats interval. - name: active type: integer description: | Current number of scheduled timers. - name: files type: group fields: - name: count type: integer description: | Number of files seen since last stats interval. - name: active type: integer description: | Current number of files actively being seen. 
- name: dns_requests type: group fields: - name: count type: integer description: | Number of DNS requests seen since last stats interval. - name: active type: integer description: | Current number of DNS requests awaiting a reply. - name: reassembly_size type: group fields: - name: tcp type: integer description: | Current size of TCP data in reassembly. - name: file type: integer description: | Current size of File data in reassembly. - name: frag type: integer description: | Current size of packet fragment data in reassembly. - name: unknown type: integer description: | Current size of unknown data in reassembly (this is only the PIA buffer right now). - name: timestamp_lag type: integer description: | Lag between the wall clock and packet timestamps if reading live traffic. - name: syslog type: group default_field: false description: > Fields exported by the Zeek syslog log. fields: - name: facility type: keyword description: > Syslog facility for the message. - name: severity type: keyword description: > Syslog severity for the message. - name: message type: keyword description: > The plain text message. - name: tunnel type: group default_field: false description: > Fields exported by the Zeek Tunnel log. fields: - name: type type: keyword description: > The type of tunnel. - name: action type: keyword description: > The type of activity that occurred. - name: weird type: group default_field: false description: > Fields exported by the Zeek Weird log. fields: - name: name type: keyword description: | The name of the weird that occurred. - name: additional_info type: keyword description: | Additional information accompanying the weird if any. - name: notice type: boolean description: | Indicate if this weird was also turned into a notice. - name: peer type: keyword description: | The peer that originated this weird. In cluster deployments this helps identify which node is having trouble.
- name: identifier type: keyword description: | This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. - name: x509 type: group default_field: false description: > Fields exported by the Zeek x509 log. fields: - name: id type: keyword description: > File id of this certificate. - name: certificate type: group description: > Basic information about the certificate. fields: - name: version type: integer description: > Version number. - name: serial type: keyword description: > Serial number. - name: subject type: group description: > Subject. fields: - name: country type: keyword description: > Country provided in the certificate subject. - name: common_name type: keyword description: > Common name provided in the certificate subject. - name: locality type: keyword description: > Locality provided in the certificate subject. - name: organization type: keyword description: > Organization provided in the certificate subject. - name: organizational_unit type: keyword description: > Organizational unit provided in the certificate subject. - name: state type: keyword description: > State or province provided in the certificate subject. - name: issuer type: group description: > Issuer. fields: - name: country type: keyword description: > Country provided in the certificate issuer field. - name: common_name type: keyword description: > Common name provided in the certificate issuer field. - name: locality type: keyword description: > Locality provided in the certificate issuer field. - name: organization type: keyword description: > Organization provided in the certificate issuer field. - name: organizational_unit type: keyword description: > Organizational unit provided in the certificate issuer field. 
- name: state type: keyword description: > State or province provided in the certificate issuer field. - name: common_name type: keyword description: > Last (most specific) common name. - name: valid type: group description: > Certificate validity timestamps fields: - name: from type: date description: > Timestamp before which the certificate is not valid. - name: until type: date description: > Timestamp after which the certificate is not valid. - name: key type: group fields: - name: algorithm type: keyword description: > Name of the key algorithm. - name: type type: keyword description: > Key type, if the key is parseable by OpenSSL (rsa, dsa or ec). - name: length type: integer description: > Key length in bits. - name: signature_algorithm type: keyword description: > Name of the signature algorithm. - name: exponent type: keyword description: > Exponent, if RSA certificate. - name: curve type: keyword description: > Curve, if EC certificate. - name: san type: group description: > Subject alternative name extension of the certificate. fields: - name: dns type: keyword description: > List of DNS entries in SAN. - name: uri type: keyword description: > List of URI entries in SAN. - name: email type: keyword description: > List of email entries in SAN. - name: ip type: ip description: > List of IP entries in SAN. - name: other_fields type: boolean description: > True if the certificate contained other, not recognized or parsed name fields. - name: basic_constraints type: group description: > Basic constraints extension of the certificate. fields: - name: certificate_authority type: boolean description: > CA flag set or not. - name: path_length type: integer description: > Maximum path length. - name: log_cert type: boolean description: | Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded. Logging of the certificate is suppressed if set to F.
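As an added example (not part of the Filebeat module or of Zeek), the Python below takes Zeek ssl.log and x509.log records in their JSON log shape, maps them onto the zeek.ssl.* and zeek.x509.* fields declared in the SSL and x509 groups above, and runs the checks a SOC typically wants on a TLS session: legacy protocol version, failed chain validation, self-signed leaf, expiry, weak RSA key, and SNI absent from the SAN list. The sample records are constructed; the DN splitting, the correlation of a session to its leaf certificate through the first entry of cert_chain_fuids, and the thresholds are assumptions rather than anything this schema prescribes.

```python
"""Map raw Zeek ssl.log / x509.log JSON records onto the zeek.ssl.* and
zeek.x509.* fields declared above, then run certificate checks on one TLS
session. Added example: the mapping imitates what an ingest pipeline does but
is written from scratch here, and the sample records are constructed, not
captured traffic. Standard library only."""
import json
from datetime import datetime, timezone

# OpenSSL-style RDN abbreviations as Zeek prints them -> field names in this schema
RDN_TO_FIELD = {"CN": "common_name", "C": "country", "L": "locality",
                "O": "organization", "OU": "organizational_unit", "ST": "state"}

def parse_dn(dn):
    """'CN=a,O=b,C=US' -> {'common_name': 'a', 'organization': 'b', 'country': 'US'}."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key in RDN_TO_FIELD and value:
            out[RDN_TO_FIELD[key]] = value
    return out

def epoch_to_date(ts):
    """Zeek logs epoch seconds; the date fields above expect ISO-8601 UTC."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()

def map_ssl(rec):
    """ssl.log record -> zeek.ssl.* document."""
    return {"zeek": {"ssl": {
        "version": rec.get("version"), "cipher": rec.get("cipher"),
        "curve": rec.get("curve"), "resumed": rec.get("resumed"),
        "established": rec.get("established"),
        "validation": {"status": rec.get("validation_status")},
        "server": {"name": rec.get("server_name"),
                   "cert_chain_fuids": rec.get("cert_chain_fuids", [])}}}}

def map_x509(rec):
    """x509.log record (Zeek flattens nested fields with dots) -> zeek.x509.* document."""
    return {"zeek": {"x509": {
        "id": rec["id"],
        "certificate": {
            "subject": parse_dn(rec["certificate.subject"]),
            "issuer": parse_dn(rec["certificate.issuer"]),
            "valid": {"from": epoch_to_date(rec["certificate.not_valid_before"]),
                      "until": epoch_to_date(rec["certificate.not_valid_after"])},
            "key": {"algorithm": rec.get("certificate.key_alg"),
                    "type": rec.get("certificate.key_type"),
                    "length": rec.get("certificate.key_length")}},
        "san": {"dns": rec.get("san.dns", [])},
        "basic_constraints": {"certificate_authority": rec.get("basic_constraints.ca")}}}}

def check_session(ssl_doc, x509_docs, now):
    """Findings for one TLS session; the leaf certificate is the first cert_chain_fuid."""
    findings = []
    ssl = ssl_doc["zeek"]["ssl"]
    if ssl["version"] in ("SSLv3", "TLSv10", "TLSv11"):
        findings.append("legacy-tls-version")
    if ssl["validation"]["status"] not in (None, "ok"):
        findings.append("validation-failed")
    fuids = ssl["server"]["cert_chain_fuids"]
    leaf = next((d["zeek"]["x509"] for d in x509_docs
                 if fuids and d["zeek"]["x509"]["id"] == fuids[0]), None)
    if leaf is None:
        return findings
    cert = leaf["certificate"]
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")
    if datetime.fromisoformat(cert["valid"]["until"]) < now:
        findings.append("expired")
    if cert["key"]["type"] == "rsa" and (cert["key"]["length"] or 0) < 2048:
        findings.append("weak-rsa-key")
    if ssl["server"]["name"] and ssl["server"]["name"] not in leaf["san"]["dns"]:
        findings.append("sni-not-in-san")
    return findings

# Constructed sample records in Zeek's JSON log shape (not real captures).
SAMPLE_SSL = json.loads('{"ts": 1622505600.1, "uid": "CHhAvVGS1DHFjwGM9", "version": "TLSv10", '
                       '"cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "server_name": "intranet.example.test", '
                       '"resumed": false, "established": true, '
                       '"validation_status": "self signed certificate", '
                       '"cert_chain_fuids": ["FaDuSZ1yWJOKnKN71"]}')
SAMPLE_X509 = [json.loads('{"ts": 1622505600.1, "id": "FaDuSZ1yWJOKnKN71", "certificate.version": 3, '
                          '"certificate.serial": "01", '
                          '"certificate.subject": "CN=intranet.example.test,O=Example,C=US", '
                          '"certificate.issuer": "CN=intranet.example.test,O=Example,C=US", '
                          '"certificate.not_valid_before": 1546300800.0, '
                          '"certificate.not_valid_after": 1609459200.0, '
                          '"certificate.key_alg": "rsaEncryption", '
                          '"certificate.sig_alg": "sha256WithRSAEncryption", '
                          '"certificate.key_type": "rsa", "certificate.key_length": 1024, '
                          '"san.dns": ["intranet.example.test"], "basic_constraints.ca": false}')]

def run_demo(now=datetime(2021, 6, 1, tzinfo=timezone.utc)):
    return check_session(map_ssl(SAMPLE_SSL), [map_x509(r) for r in SAMPLE_X509], now)

if __name__ == "__main__":
    print(run_demo())
```

The mapping step is where the `date` fields (`valid.from`, `valid.until`) and the per-RDN `keyword` fields (`subject.common_name`, `issuer.organization`, and so on) get populated from Zeek's epoch floats and single-string DNs; it is also where type errors surface, since an unconverted epoch written into a `date` field is rejected at index time rather than silently stored.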
- key: zookeeper title: "ZooKeeper" release: beta description: > ZooKeeper Module fields: - name: zookeeper type: group description: > ZooKeeper fields. fields: - name: audit type: group description: > ZooKeeper Audit logs. release: beta fields: - name: session type: keyword description: > Client session id - name: znode type: keyword description: > Path of the znode - name: znode_type type: keyword description: > Type of znode in case of creation operation - name: acl type: keyword description: > String representation of znode ACL like cdrwa (create, delete, read, write, admin). This is logged only for the setAcl operation - name: result type: keyword description: > Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for the serverStop operation because the stop is logged before the server is confirmed to have actually stopped. - name: user type: keyword description: > Comma separated list of users who are associated with a client session - name: log type: group description: > ZooKeeper logs. release: beta fields: - key: zoom title: Zoom description: > Module for handling incoming Zoom webhook requests fields: - name: zoom type: group release: beta default_field: false description: > Module for parsing Zoom API Webhooks.
fields: - name: master_account_id type: keyword description: > Master Account related to a specific Sub Account - name: sub_account_id type: keyword description: > Related Sub Account - name: operator_id type: keyword description: > UserID that triggered the event - name: operator type: keyword description: > Username/Email related to the user that triggered the event - name: account_id type: keyword description: > Account ID related to the event - name: timestamp type: date description: > Timestamp related to the event - name: creation_type type: keyword description: > Creation type - name: account.owner_id type: keyword description: > UserID of the user whose sub account was created/disassociated - name: account.email type: keyword description: > Email related to the user the action was performed on - name: account.owner_email type: keyword description: > Email of the user whose sub account was created/disassociated - name: account.account_name type: keyword description: > When an account name is updated, this is the new value set - name: account.account_alias type: keyword description: > When an account alias is updated, this is the new value set - name: account.account_support_name type: keyword description: > When an account support_name is updated, this is the new value set - name: account.account_support_email type: keyword description: > When an account support_email is updated, this is the new value set - name: chat_channel.name type: keyword description: > The name of the channel that has been added/modified/deleted - name: chat_channel.id type: keyword description: > The ID of the channel that has been added/modified/deleted - name: chat_channel.type type: keyword description: > Type of channel related to the event.
Can be 1(Invite-Only), 2(Private) or 3(Public) - name: chat_message.id type: keyword description: > Unique ID of the related chat message - name: chat_message.type type: keyword description: > Type of message, can be either "to_contact" or "to_channel" - name: chat_message.session_id type: keyword description: > SessionID for the channel related to the message - name: chat_message.contact_email type: keyword description: > Email address related to the user sending the message - name: chat_message.contact_id type: keyword description: > UserID belonging to the user receiving a message - name: chat_message.channel_id type: keyword description: > ChannelID related to the message - name: chat_message.channel_name type: keyword description: > Channel name related to the message - name: chat_message.message type: keyword description: > A string containing the full message that was sent - name: meeting.id type: keyword description: > Unique ID of the related meeting - name: meeting.uuid type: keyword description: > The UUID of the related meeting - name: meeting.host_id type: keyword description: > The UserID of the configured meeting host - name: meeting.topic type: keyword description: > Topic of the related meeting - name: meeting.type type: keyword description: > Type of meeting created - name: meeting.start_time type: date description: > Date and time the meeting started - name: meeting.timezone type: keyword description: > Which timezone is used for the meeting timestamps - name: meeting.duration type: long description: > The duration of a meeting in minutes - name: meeting.issues type: keyword description: > When a user reports an issue with the meeting, for example: "Unstable audio quality" - name: meeting.password type: keyword description: > Password related to the meeting - name: phone.id type: keyword description: > Unique ID for the phone or conversation - name: phone.user_id type: keyword description: > UserID for the phone owner related to a Call Log being 
completed - name: phone.download_url type: keyword description: > Download URL for the voicemail - name: phone.ringing_start_time type: date description: > The timestamp when a ringtone was established to the callee - name: phone.connected_start_time type: date description: > The date and time when the call was connected - name: phone.answer_start_time type: date description: > The date and time when the call was answered - name: phone.call_end_time type: date description: > The date and time when the call ended - name: phone.call_id type: keyword description: > Unique ID of the related call - name: phone.duration type: long description: > Duration of a voicemail in minutes - name: phone.caller.id type: keyword description: > UserID of the caller related to the voicemail/call - name: phone.caller.user_id type: keyword description: > UserID of the person who initiated the call - name: phone.caller.number_type type: keyword description: > The type of number, can be 1(Internal) or 2(External) - name: phone.caller.name type: keyword description: > The name of the caller - name: phone.caller.phone_number type: keyword description: > Phone Number of the caller related to the call - name: phone.caller.extension_type type: keyword description: > Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup - name: phone.caller.extension_number type: keyword description: > Extension number of the caller - name: phone.caller.timezone type: keyword description: > Timezone of the caller - name: phone.caller.device_type type: keyword description: > Device type used by the caller - name: phone.callee.id type: keyword description: > UserID of the callee related to the voicemail/call - name: phone.callee.user_id type: keyword description: > UserID of the related callee of a voicemail/call - name: phone.callee.name type: keyword description: > The name of the related callee - name: phone.callee.number_type type: keyword
description: > The type of number, can be 1(Internal) or 2(External) - name: phone.callee.phone_number type: keyword description: > Phone Number of the callee related to the call - name: phone.callee.extension_type type: keyword description: > Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup - name: phone.callee.extension_number type: keyword description: > Extension number of the callee related to the call - name: phone.callee.timezone type: keyword description: > Timezone of the callee related to the call - name: phone.callee.device_type type: keyword description: > Device type used by the callee related to the call - name: phone.date_time type: date description: > Date and time of the related phone event - name: recording.id type: keyword description: > Unique ID of the related recording - name: recording.uuid type: keyword description: > UUID of the related recording - name: recording.host_id type: keyword description: > UserID of the host of the meeting that was recorded - name: recording.topic type: keyword description: > Topic of the meeting related to the recording - name: recording.type type: keyword description: > Type of recording, can be multiple type of values, please check Zoom documentation - name: recording.start_time type: date description: > The date and time when the recording started - name: recording.timezone type: keyword description: > The timezone used for the recording date - name: recording.duration type: long description: > Duration of the recording in minutes - name: recording.share_url type: keyword description: > The URL to access the recording - name: recording.total_size type: long description: > Total size of the recording in bytes - name: recording.recording_count type: long description: > Number of recording files related to the recording - name: recording.recording_file.recording_start type: date description: > The date and time the recording started - name: 
recording.recording_file.recording_end type: date description: > The date and time the recording finished - name: recording.host_email type: keyword description: > Email address of the host related to the meeting that was recorded - name: user.id type: keyword description: > UserID related to the user event - name: user.first_name type: keyword description: > User first name related to the user event - name: user.last_name type: keyword description: > User last name related to the user event - name: user.email type: keyword description: > User email related to the user event - name: user.type type: keyword description: > User type related to the user event - name: user.phone_number type: keyword description: > User phone number related to the user event - name: user.phone_country type: keyword description: > User country code related to the user event - name: user.company type: keyword description: > User company related to the user event - name: user.pmi type: keyword description: > User personal meeting ID related to the user event - name: user.use_pmi type: boolean description: > If a user has PMI enabled - name: user.pic_url type: keyword description: > Full URL to the profile picture used by the user - name: user.vanity_name type: keyword description: > Name of the personal meeting room related to the user event - name: user.timezone type: keyword description: > Timezone configured for the user - name: user.language type: keyword description: > Language configured for the user - name: user.host_key type: keyword description: > Host key set for the user - name: user.role type: keyword description: > The configured role for the user - name: user.dept type: keyword description: > The configured departement for the user - name: user.presence_status type: keyword description: > Current presence status of user - name: user.personal_notes type: keyword description: > Personal notes for the User - name: user.client_type type: keyword description: > Type of client used 
by the user. Can be browser, mac, win, iphone or android - name: user.version type: keyword description: > Version of the client used by the user - name: webinar.id type: keyword description: > Unique ID for the related webinar - name: webinar.join_url type: keyword description: > The URL configured to join the webinar - name: webinar.uuid type: keyword description: > UUID for the related webinar - name: webinar.host_id type: keyword description: > UserID for the configured host of the webinar - name: webinar.topic type: keyword description: > Meeting topic of the related webinar - name: webinar.type type: keyword description: > Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) - name: webinar.start_time type: date description: > The date and time when the webinar started - name: webinar.timezone type: keyword description: > Timezone used for the dates related to the webinar - name: webinar.duration type: long description: > Duration of the webinar in minutes - name: webinar.agenda type: keyword description: > The configured agenda of the webinar - name: webinar.password type: keyword description: > Password configured to access the webinar - name: webinar.issues type: keyword description: > Any reported issues about a webinar is reported in this field - name: zoomroom.id type: keyword description: > Unique ID of the Zoom room - name: zoomroom.room_name type: keyword description: > The configured name of the Zoom room - name: zoomroom.calendar_name type: keyword description: > Calendar name of the Zoom room - name: zoomroom.calendar_id type: keyword description: > Unique ID of the calendar used by the Zoom room - name: zoomroom.event_id type: keyword description: > Unique ID of the calendar event associated with the Zoom Room - name: zoomroom.change_key type: keyword description: > Key used by Microsoft products integration that represents a specific version of a calendar - name: 
zoomroom.resource_email type: keyword description: > Email address associated with the calendar in use by the Zoom room - name: zoomroom.email type: keyword description: > Email address associated with the Zoom room itself - name: zoomroom.issue type: keyword description: > Any reported alerts or issues related to the Zoom room or its equipment - name: zoomroom.alert_type type: keyword description: > An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation - name: zoomroom.component type: keyword description: > An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation - name: zoomroom.alert_kind type: keyword description: > An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) - name: registrant.id type: keyword description: > Unique ID of the user registering to a meeting or webinar - name: registrant.status type: keyword description: > Status of the specific user registration - name: registrant.email type: keyword description: > Email of the user registering to a meeting or webinar - name: registrant.first_name type: keyword description: > First name of the user registering to a meeting or webinar - name: registrant.last_name type: keyword description: > Last name of the user registering to a meeting or webinar - name: registrant.address type: keyword description: > Address of the user registering to a meeting or webinar - name: registrant.city type: keyword description: > City of the user registering to a meeting or webinar - name: registrant.country type: keyword description: > Country of the user registering to a meeting or webinar - name: registrant.zip type: keyword description: > Zip code of the user registering to a meeting or webinar - name: registrant.state type: keyword description: > State of the user registering to a meeting or webinar - name: registrant.phone type: keyword description: 
> Phone number of the user registering to a meeting or webinar - name: registrant.industry type: keyword description: > Related industry of the user registering to a meeting or webinar - name: registrant.org type: keyword description: > Organization related to the user registering to a meeting or webinar - name: registrant.job_title type: keyword description: > Job title of the user registering to a meeting or webinar - name: registrant.purchasing_time_frame type: keyword description: > Choosen purchase timeframe of the user registering to a meeting or webinar - name: registrant.role_in_purchase_process type: keyword description: > Choosen role in a purchase process related to the user registering to a meeting or webinar - name: registrant.no_of_employees type: keyword description: > Number of employees choosen by the user registering to a meeting or webinar - name: registrant.comments type: keyword description: > Comments left by the user registering to a meeting or webinar - name: registrant.join_url type: keyword description: > The URL that the registrant can use to join the webinar - name: participant.id type: keyword description: > Unique ID of the participant related to a meeting - name: participant.user_id type: keyword description: > UserID of the participant related to a meeting - name: participant.user_name type: keyword description: > Username of the participant related to a meeting - name: participant.join_time type: date description: > The date and time a participant joined a meeting - name: participant.leave_time type: date description: > The date and time a participant left a meeting - name: participant.sharing_details.link_source type: keyword description: > Method of sharing with dropbox integration - name: participant.sharing_details.content type: keyword description: > Type of content that was shared - name: participant.sharing_details.file_link type: keyword description: > The file link that was shared - name: 
participant.sharing_details.date_time type: keyword description: > Timestamp the sharing started - name: participant.sharing_details.source type: keyword description: > The file source that was share - name: old_values type: flattened description: > Includes the old values when updating a object like user, meeting, account or webinar - name: settings type: flattened description: > The current active settings related to a object like user, meeting, account or webinar - key: zscaler title: Zscaler NSS description: > zscaler fields. fields: - name: network.interface.name overwrite: true type: keyword default_field: false description: > Name of the network interface where the traffic has been observed. - name: rsa overwrite: true type: group default_field: false fields: - name: internal overwrite: true type: group fields: - name: msg overwrite: true type: keyword description: This key is used to capture the raw message that comes into the Log Decoder - name: messageid overwrite: true type: keyword - name: event_desc overwrite: true type: keyword - name: message overwrite: true type: keyword description: This key captures the contents of instant messages - name: time overwrite: true type: date description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - name: level overwrite: true type: long description: Deprecated key defined only in table map. - name: msg_id overwrite: true type: keyword description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: msg_vid overwrite: true type: keyword description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: data overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_server overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_val overwrite: true type: keyword description: Deprecated key defined only in table map. - name: resource overwrite: true type: keyword description: Deprecated key defined only in table map. - name: obj_id overwrite: true type: keyword description: Deprecated key defined only in table map. - name: statement overwrite: true type: keyword description: Deprecated key defined only in table map. - name: audit_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: entry overwrite: true type: keyword description: Deprecated key defined only in table map. - name: hcode overwrite: true type: keyword description: Deprecated key defined only in table map. - name: inode overwrite: true type: long description: Deprecated key defined only in table map. - name: resource_class overwrite: true type: keyword description: Deprecated key defined only in table map. - name: dead overwrite: true type: long description: Deprecated key defined only in table map. - name: feed_desc overwrite: true type: keyword description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: feed_name overwrite: true type: keyword description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: cid overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_class overwrite: true type: keyword description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_group overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_host overwrite: true type: keyword description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ip overwrite: true type: ip description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_ipv6 overwrite: true type: ip description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type overwrite: true type: keyword description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: device_type_id overwrite: true type: long description: Deprecated key defined only in table map. - name: did overwrite: true type: keyword description: This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: entropy_req overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: entropy_res overwrite: true type: long description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - name: event_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: feed_category overwrite: true type: keyword description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: forward_ip overwrite: true type: ip description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - name: forward_ipv6 overwrite: true type: ip description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: header_id overwrite: true type: keyword description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_cid overwrite: true type: keyword description: This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: lc_ctime overwrite: true type: date description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: mcb_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - name: mcb_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - name: mcbc_req overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: mcbc_res overwrite: true type: long description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - name: medium overwrite: true type: long description: "This key is used to identify if it\u2019s a log/packet session\ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ \ 32 = log, 33 = correlation session, < 32 is packet session" - name: node_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: nwe_callback_id overwrite: true type: keyword description: This key denotes that event is endpoint related - name: parse_error overwrite: true type: keyword description: This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: payload_req overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: payload_res overwrite: true type: long description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - name: process_vid_dst overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - name: process_vid_src overwrite: true type: keyword description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - name: rid overwrite: true type: long description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: session_split overwrite: true type: keyword description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: site overwrite: true type: keyword description: Deprecated key defined only in table map. - name: size overwrite: true type: long description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: sourcefile overwrite: true type: keyword description: This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: ubc_req overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: ubc_res overwrite: true type: long description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - name: word overwrite: true type: keyword description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - name: time overwrite: true type: group fields: - name: event_time overwrite: true type: date description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - name: duration_time overwrite: true type: double description: This key is used to capture the normalized duration/lifetime in seconds. 
- name: event_time_str overwrite: true type: keyword description: This key is used to capture the incomplete time mentioned in a session as a string - name: starttime overwrite: true type: date description: This key is used to capture the Start time mentioned in a session in a standard form - name: month overwrite: true type: keyword - name: day overwrite: true type: keyword - name: endtime overwrite: true type: date description: This key is used to capture the End time mentioned in a session in a standard form - name: timezone overwrite: true type: keyword description: This key is used to capture the timezone of the Event Time - name: duration_str overwrite: true type: keyword description: A text string version of the duration - name: date overwrite: true type: keyword - name: year overwrite: true type: keyword - name: recorded_time overwrite: true type: date description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - name: datetime overwrite: true type: keyword - name: effective_time overwrite: true type: date description: This key is the effective time referenced by an individual event in a Standard Timestamp format - name: expire_time overwrite: true type: date description: This key is the timestamp that explicitly refers to an expiration. - name: process_time overwrite: true type: keyword description: Deprecated, use duration.time - name: hour overwrite: true type: keyword - name: min overwrite: true type: keyword - name: timestamp overwrite: true type: keyword - name: event_queue_time overwrite: true type: date description: This key is the Time that the event was queued. 
- name: p_time1 overwrite: true type: keyword - name: tzone overwrite: true type: keyword - name: eventtime overwrite: true type: keyword - name: gmtdate overwrite: true type: keyword - name: gmttime overwrite: true type: keyword - name: p_date overwrite: true type: keyword - name: p_month overwrite: true type: keyword - name: p_time overwrite: true type: keyword - name: p_time2 overwrite: true type: keyword - name: p_year overwrite: true type: keyword - name: expire_time_str overwrite: true type: keyword description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - name: stamp overwrite: true type: date description: Deprecated key defined only in table map. - name: misc overwrite: true type: group fields: - name: action overwrite: true type: keyword - name: result overwrite: true type: keyword description: This key is used to capture the outcome/result string value of an action in a session. - name: severity overwrite: true type: keyword description: This key is used to capture the severity given the session - name: event_type overwrite: true type: keyword description: This key captures the event category type as specified by the event source. - name: reference_id overwrite: true type: keyword description: This key is used to capture an event id from the session directly - name: version overwrite: true type: keyword description: This key captures Version of the application or OS which is generating the event. - name: disposition overwrite: true type: keyword description: This key captures the The end state of an action. 
- name: result_code overwrite: true type: keyword description: This key is used to capture the outcome/result numeric value of an action in a session - name: category overwrite: true type: keyword description: This key is used to capture the category of an event given by the vendor in the session - name: obj_name overwrite: true type: keyword description: This is used to capture name of object - name: obj_type overwrite: true type: keyword description: This is used to capture type of object - name: event_source overwrite: true type: keyword description: "This key captures Source of the event that\u2019s not a hostname" - name: log_session_id overwrite: true type: keyword description: This key is used to capture a sessionid from the session directly - name: group overwrite: true type: keyword description: This key captures the Group Name value - name: policy_name overwrite: true type: keyword description: This key is used to capture the Policy Name only. - name: rule_name overwrite: true type: keyword description: This key captures the Rule Name - name: context overwrite: true type: keyword description: This key captures Information which adds additional context to the event. - name: change_new overwrite: true type: keyword description: "This key is used to capture the new values of the attribute that\u2019\ s changing in a session" - name: space overwrite: true type: keyword - name: client overwrite: true type: keyword description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- name: msgIdPart1 overwrite: true type: keyword - name: msgIdPart2 overwrite: true type: keyword - name: change_old overwrite: true type: keyword description: "This key is used to capture the old value of the attribute that\u2019\ s changing in a session" - name: operation_id overwrite: true type: keyword description: An alert number or operation number. The values should be unique and non-repeating. - name: event_state overwrite: true type: keyword description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - name: group_object overwrite: true type: keyword description: This key captures a collection/grouping of entities. Specific usage - name: node overwrite: true type: keyword description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - name: rule overwrite: true type: keyword description: This key captures the Rule number - name: device_name overwrite: true type: keyword description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - name: param overwrite: true type: keyword description: This key is the parameters passed as part of a command or application, etc. - name: change_attrib overwrite: true type: keyword description: "This key is used to capture the name of the attribute that\u2019\ s changing in a session" - name: event_computer overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- name: reference_id1 overwrite: true type: keyword description: This key is for Linked ID to be used as an addition to "reference.id" - name: event_log overwrite: true type: keyword description: This key captures the Name of the event log - name: OS overwrite: true type: keyword description: This key captures the Name of the Operating System - name: terminal overwrite: true type: keyword description: This key captures the Terminal Names only - name: msgIdPart3 overwrite: true type: keyword - name: filter overwrite: true type: keyword description: This key captures Filter used to reduce result set - name: serial_number overwrite: true type: keyword description: This key is the Serial number associated with a physical asset. - name: checksum overwrite: true type: keyword description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - name: event_user overwrite: true type: keyword description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - name: virusname overwrite: true type: keyword description: This key captures the name of the virus - name: content_type overwrite: true type: keyword description: This key is used to capture Content Type only. 
- name: group_id overwrite: true type: keyword description: This key captures Group ID Number (related to the group name) - name: policy_id overwrite: true type: keyword description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - name: vsys overwrite: true type: keyword description: This key captures Virtual System Name - name: connection_id overwrite: true type: keyword description: This key captures the Connection ID - name: reference_id2 overwrite: true type: keyword description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - name: sensor overwrite: true type: keyword description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - name: sig_id overwrite: true type: long description: This key captures IDS/IPS Int Signature ID - name: port_name overwrite: true type: keyword description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - name: rule_group overwrite: true type: keyword description: This key captures the Rule group name - name: risk_num overwrite: true type: double description: This key captures a Numeric Risk value - name: trigger_val overwrite: true type: keyword description: This key captures the Value of the trigger or threshold condition. - name: log_session_id1 overwrite: true type: keyword description: This key is used to capture a Linked (Related) Session ID from the session directly - name: comp_version overwrite: true type: keyword description: This key captures the Version level of a sub-component of a product. - name: content_version overwrite: true type: keyword description: This key captures Version level of a signature or database content. 
        - name: hardware_id
          overwrite: true
          type: keyword
          description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
        - name: risk
          overwrite: true
          type: keyword
          description: This key captures the non-numeric risk value
        - name: event_id
          overwrite: true
          type: keyword
        - name: reason
          overwrite: true
          type: keyword
        - name: status
          overwrite: true
          type: keyword
        - name: mail_id
          overwrite: true
          type: keyword
          description: This key is used to capture the mailbox id/name
        - name: rule_uid
          overwrite: true
          type: keyword
          description: This key is the Unique Identifier for a rule.
        - name: trigger_desc
          overwrite: true
          type: keyword
          description: This key captures the Description of the trigger or threshold condition.
        - name: inout
          overwrite: true
          type: keyword
        - name: p_msgid
          overwrite: true
          type: keyword
        - name: data_type
          overwrite: true
          type: keyword
        - name: msgIdPart4
          overwrite: true
          type: keyword
        - name: error
          overwrite: true
          type: keyword
          description: This key captures All non successful Error codes or responses
        - name: index
          overwrite: true
          type: keyword
        - name: listnum
          overwrite: true
          type: keyword
          description: This key is used to capture listname or listnumber, primarily for collecting access-list
        - name: ntype
          overwrite: true
          type: keyword
        - name: observed_val
          overwrite: true
          type: keyword
          description: This key captures the Value observed (from the perspective of the device generating the log).
        - name: policy_value
          overwrite: true
          type: keyword
          description: This key captures the contents of the policy. This contains details about the policy
        - name: pool_name
          overwrite: true
          type: keyword
          description: This key captures the name of a resource pool
        - name: rule_template
          overwrite: true
          type: keyword
          description: A default set of parameters which are overlayed onto a rule (or rulename) which effectively constitutes a template
        - name: count
          overwrite: true
          type: keyword
        - name: number
          overwrite: true
          type: keyword
        - name: sigcat
          overwrite: true
          type: keyword
        - name: type
          overwrite: true
          type: keyword
        - name: comments
          overwrite: true
          type: keyword
          description: Comment information provided in the log message
        - name: doc_number
          overwrite: true
          type: long
          description: This key captures File Identification number
        - name: expected_val
          overwrite: true
          type: keyword
          description: This key captures the Value expected (from the perspective of the device generating the log).
        - name: job_num
          overwrite: true
          type: keyword
          description: This key captures the Job Number
        - name: spi_dst
          overwrite: true
          type: keyword
          description: Destination SPI Index
        - name: spi_src
          overwrite: true
          type: keyword
          description: Source SPI Index
        - name: code
          overwrite: true
          type: keyword
        - name: agent_id
          overwrite: true
          type: keyword
          description: This key is used to capture agent id
        - name: message_body
          overwrite: true
          type: keyword
          description: This key captures the contents of the message body.
        - name: phone
          overwrite: true
          type: keyword
        - name: sig_id_str
          overwrite: true
          type: keyword
          description: This key captures a string object of the sigid variable.
        - name: cmd
          overwrite: true
          type: keyword
        - name: misc
          overwrite: true
          type: keyword
        - name: name
          overwrite: true
          type: keyword
        - name: cpu
          overwrite: true
          type: long
          description: This key is the CPU time used in the execution of the event being recorded.
        - name: event_desc
          overwrite: true
          type: keyword
          description: This key is used to capture a description of an event available directly or inferred
        - name: sig_id1
          overwrite: true
          type: long
          description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
        - name: im_buddyid
          overwrite: true
          type: keyword
        - name: im_client
          overwrite: true
          type: keyword
        - name: im_userid
          overwrite: true
          type: keyword
        - name: pid
          overwrite: true
          type: keyword
        - name: priority
          overwrite: true
          type: keyword
        - name: context_subject
          overwrite: true
          type: keyword
          description: This key is to be used in an audit context where the subject is the object being identified
        - name: context_target
          overwrite: true
          type: keyword
        - name: cve
          overwrite: true
          type: keyword
          description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
        - name: fcatnum
          overwrite: true
          type: keyword
          description: This key captures Filter Category Number. Legacy Usage
        - name: library
          overwrite: true
          type: keyword
          description: This key is used to capture library information in mainframe devices
        - name: parent_node
          overwrite: true
          type: keyword
          description: This key captures the Parent Node Name. Must be related to node variable.
        - name: risk_info
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: tcp_flags
          overwrite: true
          type: long
          description: This key captures the TCP flags set in any packet of the session
        - name: tos
          overwrite: true
          type: long
          description: This key describes the type of service
        - name: vm_target
          overwrite: true
          type: keyword
          description: VMWare Target **VMWARE** only variable.
        - name: workspace
          overwrite: true
          type: keyword
          description: This key captures Workspace Description
        - name: command
          overwrite: true
          type: keyword
        - name: event_category
          overwrite: true
          type: keyword
        - name: facilityname
          overwrite: true
          type: keyword
        - name: forensic_info
          overwrite: true
          type: keyword
        - name: jobname
          overwrite: true
          type: keyword
        - name: mode
          overwrite: true
          type: keyword
        - name: policy
          overwrite: true
          type: keyword
        - name: policy_waiver
          overwrite: true
          type: keyword
        - name: second
          overwrite: true
          type: keyword
        - name: space1
          overwrite: true
          type: keyword
        - name: subcategory
          overwrite: true
          type: keyword
        - name: tbdstr2
          overwrite: true
          type: keyword
        - name: alert_id
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: checksum_dst
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the target entity such as a process or file.
        - name: checksum_src
          overwrite: true
          type: keyword
          description: This key is used to capture the checksum or hash of the source entity such as a file or process.
        - name: fresult
          overwrite: true
          type: long
          description: This key captures the Filter Result
        - name: payload_dst
          overwrite: true
          type: keyword
          description: This key is used to capture destination payload
        - name: payload_src
          overwrite: true
          type: keyword
          description: This key is used to capture source payload
        - name: pool_id
          overwrite: true
          type: keyword
          description: This key captures the identifier (typically numeric field) of a resource pool
        - name: process_id_val
          overwrite: true
          type: keyword
          description: This key is a failure key for Process ID when it is not an integer value
        - name: risk_num_comm
          overwrite: true
          type: double
          description: This key captures Risk Number Community
        - name: risk_num_next
          overwrite: true
          type: double
          description: This key captures Risk Number NextGen
        - name: risk_num_sand
          overwrite: true
          type: double
          description: This key captures Risk Number SandBox
        - name: risk_num_static
          overwrite: true
          type: double
          description: This key captures Risk Number Static
        - name: risk_suspicious
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: risk_warning
          overwrite: true
          type: keyword
          description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
        - name: snmp_oid
          overwrite: true
          type: keyword
          description: SNMP Object Identifier
        - name: sql
          overwrite: true
          type: keyword
          description: This key captures the SQL query
        - name: vuln_ref
          overwrite: true
          type: keyword
          description: This key captures the Vulnerability Reference details
        - name: acl_id
          overwrite: true
          type: keyword
        - name: acl_op
          overwrite: true
          type: keyword
        - name: acl_pos
          overwrite: true
          type: keyword
        - name: acl_table
          overwrite: true
          type: keyword
        - name: admin
          overwrite: true
          type: keyword
        - name: alarm_id
          overwrite: true
          type: keyword
        - name: alarmname
          overwrite: true
          type: keyword
        - name: app_id
          overwrite: true
          type: keyword
        - name: audit
          overwrite: true
          type: keyword
        - name: audit_object
          overwrite: true
          type: keyword
        - name: auditdata
          overwrite: true
          type: keyword
        - name: benchmark
          overwrite: true
          type: keyword
        - name: bypass
          overwrite: true
          type: keyword
        - name: cache
          overwrite: true
          type: keyword
        - name: cache_hit
          overwrite: true
          type: keyword
        - name: cefversion
          overwrite: true
          type: keyword
        - name: cfg_attr
          overwrite: true
          type: keyword
        - name: cfg_obj
          overwrite: true
          type: keyword
        - name: cfg_path
          overwrite: true
          type: keyword
        - name: changes
          overwrite: true
          type: keyword
        - name: client_ip
          overwrite: true
          type: keyword
        - name: clustermembers
          overwrite: true
          type: keyword
        - name: cn_acttimeout
          overwrite: true
          type: keyword
        - name: cn_asn_src
          overwrite: true
          type: keyword
        - name: cn_bgpv4nxthop
          overwrite: true
          type: keyword
        - name: cn_ctr_dst_code
          overwrite: true
          type: keyword
        - name: cn_dst_tos
          overwrite: true
          type: keyword
        - name: cn_dst_vlan
          overwrite: true
          type: keyword
        - name: cn_engine_id
          overwrite: true
          type: keyword
        - name: cn_engine_type
          overwrite: true
          type: keyword
        - name: cn_f_switch
          overwrite: true
          type: keyword
        - name: cn_flowsampid
          overwrite: true
          type: keyword
        - name: cn_flowsampintv
          overwrite: true
          type: keyword
        - name: cn_flowsampmode
          overwrite: true
          type: keyword
        - name: cn_inacttimeout
          overwrite: true
          type: keyword
        - name: cn_inpermbyts
          overwrite: true
          type: keyword
        - name: cn_inpermpckts
          overwrite: true
          type: keyword
        - name: cn_invalid
          overwrite: true
          type: keyword
        - name: cn_ip_proto_ver
          overwrite: true
          type: keyword
        - name: cn_ipv4_ident
          overwrite: true
          type: keyword
        - name: cn_l_switch
          overwrite: true
          type: keyword
        - name: cn_log_did
          overwrite: true
          type: keyword
        - name: cn_log_rid
          overwrite: true
          type: keyword
        - name: cn_max_ttl
          overwrite: true
          type: keyword
        - name: cn_maxpcktlen
          overwrite: true
          type: keyword
        - name: cn_min_ttl
          overwrite: true
          type: keyword
        - name: cn_minpcktlen
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_1
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_10
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_2
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_3
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_4
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_5
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_6
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_7
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_8
          overwrite: true
          type: keyword
        - name: cn_mpls_lbl_9
          overwrite: true
          type: keyword
        - name: cn_mplstoplabel
          overwrite: true
          type: keyword
        - name: cn_mplstoplabip
          overwrite: true
          type: keyword
        - name: cn_mul_dst_byt
          overwrite: true
          type: keyword
        - name: cn_mul_dst_pks
          overwrite: true
          type: keyword
        - name: cn_muligmptype
          overwrite: true
          type: keyword
        - name: cn_sampalgo
          overwrite: true
          type: keyword
        - name: cn_sampint
          overwrite: true
          type: keyword
        - name: cn_seqctr
          overwrite: true
          type: keyword
        - name: cn_spackets
          overwrite: true
          type: keyword
        - name: cn_src_tos
          overwrite: true
          type: keyword
        - name: cn_src_vlan
          overwrite: true
          type: keyword
        - name: cn_sysuptime
          overwrite: true
          type: keyword
        - name: cn_template_id
          overwrite: true
          type: keyword
        - name: cn_totbytsexp
          overwrite: true
          type: keyword
        - name: cn_totflowexp
          overwrite: true
          type: keyword
        - name: cn_totpcktsexp
          overwrite: true
          type: keyword
        - name: cn_unixnanosecs
          overwrite: true
          type: keyword
        - name: cn_v6flowlabel
          overwrite: true
          type: keyword
        - name: cn_v6optheaders
          overwrite: true
          type: keyword
        - name: comp_class
          overwrite: true
          type: keyword
        - name: comp_name
          overwrite: true
          type: keyword
        - name: comp_rbytes
          overwrite: true
          type: keyword
        - name: comp_sbytes
          overwrite: true
          type: keyword
        - name: cpu_data
          overwrite: true
          type: keyword
        - name: criticality
          overwrite: true
          type: keyword
        - name: cs_agency_dst
          overwrite: true
          type: keyword
        - name: cs_analyzedby
          overwrite: true
          type: keyword
        - name: cs_av_other
          overwrite: true
          type: keyword
        - name: cs_av_primary
          overwrite: true
          type: keyword
        - name: cs_av_secondary
          overwrite: true
          type: keyword
        - name: cs_bgpv6nxthop
          overwrite: true
          type: keyword
        - name: cs_bit9status
          overwrite: true
          type: keyword
        - name: cs_context
          overwrite: true
          type: keyword
        - name: cs_control
          overwrite: true
          type: keyword
        - name: cs_data
          overwrite: true
          type: keyword
        - name: cs_datecret
          overwrite: true
          type: keyword
        - name: cs_dst_tld
          overwrite: true
          type: keyword
        - name: cs_eth_dst_ven
          overwrite: true
          type: keyword
        - name: cs_eth_src_ven
          overwrite: true
          type: keyword
        - name: cs_event_uuid
          overwrite: true
          type: keyword
        - name: cs_filetype
          overwrite: true
          type: keyword
        - name: cs_fld
          overwrite: true
          type: keyword
        - name: cs_if_desc
          overwrite: true
          type: keyword
        - name: cs_if_name
          overwrite: true
          type: keyword
        - name: cs_ip_next_hop
          overwrite: true
          type: keyword
        - name: cs_ipv4dstpre
          overwrite: true
          type: keyword
        - name: cs_ipv4srcpre
          overwrite: true
          type: keyword
        - name: cs_lifetime
          overwrite: true
          type: keyword
        - name: cs_log_medium
          overwrite: true
          type: keyword
        - name: cs_loginname
          overwrite: true
          type: keyword
        - name: cs_modulescore
          overwrite: true
          type: keyword
        - name: cs_modulesign
          overwrite: true
          type: keyword
        - name: cs_opswatresult
          overwrite: true
          type: keyword
        - name: cs_payload
          overwrite: true
          type: keyword
        - name: cs_registrant
          overwrite: true
          type: keyword
        - name: cs_registrar
          overwrite: true
          type: keyword
        - name: cs_represult
          overwrite: true
          type: keyword
        - name: cs_rpayload
          overwrite: true
          type: keyword
        - name: cs_sampler_name
          overwrite: true
          type: keyword
        - name: cs_sourcemodule
          overwrite: true
          type: keyword
        - name: cs_streams
          overwrite: true
          type: keyword
        - name: cs_targetmodule
          overwrite: true
          type: keyword
        - name: cs_v6nxthop
          overwrite: true
          type: keyword
        - name: cs_whois_server
          overwrite: true
          type: keyword
        - name: cs_yararesult
          overwrite: true
          type: keyword
        - name: description
          overwrite: true
          type: keyword
        - name: devvendor
          overwrite: true
          type: keyword
        - name: distance
          overwrite: true
          type: keyword
        - name: dstburb
          overwrite: true
          type: keyword
        - name: edomain
          overwrite: true
          type: keyword
        - name: edomaub
          overwrite: true
          type: keyword
        - name: euid
          overwrite: true
          type: keyword
        - name: facility
          overwrite: true
          type: keyword
        - name: finterface
          overwrite: true
          type: keyword
        - name: flags
          overwrite: true
          type: keyword
        - name: gaddr
          overwrite: true
          type: keyword
        - name: id3
          overwrite: true
          type: keyword
        - name: im_buddyname
          overwrite: true
          type: keyword
        - name: im_croomid
          overwrite: true
          type: keyword
        - name: im_croomtype
          overwrite: true
          type: keyword
        - name: im_members
          overwrite: true
          type: keyword
        - name: im_username
          overwrite: true
          type: keyword
        - name: ipkt
          overwrite: true
          type: keyword
        - name: ipscat
          overwrite: true
          type: keyword
        - name: ipspri
          overwrite: true
          type: keyword
        - name: latitude
          overwrite: true
          type: keyword
        - name: linenum
          overwrite: true
          type: keyword
        - name: list_name
          overwrite: true
          type: keyword
        - name: load_data
          overwrite: true
          type: keyword
        - name: location_floor
          overwrite: true
          type: keyword
        - name: location_mark
          overwrite: true
          type: keyword
        - name: log_id
          overwrite: true
          type: keyword
        - name: log_type
          overwrite: true
          type: keyword
        - name: logid
          overwrite: true
          type: keyword
        - name: logip
          overwrite: true
          type: keyword
        - name: logname
          overwrite: true
          type: keyword
        - name: longitude
          overwrite: true
          type: keyword
        - name: lport
          overwrite: true
          type: keyword
        - name: mbug_data
          overwrite: true
          type: keyword
        - name: misc_name
          overwrite: true
          type: keyword
        - name: msg_type
          overwrite: true
          type: keyword
        - name: msgid
          overwrite: true
          type: keyword
        - name: netsessid
          overwrite: true
          type: keyword
        - name: num
          overwrite: true
          type: keyword
        - name: number1
          overwrite: true
          type: keyword
        - name: number2
          overwrite: true
          type: keyword
        - name: nwwn
          overwrite: true
          type: keyword
        - name: object
          overwrite: true
          type: keyword
        - name: operation
          overwrite: true
          type: keyword
        - name: opkt
          overwrite: true
          type: keyword
        - name: orig_from
          overwrite: true
          type: keyword
        - name: owner_id
          overwrite: true
          type: keyword
        - name: p_action
          overwrite: true
          type: keyword
        - name: p_filter
          overwrite: true
          type: keyword
        - name: p_group_object
          overwrite: true
          type: keyword
        - name: p_id
          overwrite: true
          type: keyword
        - name: p_msgid1
          overwrite: true
          type: keyword
        - name: p_msgid2
          overwrite: true
          type: keyword
        - name: p_result1
          overwrite: true
          type: keyword
        - name: password_chg
          overwrite: true
          type: keyword
        - name: password_expire
          overwrite: true
          type: keyword
        - name: permgranted
          overwrite: true
          type: keyword
        - name: permwanted
          overwrite: true
          type: keyword
        - name: pgid
          overwrite: true
          type: keyword
        - name: policyUUID
          overwrite: true
          type: keyword
        - name: prog_asp_num
          overwrite: true
          type: keyword
        - name: program
          overwrite: true
          type: keyword
        - name: real_data
          overwrite: true
          type: keyword
        - name: rec_asp_device
          overwrite: true
          type: keyword
        - name: rec_asp_num
          overwrite: true
          type: keyword
        - name: rec_library
          overwrite: true
          type: keyword
        - name: recordnum
          overwrite: true
          type: keyword
        - name: ruid
          overwrite: true
          type: keyword
        - name: sburb
          overwrite: true
          type: keyword
        - name: sdomain_fld
          overwrite: true
          type: keyword
        - name: sec
          overwrite: true
          type: keyword
        - name: sensorname
          overwrite: true
          type: keyword
        - name: seqnum
          overwrite: true
          type: keyword
        - name: session
          overwrite: true
          type: keyword
        - name: sessiontype
          overwrite: true
          type: keyword
        - name: sigUUID
          overwrite: true
          type: keyword
        - name: spi
          overwrite: true
          type: keyword
        - name: srcburb
          overwrite: true
          type: keyword
        - name: srcdom
          overwrite: true
          type: keyword
        - name: srcservice
          overwrite: true
          type: keyword
        - name: state
          overwrite: true
          type: keyword
        - name: status1
          overwrite: true
          type: keyword
        - name: svcno
          overwrite: true
          type: keyword
        - name: system
          overwrite: true
          type: keyword
        - name: tbdstr1
          overwrite: true
          type: keyword
        - name: tgtdom
          overwrite: true
          type: keyword
        - name: tgtdomain
          overwrite: true
          type: keyword
        - name: threshold
          overwrite: true
          type: keyword
        - name: type1
          overwrite: true
          type: keyword
        - name: udb_class
          overwrite: true
          type: keyword
        - name: url_fld
          overwrite: true
          type: keyword
        - name: user_div
          overwrite: true
          type: keyword
        - name: userid
          overwrite: true
          type: keyword
        - name: username_fld
          overwrite: true
          type: keyword
        - name: utcstamp
          overwrite: true
          type: keyword
        - name: v_instafname
          overwrite: true
          type: keyword
        - name: virt_data
          overwrite: true
          type: keyword
        - name: vpnid
          overwrite: true
          type: keyword
        - name: autorun_type
          overwrite: true
          type: keyword
          description: This is used to capture Auto Run type
        - name: cc_number
          overwrite: true
          type: long
          description: Valid Credit Card Numbers only
        - name: content
          overwrite: true
          type: keyword
          description: This key captures the content type from protocol headers
        - name: ein_number
          overwrite: true
          type: long
          description: Employee Identification Numbers only
        - name: found
          overwrite: true
          type: keyword
          description: This is used to capture the results of regex match
        - name: language
          overwrite: true
          type: keyword
          description: This is used to capture list of languages the client support and what it prefers
        - name: lifetime
          overwrite: true
          type: long
          description: This key is used to capture the session lifetime in seconds.
        - name: link
          overwrite: true
          type: keyword
          description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
        - name: match
          overwrite: true
          type: keyword
          description: This key is for regex match name from search.ini
        - name: param_dst
          overwrite: true
          type: keyword
          description: This key captures the command line/launch argument of the target process or file
        - name: param_src
          overwrite: true
          type: keyword
          description: This key captures source parameter
        - name: search_text
          overwrite: true
          type: keyword
          description: This key captures the Search Text used
        - name: sig_name
          overwrite: true
          type: keyword
          description: This key is used to capture the Signature Name only.
        - name: snmp_value
          overwrite: true
          type: keyword
          description: SNMP set request value
        - name: streams
          overwrite: true
          type: long
          description: This key captures number of streams in session
    - name: db
      overwrite: true
      type: group
      fields:
        - name: index
          overwrite: true
          type: keyword
          description: This key captures IndexID of the index.
        - name: instance
          overwrite: true
          type: keyword
          description: This key is used to capture the database server instance name
        - name: database
          overwrite: true
          type: keyword
          description: This key is used to capture the name of a database or an instance as seen in a session
        - name: transact_id
          overwrite: true
          type: keyword
          description: This key captures the SQL transaction ID of the current session
        - name: permissions
          overwrite: true
          type: keyword
          description: This key captures permission or privilege level assigned to a resource.
        - name: table_name
          overwrite: true
          type: keyword
          description: This key is used to capture the table name
        - name: db_id
          overwrite: true
          type: keyword
          description: This key is used to capture the unique identifier for a database
        - name: db_pid
          overwrite: true
          type: long
          description: This key captures the process id of a connection with database server
        - name: lread
          overwrite: true
          type: long
          description: This key is used for the number of logical reads
        - name: lwrite
          overwrite: true
          type: long
          description: This key is used for the number of logical writes
        - name: pread
          overwrite: true
          type: long
          description: This key is used for the number of physical writes
    - name: network
      overwrite: true
      type: group
      fields:
        - name: alias_host
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of a hostname is not clear. Also it captures the Device Hostname. Any Hostname that isn't ad.computer.
        - name: domain
          overwrite: true
          type: keyword
        - name: host_dst
          overwrite: true
          type: keyword
          description: "This key should only be used when it\u2019s a Destination Hostname"
        - name: network_service
          overwrite: true
          type: keyword
          description: This is used to capture layer 7 protocols/service names
        - name: interface
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of an interface is not clear
        - name: network_port
          overwrite: true
          type: long
          description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
        - name: eth_host
          overwrite: true
          type: keyword
          description: Deprecated, use alias.mac
        - name: sinterface
          overwrite: true
          type: keyword
          description: "This key should only be used when it\u2019s a Source Interface"
        - name: dinterface
          overwrite: true
          type: keyword
          description: "This key should only be used when it\u2019s a Destination Interface"
        - name: vlan
          overwrite: true
          type: long
          description: This key should only be used to capture the ID of the Virtual LAN
        - name: zone_src
          overwrite: true
          type: keyword
          description: "This key should only be used when it\u2019s a Source Zone."
        - name: zone
          overwrite: true
          type: keyword
          description: This key should be used when the source or destination context of a Zone is not clear
        - name: zone_dst
          overwrite: true
          type: keyword
          description: "This key should only be used when it\u2019s a Destination Zone."
        - name: gateway
          overwrite: true
          type: keyword
          description: This key is used to capture the IP Address of the gateway
        - name: icmp_type
          overwrite: true
          type: long
          description: This key is used to capture the ICMP type only
        - name: mask
          overwrite: true
          type: keyword
          description: This key is used to capture the device network IPmask.
        - name: icmp_code
          overwrite: true
          type: long
          description: This key is used to capture the ICMP code only
        - name: protocol_detail
          overwrite: true
          type: keyword
          description: This key should be used to capture additional protocol information
        - name: dmask
          overwrite: true
          type: keyword
          description: This key is used for Destination Device network mask
        - name: port
          overwrite: true
          type: long
          description: This key should only be used to capture a Network Port when the directionality is not clear
        - name: smask
          overwrite: true
          type: keyword
          description: This key is used for capturing source Network Mask
        - name: netname
          overwrite: true
          type: keyword
          description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
        - name: paddr
          overwrite: true
          type: ip
          description: Deprecated
        - name: faddr
          overwrite: true
          type: keyword
        - name: lhost
          overwrite: true
          type: keyword
        - name: origin
          overwrite: true
          type: keyword
        - name: remote_domain_id
          overwrite: true
          type: keyword
        - name: addr
          overwrite: true
          type: keyword
        - name: dns_a_record
          overwrite: true
          type: keyword
        - name: dns_ptr_record
          overwrite: true
          type: keyword
        - name: fhost
          overwrite: true
          type: keyword
        - name: fport
          overwrite: true
          type: keyword
        - name: laddr
          overwrite: true
          type: keyword
        - name: linterface
          overwrite: true
          type: keyword
        - name: phost
          overwrite: true
          type: keyword
        - name: ad_computer_dst
          overwrite: true
          type: keyword
          description: Deprecated, use host.dst
        - name: eth_type
          overwrite: true
          type: long
          description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
        - name: ip_proto
          overwrite: true
          type: long
          description: This key should be used to capture the Protocol number, all the protocol numbers are converted into string in UI
        - name: dns_cname_record
          overwrite: true
          type: keyword
        - name: dns_id
          overwrite: true
          type: keyword
        - name: dns_opcode
          overwrite: true
          type: keyword
        - name: dns_resp
          overwrite: true
          type: keyword
        - name: dns_type
          overwrite: true
          type: keyword
        - name: domain1
          overwrite: true
          type: keyword
        - name: host_type
          overwrite: true
          type: keyword
        - name: packet_length
          overwrite: true
          type: keyword
        - name: host_orig
          overwrite: true
          type: keyword
          description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
        - name: rpayload
          overwrite: true
          type: keyword
          description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
        - name: vlan_name
          overwrite: true
          type: keyword
          description: This key should only be used to capture the name of the Virtual LAN
    - name: investigations
      overwrite: true
      type: group
      fields:
        - name: ec_activity
          overwrite: true
          type: keyword
          description: This key captures the particular event activity(Ex:Logoff)
        - name: ec_theme
          overwrite: true
          type: keyword
          description: This key captures the Theme of a particular Event(Ex:Authentication)
        - name: ec_subject
          overwrite: true
          type: keyword
          description: This key captures the Subject of a particular Event(Ex:User)
        - name: ec_outcome
          overwrite: true
          type: keyword
          description: This key captures the outcome of a particular Event(Ex:Success)
        - name: event_cat
          overwrite: true
          type: long
          description: This key captures the Event category number
        - name: event_cat_name
          overwrite: true
          type: keyword
          description: This key captures the event category name corresponding to the event cat code
        - name: event_vcat
          overwrite: true
          type: keyword
          description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
        - name: analysis_file
          overwrite: true
          type: keyword
          description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
        - name: analysis_service
          overwrite: true
          type: keyword
          description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
        - name: analysis_session
          overwrite: true
          type: keyword
          description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
        - name: boc
          overwrite: true
          type: keyword
          description: This is used to capture behaviour of compromise
        - name: eoc
          overwrite: true
          type: keyword
          description: This is used to capture Enablers of Compromise
        - name: inv_category
          overwrite: true
          type: keyword
          description: This is used to capture investigation category
        - name: inv_context
          overwrite: true
          type: keyword
          description: This is used to capture investigation context
        - name: ioc
          overwrite: true
          type: keyword
          description: This key is used to capture indicators of compromise
    - name: counters
      overwrite: true
      type: group
      fields:
        - name: dclass_c1
          overwrite: true
          type: long
          description: This is a generic counter key that should be used with the label dclass.c1.str only
        - name: dclass_c2
          overwrite: true
          type: long
          description: This is a generic counter key that should be used with the label dclass.c2.str only
        - name: event_counter
          overwrite: true
          type: long
          description: This is used to capture the number of times an event repeated
        - name: dclass_r1
          overwrite: true
          type: keyword
          description: This is a generic ratio key that should be used with the label dclass.r1.str only
        - name: dclass_c3
          overwrite: true
          type: long
          description: This is a generic counter key that should be used with the label dclass.c3.str only
        - name: dclass_c1_str
          overwrite: true
          type: keyword
          description: This is a generic counter string key that should be used with the label dclass.c1 only
        - name: dclass_c2_str
          overwrite: true
          type: keyword
          description: This is a generic counter string key that should be used with the label dclass.c2 only
        - name: dclass_r1_str
          overwrite: true
          type: keyword
          description: This is a generic ratio string key that should be used with the label dclass.r1 only
        - name: dclass_r2
          overwrite: true
          type: keyword
          description: This is a generic ratio key that should be used with the label dclass.r2.str only
        - name: dclass_c3_str
          overwrite: true
          type: keyword
          description: This is a generic counter string key that should be used with the label dclass.c3 only
        - name: dclass_r3
          overwrite: true
          type: keyword
          description: This is a generic ratio key that should be used with the label dclass.r3.str only
        - name: dclass_r2_str
          overwrite: true
          type: keyword
          description: This is a generic ratio string key that should be used with the label dclass.r2 only
        - name: dclass_r3_str
          overwrite: true
          type: keyword
          description: This is a generic ratio string key that should be used with the label dclass.r3 only
    - name: identity
      overwrite: true
      type: group
      fields:
        - name: auth_method
          overwrite: true
          type: keyword
          description: This key is used to capture authentication methods used only
        - name: user_role
          overwrite: true
          type: keyword
          description: This key is used to capture the Role of a user only
        - name: dn
          overwrite: true
          type: keyword
          description: X.500 (LDAP) Distinguished Name
        - name: logon_type
          overwrite: true
          type: keyword
          description: This key is used to capture the type of logon method used.
        - name: profile
          overwrite: true
          type: keyword
          description: This key is used to capture the user profile
        - name: accesses
          overwrite: true
          type: keyword
          description: This key is used to capture actual privileges used in accessing an object
        - name: realm
          overwrite: true
          type: keyword
          description: Radius realm or similar grouping of accounts
        - name: user_sid_dst
          overwrite: true
          type: keyword
          description: This key captures Destination User Session ID
        - name: dn_src
          overwrite: true
          type: keyword
          description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
        - name: org
          overwrite: true
          type: keyword
          description: This key captures the User organization
        - name: dn_dst
          overwrite: true
          type: keyword
          description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
        - name: firstname
          overwrite: true
          type: keyword
          description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
        - name: lastname
          overwrite: true
          type: keyword
          description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
        - name: user_dept
          overwrite: true
          type: keyword
          description: User's Department Names only
        - name: user_sid_src
          overwrite: true
          type: keyword
          description: This key captures Source User Session ID
        - name: federated_sp
          overwrite: true
          type: keyword
          description: This key is the Federated Service Provider. This is the application requesting authentication.
        - name: federated_idp
          overwrite: true
          type: keyword
          description: This key is the federated Identity Provider. This is the server providing the authentication.
        - name: logon_type_desc
          overwrite: true
          type: keyword
          description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- name: middlename overwrite: true type: keyword description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information - name: password overwrite: true type: keyword description: This key is for Passwords seen in any session, plain text or encrypted. Any index holding this key contains credential material and must be access-restricted accordingly. - name: host_role overwrite: true type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap overwrite: true type: keyword description: "This key is for uninterpreted LDAP values, i.e. LDAP values that don\u2019t have a clear query or response context" - name: ldap_query overwrite: true type: keyword description: This key is the search criteria from an LDAP search - name: ldap_response overwrite: true type: keyword description: This key is used to capture the results from an LDAP search - name: owner overwrite: true type: keyword description: This is used to capture the username the process or service is running as (the author of the task) - name: service_account overwrite: true type: keyword description: This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy usage. - name: email overwrite: true type: group fields: - name: email_dst overwrite: true type: keyword description: This key is used to capture the Destination email address only; when the destination context is not clear use email - name: email_src overwrite: true type: keyword description: This key is used to capture the source email address only; when the source context is not clear use email - name: subject overwrite: true type: keyword description: This key is used to capture the subject string from an Email only. - name: email overwrite: true type: keyword description: This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from overwrite: true type: keyword description: Deprecated key defined only in table map.
- name: trans_to overwrite: true type: keyword description: Deprecated key defined only in table map. - name: file overwrite: true type: group fields: - name: privilege overwrite: true type: keyword description: Deprecated, use permissions - name: attachment overwrite: true type: keyword description: This key captures the attachment file name - name: filesystem overwrite: true type: keyword - name: binary overwrite: true type: keyword description: Deprecated key defined only in table map. - name: filename_dst overwrite: true type: keyword description: This is used to capture the name of the file targeted by the action - name: filename_src overwrite: true type: keyword description: This is used to capture the name of the parent file, the file which performed the action - name: filename_tmp overwrite: true type: keyword - name: directory_dst overwrite: true type: keyword description: This key is used to capture the directory of the target process or file - name: directory_src overwrite: true type: keyword description: This key is used to capture the directory of the source process or file - name: file_entropy overwrite: true type: double description: This is used to capture the entropy value of a file - name: file_vendor overwrite: true type: keyword description: This is used to capture the company name of a file, as recorded in its version_info - name: task_name overwrite: true type: keyword description: This is used to capture the name of the task - name: web overwrite: true type: group fields: - name: fqdn overwrite: true type: keyword description: Fully Qualified Domain Names - name: web_cookie overwrite: true type: keyword description: This key is used to capture the Web cookies specifically. - name: alias_host overwrite: true type: keyword - name: reputation_num overwrite: true type: double description: Reputation Number of an entity.
Typically used for Web Domains - name: web_ref_domain overwrite: true type: keyword description: Web referer's domain - name: web_ref_query overwrite: true type: keyword description: This key captures Web referer's query portion of the URL - name: remote_domain overwrite: true type: keyword - name: web_ref_page overwrite: true type: keyword description: This key captures Web referer's page information - name: web_ref_root overwrite: true type: keyword description: Web referer's root URL path - name: cn_asn_dst overwrite: true type: keyword - name: cn_rpackets overwrite: true type: keyword - name: urlpage overwrite: true type: keyword - name: urlroot overwrite: true type: keyword - name: p_url overwrite: true type: keyword - name: p_user_agent overwrite: true type: keyword - name: p_web_cookie overwrite: true type: keyword - name: p_web_method overwrite: true type: keyword - name: p_web_referer overwrite: true type: keyword - name: web_extension_tmp overwrite: true type: keyword - name: web_page overwrite: true type: keyword - name: threat overwrite: true type: group fields: - name: threat_category overwrite: true type: keyword description: This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc overwrite: true type: keyword description: This key is used to capture the threat description from the session directly or inferred - name: alert overwrite: true type: keyword description: This key is used to capture name of the alert - name: threat_source overwrite: true type: keyword description: This key is used to capture source of the threat - name: crypto overwrite: true type: group fields: - name: crypto overwrite: true type: keyword description: This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src overwrite: true type: keyword description: This key is for Source (Client) Cipher - name: cert_subject overwrite: true type: keyword description: This key is used to capture the Certificate organization 
only - name: peer overwrite: true type: keyword description: This key is for Encryption peer's IP Address - name: cipher_size_src overwrite: true type: long description: This key captures Source (Client) Cipher Size - name: ike overwrite: true type: keyword description: IKE negotiation phase. - name: scheme overwrite: true type: keyword description: This key captures the Encryption scheme used - name: peer_id overwrite: true type: keyword description: "This key is for Encryption peer\u2019s identity" - name: sig_type overwrite: true type: keyword description: This key captures the Signature Type - name: cert_issuer overwrite: true type: keyword - name: cert_host_name overwrite: true type: keyword description: Deprecated key defined only in table map. - name: cert_error overwrite: true type: keyword description: This key captures the Certificate Error String - name: cipher_dst overwrite: true type: keyword description: This key is for Destination (Server) Cipher - name: cipher_size_dst overwrite: true type: long description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src overwrite: true type: keyword description: Deprecated, use version - name: d_certauth overwrite: true type: keyword - name: s_certauth overwrite: true type: keyword - name: ike_cookie1 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - name: ike_cookie2 overwrite: true type: keyword description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - name: cert_checksum overwrite: true type: keyword - name: cert_host_cat overwrite: true type: keyword description: This key is used for the hostname category value of a certificate - name: cert_serial overwrite: true type: keyword description: This key is used to capture the Certificate serial number only - name: cert_status overwrite: true type: keyword description: This key captures Certificate validation status - name: ssl_ver_dst overwrite: true type: keyword description: 
Deprecated, use version - name: cert_keysize overwrite: true type: keyword - name: cert_username overwrite: true type: keyword - name: https_insact overwrite: true type: keyword - name: https_valid overwrite: true type: keyword - name: cert_ca overwrite: true type: keyword description: This key is used to capture the Certificate signing authority only - name: cert_common overwrite: true type: keyword description: This key is used to capture the Certificate common name only - name: wireless overwrite: true type: group fields: - name: wlan_ssid overwrite: true type: keyword description: This key is used to capture the SSID of a Wireless Session - name: access_point overwrite: true type: keyword description: This key is used to capture the access point name. - name: wlan_channel overwrite: true type: long description: This is used to capture the WLAN channel number - name: wlan_name overwrite: true type: keyword description: This key captures the WLAN number or name - name: storage overwrite: true type: group fields: - name: disk_volume overwrite: true type: keyword description: A unique name assigned to logical units (volumes) within a physical disk - name: lun overwrite: true type: keyword description: Logical Unit Number, the address of a logical unit within a storage target. - name: pwwn overwrite: true type: keyword description: Port World Wide Name. This uniquely identifies a port on an HBA. - name: physical overwrite: true type: group fields: - name: org_dst overwrite: true type: keyword description: This is used to capture the destination organization based on the MaxMind GeoIP database. - name: org_src overwrite: true type: keyword description: This is used to capture the source organization based on the MaxMind GeoIP database.
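The `file_entropy` key in the file group above is a `double` that a pipeline has to compute before indexing. The following is an added example of that computation (Shannon entropy in bits per byte) with a coarse triage bucket attached as a label; it is not code from the generated fields.yml or from the project that emits it. The bucket thresholds and the sample inputs are constructed for the example.

```python
"""Shannon entropy of a file's bytes: the value a pipeline writes into the
`file_entropy` key (type: double) of the file group above.

Added example, not part of the generated fields.yml or of the project that
emits it. Sample inputs are constructed inline so the script runs offline.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (one repeated byte value) up to
    8.0 (all 256 values equally likely, which compressed or encrypted
    payloads approach)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_bucket(entropy: float) -> str:
    """Coarse triage label. The thresholds are a constructed heuristic,
    not something the schema defines; tune them against your own corpus."""
    if entropy >= 7.5:
        return "likely-packed-or-encrypted"
    if entropy >= 6.0:
        return "mixed"
    return "plain"


def file_entropy_event(filename: str, data: bytes) -> dict:
    """The subset of an event a pipeline would emit for this file."""
    entropy = shannon_entropy(data)
    return {
        "file.name": filename,
        "file_entropy": round(entropy, 4),
        "labels": {"entropy_bucket": entropy_bucket(entropy)},
    }


# Constructed samples: a zero-filled block, repeated ASCII text, and a block
# in which every byte value occurs equally often.
SAMPLES = {
    "zeros.bin": bytes(4096),
    "readme.txt": b"The quick brown fox jumps over the lazy dog. " * 50,
    "blob.enc": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(file_entropy_event(name, blob))
```

Entropy on its own is a weak signal: compressed archives, images and legitimately encrypted files all score near 8.0, so the bucket is a pivot for a query on `file_entropy`, not a verdict.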
- name: healthcare overwrite: true type: group fields: - name: patient_fname overwrite: true type: keyword description: This key is for First Names only; it is used predominantly in Healthcare to capture patient information - name: patient_id overwrite: true type: keyword description: This key captures the unique ID for a patient - name: patient_lname overwrite: true type: keyword description: This key is for Last Names only; it is used predominantly in Healthcare to capture patient information - name: patient_mname overwrite: true type: keyword description: This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information - name: endpoint overwrite: true type: group fields: - name: host_state overwrite: true type: keyword description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key overwrite: true type: keyword description: This key captures the path to the registry key - name: registry_value overwrite: true type: keyword description: This key captures values or decorators used within a registry entry - key: aws-cloudwatch title: "aws-cloudwatch" description: > Fields from AWS CloudWatch logs. fields: - name: aws-cloudwatch type: group default_field: false description: > Fields from AWS CloudWatch logs. fields: - name: log_group type: keyword description: The name of the log group to which this event belongs. - name: log_stream type: keyword description: The name of the log stream to which this event belongs. - name: ingestion_time type: keyword description: The time the event was ingested in AWS CloudWatch. - key: s3 title: "s3" description: > S3 fields from s3 input. release: ga fields: - name: bucket.name type: keyword description: > Name of the S3 bucket that this log was retrieved from. - name: bucket.arn type: keyword description: > ARN of the S3 bucket that this log was retrieved from.
- name: object.key type: keyword description: > Name of the S3 object that this log was retrieved from. - name: metadata type: flattened description: AWS S3 object metadata values. - key: netflow title: "NetFlow" description: > Fields from NetFlow and IPFIX flows. fields: - name: netflow type: group description: > Fields from NetFlow and IPFIX. fields: - name: type type: keyword description: > The type of NetFlow record described by this event. - name: exporter type: group description: > Metadata related to the exporter device that generated this record. fields: - name: address type: keyword description: > Exporter's network address in IP:port format. - name: source_id type: long description: > Observation domain ID to which this record belongs. - name: timestamp type: date description: > Time and date of export. - name: uptime_millis type: long description: > How long the exporter process has been running, in milliseconds. - name: version type: integer description: > NetFlow version used. - name: octet_delta_count type: long - name: packet_delta_count type: long - name: delta_flow_count type: long - name: protocol_identifier type: short - name: ip_class_of_service type: short - name: tcp_control_bits type: integer - name: source_transport_port type: integer - name: source_ipv4_address type: ip - name: source_ipv4_prefix_length type: short - name: ingress_interface type: long - name: destination_transport_port type: integer - name: destination_ipv4_address type: ip - name: destination_ipv4_prefix_length type: short - name: egress_interface type: long - name: ip_next_hop_ipv4_address type: ip - name: bgp_source_as_number type: long - name: bgp_destination_as_number type: long - name: bgp_next_hop_ipv4_address type: ip - name: post_mcast_packet_delta_count type: long - name: post_mcast_octet_delta_count type: long - name: flow_end_sys_up_time type: long - name: flow_start_sys_up_time type: long - name: post_octet_delta_count type: long - name: post_packet_delta_count
type: long - name: minimum_ip_total_length type: long - name: maximum_ip_total_length type: long - name: source_ipv6_address type: ip - name: destination_ipv6_address type: ip - name: source_ipv6_prefix_length type: short - name: destination_ipv6_prefix_length type: short - name: flow_label_ipv6 type: long - name: icmp_type_code_ipv4 type: integer - name: igmp_type type: short - name: sampling_interval type: long - name: sampling_algorithm type: short - name: flow_active_timeout type: integer - name: flow_idle_timeout type: integer - name: engine_type type: short - name: engine_id type: short - name: exported_octet_total_count type: long - name: exported_message_total_count type: long - name: exported_flow_record_total_count type: long - name: ipv4_router_sc type: ip - name: source_ipv4_prefix type: ip - name: destination_ipv4_prefix type: ip - name: mpls_top_label_type type: short - name: mpls_top_label_ipv4_address type: ip - name: sampler_id type: short - name: sampler_mode type: short - name: sampler_random_interval type: long - name: class_id type: long - name: minimum_ttl type: short - name: maximum_ttl type: short - name: fragment_identification type: long - name: post_ip_class_of_service type: short - name: source_mac_address type: keyword - name: post_destination_mac_address type: keyword - name: vlan_id type: integer - name: post_vlan_id type: integer - name: ip_version type: short - name: flow_direction type: short - name: ip_next_hop_ipv6_address type: ip - name: bgp_next_hop_ipv6_address type: ip - name: ipv6_extension_headers type: long - name: mpls_top_label_stack_section type: short - name: mpls_label_stack_section2 type: short - name: mpls_label_stack_section3 type: short - name: mpls_label_stack_section4 type: short - name: mpls_label_stack_section5 type: short - name: mpls_label_stack_section6 type: short - name: mpls_label_stack_section7 type: short - name: mpls_label_stack_section8 type: short - name: mpls_label_stack_section9 type: short - 
name: mpls_label_stack_section10 type: short - name: destination_mac_address type: keyword - name: post_source_mac_address type: keyword - name: interface_name type: keyword - name: interface_description type: keyword - name: sampler_name type: keyword - name: octet_total_count type: long - name: packet_total_count type: long - name: flags_and_sampler_id type: long - name: fragment_offset type: integer - name: forwarding_status type: short - name: mpls_vpn_route_distinguisher type: short - name: mpls_top_label_prefix_length type: short - name: src_traffic_index type: long - name: dst_traffic_index type: long - name: application_description type: keyword - name: application_id type: short - name: application_name type: keyword - name: post_ip_diff_serv_code_point type: short - name: multicast_replication_factor type: long - name: class_name type: keyword - name: classification_engine_id type: short - name: layer2packet_section_offset type: integer - name: layer2packet_section_size type: integer - name: layer2packet_section_data type: short - name: bgp_next_adjacent_as_number type: long - name: bgp_prev_adjacent_as_number type: long - name: exporter_ipv4_address type: ip - name: exporter_ipv6_address type: ip - name: dropped_octet_delta_count type: long - name: dropped_packet_delta_count type: long - name: dropped_octet_total_count type: long - name: dropped_packet_total_count type: long - name: flow_end_reason type: short - name: common_properties_id type: long - name: observation_point_id type: long - name: icmp_type_code_ipv6 type: integer - name: mpls_top_label_ipv6_address type: ip - name: line_card_id type: long - name: port_id type: long - name: metering_process_id type: long - name: exporting_process_id type: long - name: template_id type: integer - name: wlan_channel_id type: short - name: wlan_ssid type: keyword - name: flow_id type: long - name: observation_domain_id type: long - name: flow_start_seconds type: date - name: flow_end_seconds type: date - 
name: flow_start_milliseconds type: date - name: flow_end_milliseconds type: date - name: flow_start_microseconds type: date - name: flow_end_microseconds type: date - name: flow_start_nanoseconds type: date - name: flow_end_nanoseconds type: date - name: flow_start_delta_microseconds type: long - name: flow_end_delta_microseconds type: long - name: system_init_time_milliseconds type: date - name: flow_duration_milliseconds type: long - name: flow_duration_microseconds type: long - name: observed_flow_total_count type: long - name: ignored_packet_total_count type: long - name: ignored_octet_total_count type: long - name: not_sent_flow_total_count type: long - name: not_sent_packet_total_count type: long - name: not_sent_octet_total_count type: long - name: destination_ipv6_prefix type: ip - name: source_ipv6_prefix type: ip - name: post_octet_total_count type: long - name: post_packet_total_count type: long - name: flow_key_indicator type: long - name: post_mcast_packet_total_count type: long - name: post_mcast_octet_total_count type: long - name: icmp_type_ipv4 type: short - name: icmp_code_ipv4 type: short - name: icmp_type_ipv6 type: short - name: icmp_code_ipv6 type: short - name: udp_source_port type: integer - name: udp_destination_port type: integer - name: tcp_source_port type: integer - name: tcp_destination_port type: integer - name: tcp_sequence_number type: long - name: tcp_acknowledgement_number type: long - name: tcp_window_size type: integer - name: tcp_urgent_pointer type: integer - name: tcp_header_length type: short - name: ip_header_length type: short - name: total_length_ipv4 type: integer - name: payload_length_ipv6 type: integer - name: ip_ttl type: short - name: next_header_ipv6 type: short - name: mpls_payload_length type: long - name: ip_diff_serv_code_point type: short - name: ip_precedence type: short - name: fragment_flags type: short - name: octet_delta_sum_of_squares type: long - name: octet_total_sum_of_squares type: long - name: 
mpls_top_label_ttl type: short - name: mpls_label_stack_length type: long - name: mpls_label_stack_depth type: long - name: mpls_top_label_exp type: short - name: ip_payload_length type: long - name: udp_message_length type: integer - name: is_multicast type: short - name: ipv4_ihl type: short - name: ipv4_options type: long - name: tcp_options type: long - name: padding_octets type: short - name: collector_ipv4_address type: ip - name: collector_ipv6_address type: ip - name: export_interface type: long - name: export_protocol_version type: short - name: export_transport_protocol type: short - name: collector_transport_port type: integer - name: exporter_transport_port type: integer - name: tcp_syn_total_count type: long - name: tcp_fin_total_count type: long - name: tcp_rst_total_count type: long - name: tcp_psh_total_count type: long - name: tcp_ack_total_count type: long - name: tcp_urg_total_count type: long - name: ip_total_length type: long - name: post_nat_source_ipv4_address type: ip - name: post_nat_destination_ipv4_address type: ip - name: post_napt_source_transport_port type: integer - name: post_napt_destination_transport_port type: integer - name: nat_originating_address_realm type: short - name: nat_event type: short - name: initiator_octets type: long - name: responder_octets type: long - name: firewall_event type: short - name: ingress_vrfid type: long - name: egress_vrfid type: long - name: vr_fname type: keyword - name: post_mpls_top_label_exp type: short - name: tcp_window_scale type: integer - name: biflow_direction type: short - name: ethernet_header_length type: short - name: ethernet_payload_length type: integer - name: ethernet_total_length type: integer - name: dot1q_vlan_id type: integer - name: dot1q_priority type: short - name: dot1q_customer_vlan_id type: integer - name: dot1q_customer_priority type: short - name: metro_evc_id type: keyword - name: metro_evc_type type: short - name: pseudo_wire_id type: long - name: pseudo_wire_type 
type: integer - name: pseudo_wire_control_word type: long - name: ingress_physical_interface type: long - name: egress_physical_interface type: long - name: post_dot1q_vlan_id type: integer - name: post_dot1q_customer_vlan_id type: integer - name: ethernet_type type: integer - name: post_ip_precedence type: short - name: collection_time_milliseconds type: date - name: export_sctp_stream_id type: integer - name: max_export_seconds type: date - name: max_flow_end_seconds type: date - name: message_md5_checksum type: short - name: message_scope type: short - name: min_export_seconds type: date - name: min_flow_start_seconds type: date - name: opaque_octets type: short - name: session_scope type: short - name: max_flow_end_microseconds type: date - name: max_flow_end_milliseconds type: date - name: max_flow_end_nanoseconds type: date - name: min_flow_start_microseconds type: date - name: min_flow_start_milliseconds type: date - name: min_flow_start_nanoseconds type: date - name: collector_certificate type: short - name: exporter_certificate type: short - name: data_records_reliability type: boolean - name: observation_point_type type: short - name: new_connection_delta_count type: long - name: connection_sum_duration_seconds type: long - name: connection_transaction_id type: long - name: post_nat_source_ipv6_address type: ip - name: post_nat_destination_ipv6_address type: ip - name: nat_pool_id type: long - name: nat_pool_name type: keyword - name: anonymization_flags type: integer - name: anonymization_technique type: integer - name: information_element_index type: integer - name: p2p_technology type: keyword - name: tunnel_technology type: keyword - name: encrypted_technology type: keyword - name: bgp_validity_state type: short - name: ip_sec_spi type: long - name: gre_key type: long - name: nat_type type: short - name: initiator_packets type: long - name: responder_packets type: long - name: observation_domain_name type: keyword - name: selection_sequence_id type: 
long - name: selector_id type: long - name: information_element_id type: integer - name: selector_algorithm type: integer - name: sampling_packet_interval type: long - name: sampling_packet_space type: long - name: sampling_time_interval type: long - name: sampling_time_space type: long - name: sampling_size type: long - name: sampling_population type: long - name: sampling_probability type: double - name: data_link_frame_size type: integer - name: ip_header_packet_section type: short - name: ip_payload_packet_section type: short - name: data_link_frame_section type: short - name: mpls_label_stack_section type: short - name: mpls_payload_packet_section type: short - name: selector_id_total_pkts_observed type: long - name: selector_id_total_pkts_selected type: long - name: absolute_error type: double - name: relative_error type: double - name: observation_time_seconds type: date - name: observation_time_milliseconds type: date - name: observation_time_microseconds type: date - name: observation_time_nanoseconds type: date - name: digest_hash_value type: long - name: hash_ip_payload_offset type: long - name: hash_ip_payload_size type: long - name: hash_output_range_min type: long - name: hash_output_range_max type: long - name: hash_selected_range_min type: long - name: hash_selected_range_max type: long - name: hash_digest_output type: boolean - name: hash_initialiser_value type: long - name: selector_name type: keyword - name: upper_ci_limit type: double - name: lower_ci_limit type: double - name: confidence_level type: double - name: information_element_data_type type: short - name: information_element_description type: keyword - name: information_element_name type: keyword - name: information_element_range_begin type: long - name: information_element_range_end type: long - name: information_element_semantics type: short - name: information_element_units type: integer - name: private_enterprise_number type: long - name: virtual_station_interface_id type: short - 
name: virtual_station_interface_name type: keyword - name: virtual_station_uuid type: short - name: virtual_station_name type: keyword - name: layer2_segment_id type: long - name: layer2_octet_delta_count type: long - name: layer2_octet_total_count type: long - name: ingress_unicast_packet_total_count type: long - name: ingress_multicast_packet_total_count type: long - name: ingress_broadcast_packet_total_count type: long - name: egress_unicast_packet_total_count type: long - name: egress_broadcast_packet_total_count type: long - name: monitoring_interval_start_milli_seconds type: date - name: monitoring_interval_end_milli_seconds type: date - name: port_range_start type: integer - name: port_range_end type: integer - name: port_range_step_size type: integer - name: port_range_num_ports type: integer - name: sta_mac_address type: keyword - name: sta_ipv4_address type: ip - name: wtp_mac_address type: keyword - name: ingress_interface_type type: long - name: egress_interface_type type: long - name: rtp_sequence_number type: integer - name: user_name type: keyword - name: application_category_name type: keyword - name: application_sub_category_name type: keyword - name: application_group_name type: keyword - name: original_flows_present type: long - name: original_flows_initiated type: long - name: original_flows_completed type: long - name: distinct_count_of_source_ip_address type: long - name: distinct_count_of_destination_ip_address type: long - name: distinct_count_of_source_ipv4_address type: long - name: distinct_count_of_destination_ipv4_address type: long - name: distinct_count_of_source_ipv6_address type: long - name: distinct_count_of_destination_ipv6_address type: long - name: value_distribution_method type: short - name: rfc3550_jitter_milliseconds type: long - name: rfc3550_jitter_microseconds type: long - name: rfc3550_jitter_nanoseconds type: long - name: dot1q_dei type: boolean - name: dot1q_customer_dei type: boolean - name: flow_selector_algorithm 
type: integer - name: flow_selected_octet_delta_count type: long - name: flow_selected_packet_delta_count type: long - name: flow_selected_flow_delta_count type: long - name: selector_id_total_flows_observed type: long - name: selector_id_total_flows_selected type: long - name: sampling_flow_interval type: long - name: sampling_flow_spacing type: long - name: flow_sampling_time_interval type: long - name: flow_sampling_time_spacing type: long - name: hash_flow_domain type: integer - name: transport_octet_delta_count type: long - name: transport_packet_delta_count type: long - name: original_exporter_ipv4_address type: ip - name: original_exporter_ipv6_address type: ip - name: original_observation_domain_id type: long - name: intermediate_process_id type: long - name: ignored_data_record_total_count type: long - name: data_link_frame_type type: integer - name: section_offset type: integer - name: section_exported_octets type: integer - name: dot1q_service_instance_tag type: short - name: dot1q_service_instance_id type: long - name: dot1q_service_instance_priority type: short - name: dot1q_customer_source_mac_address type: keyword - name: dot1q_customer_destination_mac_address type: keyword - name: post_layer2_octet_delta_count type: long - name: post_mcast_layer2_octet_delta_count type: long - name: post_layer2_octet_total_count type: long - name: post_mcast_layer2_octet_total_count type: long - name: minimum_layer2_total_length type: long - name: maximum_layer2_total_length type: long - name: dropped_layer2_octet_delta_count type: long - name: dropped_layer2_octet_total_count type: long - name: ignored_layer2_octet_total_count type: long - name: not_sent_layer2_octet_total_count type: long - name: layer2_octet_delta_sum_of_squares type: long - name: layer2_octet_total_sum_of_squares type: long - name: layer2_frame_delta_count type: long - name: layer2_frame_total_count type: long - name: pseudo_wire_destination_ipv4_address type: ip - name: 
ignored_layer2_frame_total_count type: long - name: mib_object_value_integer type: integer - name: mib_object_value_octet_string type: short - name: mib_object_value_oid type: short - name: mib_object_value_bits type: short - name: mib_object_value_ip_address type: ip - name: mib_object_value_counter type: long - name: mib_object_value_gauge type: long - name: mib_object_value_time_ticks type: long - name: mib_object_value_unsigned type: long - name: mib_object_identifier type: short - name: mib_sub_identifier type: long - name: mib_index_indicator type: long - name: mib_capture_time_semantics type: short - name: mib_context_engine_id type: short - name: mib_context_name type: keyword - name: mib_object_name type: keyword - name: mib_object_description type: keyword - name: mib_object_syntax type: keyword - name: mib_module_name type: keyword - name: mobile_imsi type: keyword - name: mobile_msisdn type: keyword - name: http_status_code type: integer - name: source_transport_ports_limit type: integer - name: http_request_method type: keyword - name: http_request_host type: keyword - name: http_request_target type: keyword - name: http_message_version type: keyword - name: nat_instance_id type: long - name: internal_address_realm type: short - name: external_address_realm type: short - name: nat_quota_exceeded_event type: long - name: nat_threshold_event type: long - name: http_user_agent type: keyword - name: http_content_type type: keyword - name: http_reason_phrase type: keyword - name: max_session_entries type: long - name: max_bib_entries type: long - name: max_entries_per_user type: long - name: max_subscribers type: long - name: max_fragments_pending_reassembly type: long - name: address_pool_high_threshold type: long - name: address_pool_low_threshold type: long - name: address_port_mapping_high_threshold type: long - name: address_port_mapping_low_threshold type: long - name: address_port_mapping_per_user_high_threshold type: long - name: 
global_address_mapping_high_threshold type: long - name: vpn_identifier type: short - key: cef title: Decode CEF processor fields description: > Common Event Format (CEF) data. fields: - name: cef type: group description: > By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. fields: - name: version type: keyword description: > Version of the CEF specification used by the message. - name: device.vendor type: keyword description: > Vendor of the device that produced the message. - name: device.product type: keyword description: > Product of the device that produced the message. - name: device.version type: keyword description: > Version of the product that produced the message. - name: device.event_class_id type: keyword description: > Unique identifier of the event type. - name: severity type: keyword example: Very-High description: > Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High. - name: name type: keyword description: > Short description of the event. - name: extensions type: group description: > Collection of key-value pairs carried in the CEF extension field. default_field: false fields: - name: agentAddress type: ip description: The IP address of the ArcSight connector that processed the event. - name: agentDnsDomain type: keyword description: The DNS domain name of the ArcSight connector that processed the event. - name: agentHostName type: keyword description: The hostname of the ArcSight connector that processed the event. - name: agentId type: keyword description: The agent ID of the ArcSight connector that processed the event. - name: agentMacAddress type: keyword description: The MAC address of the ArcSight connector that processed the event.
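The `netflow` group above lists field names and types but not how a collector fills them. As an added example (not the Filebeat netflow input and not part of the generated fields.yml), the block below decodes a NetFlow v5 export packet into those names, checks the declared record count against the payload length before reading any record, and picks out SYN-only TCP flows, the pattern a port scan leaves behind. The v5 wire layout (24-byte header, 48-byte records, at most 30 per packet) is Cisco's documented format; the packet itself and the exporter address `10.0.0.1:2055` are constructed for the example.

```python
"""Decode a NetFlow v5 export packet into the netflow.* field names of the
netflow group above (exporter.version, octet_delta_count, tcp_control_bits
and so on). Added example: not the Filebeat netflow input and not part of
fields.yml. The packet below is constructed, not captured traffic.
"""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes, 30 max per packet
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
# Schema names for each record field, in wire order; None marks pad bytes.
RECORD_FIELDS = (
    "source_ipv4_address", "destination_ipv4_address", "ip_next_hop_ipv4_address",
    "ingress_interface", "egress_interface", "packet_delta_count",
    "octet_delta_count", "flow_start_sys_up_time", "flow_end_sys_up_time",
    "source_transport_port", "destination_transport_port", None,
    "tcp_control_bits", "protocol_identifier", "ip_class_of_service",
    "bgp_source_as_number", "bgp_destination_as_number",
    "source_ipv4_prefix_length", "destination_ipv4_prefix_length", None)


def tcp_flag_names(bits: int) -> list:
    """Expand netflow.tcp_control_bits into flag names, low bit first."""
    return [name for mask, name in sorted(TCP_FLAGS.items()) if bits & mask]


def parse_netflow_v5(packet: bytes, exporter_addr: str) -> list:
    """One event dict per flow record, keyed by this schema's field names.
    The declared count is validated against the payload length first: a
    collector that trusts `count` can be made to read past the buffer or
    to silently drop trailing records."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    (version, count, uptime_ms, secs, nsecs, _seq,
     engine_type, engine_id, sampling) = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(packet) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match payload length")
    exporter = {
        "netflow.exporter.address": exporter_addr,
        "netflow.exporter.version": version,
        "netflow.exporter.uptime_millis": uptime_ms,
        "netflow.exporter.timestamp": datetime.fromtimestamp(
            secs + nsecs / 1e9, tz=timezone.utc),
        "netflow.engine_type": engine_type,
        "netflow.engine_id": engine_id,
        # top two bits carry the sampling mode, the low 14 the interval
        "netflow.sampling_algorithm": sampling >> 14,
        "netflow.sampling_interval": sampling & 0x3FFF,
    }
    events = []
    for i in range(count):
        values = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        event = dict(exporter)
        for name, value in zip(RECORD_FIELDS, values):
            if name is None:
                continue
            if isinstance(value, bytes):            # the three IPv4 addresses
                value = str(IPv4Address(value))
            event["netflow." + name] = value
        events.append(event)
    return events


def is_malformed(packet: bytes) -> bool:
    """True when the parser rejects the packet."""
    try:
        parse_netflow_v5(packet, "10.0.0.1:2055")
    except ValueError:
        return True
    return False


def syn_only_tcp_flows(events: list) -> list:
    """TCP flows whose only control bit is SYN: unanswered connection
    attempts, the shape a port scan leaves in flow data."""
    return [e for e in events if e["netflow.protocol_identifier"] == 6
            and e["netflow.tcp_control_bits"] == 0x02]


def build_sample_packet() -> bytes:
    """Constructed packet: a SYN-only TCP flow to port 22 and a DNS reply."""
    def ip(s):
        return IPv4Address(s).packed
    header = HEADER.pack(5, 2, 3_600_000, 1_700_000_000, 0, 42, 0, 0,
                         (1 << 14) | 100)  # sampling mode 1, 1 in 100
    rec1 = RECORD.pack(ip("10.0.0.5"), ip("192.0.2.10"), ip("10.0.0.1"), 1, 2,
                       12, 720, 3_590_000, 3_599_000, 51234, 22, 0, 0x02, 6, 0,
                       64512, 64496, 24, 24, 0)
    rec2 = RECORD.pack(ip("192.0.2.10"), ip("10.0.0.5"), ip("10.0.0.1"), 2, 1,
                       1, 76, 3_595_000, 3_595_000, 53, 51234, 0, 0x00, 17, 0,
                       64496, 64512, 24, 24, 0)
    return header + rec1 + rec2
```

Run `parse_netflow_v5(build_sample_packet(), "10.0.0.1:2055")` to get two events; the first is the SYN-only flow that `syn_only_tcp_flows` returns. NetFlow v9 and IPFIX replace the fixed record with templates, which is why the rest of the group above is so much larger than what v5 can populate.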
      - name: agentNtDomain
        type: keyword
        description:
      - name: agentReceiptTime
        type: date
        description: The time at which information about the event was received by the ArcSight connector.
      - name: agentTimeZone
        type: keyword
        description: The agent time zone of the ArcSight connector that processed the event.
      - name: agentTranslatedAddress
        type: ip
        description:
      - name: agentTranslatedZoneExternalID
        type: keyword
        description:
      - name: agentTranslatedZoneURI
        type: keyword
        description:
      - name: agentType
        type: keyword
        description: The agent type of the ArcSight connector that processed the event.
      - name: agentVersion
        type: keyword
        description: The version of the ArcSight connector that processed the event.
      - name: agentZoneExternalID
        type: keyword
        description:
      - name: agentZoneURI
        type: keyword
        description:
      - name: applicationProtocol
        type: keyword
        description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on.
      - name: baseEventCount
        type: long
        description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
      - name: bytesIn
        type: long
        description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
      - name: bytesOut
        type: long
        description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.
      - name: customerExternalID
        type: keyword
        description:
      - name: customerURI
        type: keyword
        description:
      - name: destinationAddress
        type: ip
        description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
      - name: destinationDnsDomain
        type: keyword
        description: The DNS domain part of the complete fully qualified domain name (FQDN).
      - name: destinationGeoLatitude
        type: double
        description: The latitude value associated with the destination's IP address.
      - name: destinationGeoLongitude
        type: double
        description: The longitude value associated with the destination's IP address.
      - name: destinationHostName
        type: keyword
        description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
      - name: destinationMacAddress
        type: keyword
        description: Six colon-separated hexadecimal numbers.
      - name: destinationNtDomain
        type: keyword
        description: The Windows domain name of the destination address.
      - name: destinationPort
        type: long
        description: The valid port numbers are between 0 and 65535.
      - name: destinationProcessId
        type: long
        description: Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.
      - name: destinationProcessName
        type: keyword
        description: The name of the event's destination process.
      - name: destinationServiceName
        type: keyword
        description: The service targeted by this event.
      - name: destinationTranslatedAddress
        type: ip
        description: Identifies the translated destination that the event refers to in an IP network.
      - name: destinationTranslatedPort
        type: long
        description: Port after it was translated by, for example, a firewall. Valid port numbers are 0 to 65535.
      - name: destinationTranslatedZoneExternalID
        type: keyword
        description:
      - name: destinationTranslatedZoneURI
        type: keyword
        description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
      - name: destinationUserId
        type: keyword
        description: Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.
      - name: destinationUserName
        type: keyword
        description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
      - name: destinationUserPrivileges
        type: keyword
        description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUserPrivileges of "Administrator".
      - name: destinationZoneExternalID
        type: keyword
        description:
      - name: destinationZoneURI
        type: keyword
        description: The URI for the Zone that the destination asset has been assigned to in ArcSight.
      - name: deviceAction
        type: keyword
        description: Action taken by the device.
      - name: deviceAddress
        type: ip
        description: Identifies the device address that an event refers to in an IP network.
      - name: deviceCustomFloatingPoint1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomFloatingPoint3Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomFloatingPoint4Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomDate1
        type: date
        description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomDate1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomDate2
        type: date
        description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomDate2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomFloatingPoint1
        type: double
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomFloatingPoint2
        type: double
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomFloatingPoint2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomFloatingPoint3
        type: double
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomFloatingPoint4
        type: double
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomIPv6Address1
        type: ip
        description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomIPv6Address1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomIPv6Address2
        type: ip
        description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomIPv6Address2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomIPv6Address3
        type: ip
        description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomIPv6Address3Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomIPv6Address4
        type: ip
        description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
      - name: deviceCustomIPv6Address4Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomNumber1
        type: long
        description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomNumber1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomNumber2
        type: long
        description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomNumber2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomNumber3
        type: long
        description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomNumber3Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString1
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString2
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString3
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString3Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString4
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString4Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString5
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString5Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceCustomString6
        type: keyword
        description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceCustomString6Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceDirection
        type: long
        description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
      - name: deviceDnsDomain
        type: keyword
        description: The DNS domain part of the complete fully qualified domain name (FQDN).
      - name: deviceEventCategory
        type: keyword
        description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example "/Monitor/Disk/Read".
      - name: deviceExternalId
        type: keyword
        description: A name that uniquely identifies the device generating this event.
      - name: deviceFacility
        type: keyword
        description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.
      - name: deviceFlexNumber1
        type: long
        description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceFlexNumber1Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceFlexNumber2
        type: long
        description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
      - name: deviceFlexNumber2Label
        type: keyword
        description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
      - name: deviceHostName
        type: keyword
        description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
      - name: deviceInboundInterface
        type: keyword
        description: Interface on which the packet or data entered the device.
      - name: deviceMacAddress
        type: keyword
        description: Six colon-separated hexadecimal numbers.
      - name: deviceNtDomain
        type: keyword
        description: The Windows domain name of the device address.
      - name: deviceOutboundInterface
        type: keyword
        description: Interface on which the packet or data left the device.
      - name: devicePayloadId
        type: keyword
        description: Unique identifier for the payload associated with the event.
      - name: deviceProcessId
        type: long
        description: Provides the ID of the process on the device generating the event.
      - name: deviceProcessName
        type: keyword
        description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
      - name: deviceReceiptTime
        type: date
        description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
      - name: deviceTimeZone
        type: keyword
        description: The time zone for the device generating the event.
      - name: deviceTranslatedAddress
        type: ip
        description: Identifies the translated device address that the event refers to in an IP network.
      - name: deviceTranslatedZoneExternalID
        type: keyword
        description:
      - name: deviceTranslatedZoneURI
        type: keyword
        description: The URI for the Translated Zone that the device asset has been assigned to in ArcSight.
      - name: deviceZoneExternalID
        type: keyword
        description:
      - name: deviceZoneURI
        type: keyword
        description: The URI for the Zone that the device asset has been assigned to in ArcSight.
      - name: endTime
        type: date
        description: The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session.
      - name: eventId
        type: long
        description: This is a unique ID that ArcSight assigns to each event.
      - name: eventOutcome
        type: keyword
        description: Displays the outcome, usually as 'success' or 'failure'.
      - name: externalId
        type: keyword
        description: The ID used by an originating device. They are usually increasing numbers, associated with events.
      - name: fileCreateTime
        type: date
        description: Time when the file was created.
      - name: fileHash
        type: keyword
        description: Hash of a file.
      - name: fileId
        type: keyword
        description: An ID associated with a file could be the inode.
      - name: fileModificationTime
        type: date
        description: Time when the file was last modified.
      - name: filename
        type: keyword
        description: Name of the file only (without its path).
      - name: filePath
        type: keyword
        description: Full path to the file, including file name itself.
      - name: filePermission
        type: keyword
        description: Permissions of the file.
      - name: fileSize
        type: long
        description: Size of the file.
      - name: fileType
        type: keyword
        description: Type of file (pipe, socket, etc.)
      - name: flexDate1
        type: date
        description: A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
      - name: flexDate1Label
        type: keyword
        description: The label field is a string and describes the purpose of the flex field.
      - name: flexString1
        type: keyword
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
      - name: flexString2
        type: keyword
        description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
      - name: flexString1Label
        type: keyword
        description: The label field is a string and describes the purpose of the flex field.
      - name: flexString2Label
        type: keyword
        description: The label field is a string and describes the purpose of the flex field.
      - name: message
        type: keyword
        description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
      - name: oldFileCreateTime
        type: date
        description: Time when old file was created.
      - name: oldFileHash
        type: keyword
        description: Hash of the old file.
      - name: oldFileId
        type: keyword
        description: An ID associated with the old file could be the inode.
      - name: oldFileModificationTime
        type: date
        description: Time when old file was last modified.
      - name: oldFileName
        type: keyword
        description: Name of the old file.
      - name: oldFilePath
        type: keyword
        description: Full path to the old file, including the file name itself.
      - name: oldFilePermission
        type: keyword
        description: Permissions of the old file.
      - name: oldFileSize
        type: long
        description: Size of the old file.
      - name: oldFileType
        type: keyword
        description: Type of the old file (pipe, socket, etc.)
      - name: rawEvent
        type: keyword
        description:
      - name: Reason
        type: keyword
        description: The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".
      - name: requestClientApplication
        type: keyword
        description: The User-Agent associated with the request.
      - name: requestContext
        type: keyword
        description: Description of the content from which the request originated (for example, HTTP Referrer).
      - name: requestCookies
        type: keyword
        description: Cookies associated with the request.
      - name: requestMethod
        type: keyword
        description: The HTTP method used to access a URL.
      - name: requestUrl
        type: keyword
        description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.
      - name: sourceAddress
        type: ip
        description: Identifies the source that an event refers to in an IP network.
      - name: sourceDnsDomain
        type: keyword
        description: The DNS domain part of the complete fully qualified domain name (FQDN).
      - name: sourceGeoLatitude
        type: double
        description:
      - name: sourceGeoLongitude
        type: double
        description:
      - name: sourceHostName
        type: keyword
        description: >
          Identifies the source that an event refers to in an IP network. The
          format should be a fully qualified domain name (FQDN) associated with
          the source node, when a node is available. Examples: 'host' or
          'host.domain.com'.
      - name: sourceMacAddress
        type: keyword
        example: "00:0d:60:af:1b:61"
        description: Six colon-separated hexadecimal numbers.
      - name: sourceNtDomain
        type: keyword
        description: The Windows domain name for the source address.
      - name: sourcePort
        type: long
        description: The valid port numbers are 0 to 65535.
      - name: sourceProcessId
        type: long
        description: The ID of the source process associated with the event.
      - name: sourceProcessName
        type: keyword
        description: The name of the event's source process.
      - name: sourceServiceName
        type: keyword
        description: The service that is responsible for generating this event.
      - name: sourceTranslatedAddress
        type: ip
        description: Identifies the translated source that the event refers to in an IP network.
      - name: sourceTranslatedPort
        type: long
        description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
      - name: sourceTranslatedZoneExternalID
        type: keyword
        description:
      - name: sourceTranslatedZoneURI
        type: keyword
        description: The URI for the Translated Zone that the source asset has been assigned to in ArcSight.
      - name: sourceUserId
        type: keyword
        description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
      - name: sourceUserName
        type: keyword
        description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
      - name: sourceUserPrivileges
        type: keyword
        description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
      - name: sourceZoneExternalID
        type: keyword
        description:
      - name: sourceZoneURI
        type: keyword
        description: The URI for the Zone that the source asset has been assigned to in ArcSight.
      - name: startTime
        type: date
        description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
      - name: transportProtocol
        type: keyword
        description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
      - name: type
        type: long
        description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).

      # ArcSight fields.
      - name: categoryDeviceType
        type: keyword
        description: Device type. Examples - Proxy, IDS, Web Server
      - name: categoryObject
        type: keyword
        description: Object that the event is about. For example it can be an operating system, database, file, etc.
      - name: categoryBehavior
        type: keyword
        description: Action or a behavior associated with an event. It's what is being done to the object.
      - name: categoryTechnique
        type: keyword
        description: Technique being used (e.g. /DoS).
      - name: categoryDeviceGroup
        type: keyword
        description: General device group like Firewall.
      - name: categorySignificance
        type: keyword
        description: Characterization of the importance of the event.
      - name: categoryOutcome
        type: keyword
        description: Outcome of the event (e.g. success, failure, or attempt).
      - name: managerReceiptTime
        type: date
        description: When the ArcSight ESM received the event.
      - name: source.service.name
        type: keyword
        description: Service that is the source of the event.
      - name: destination.service.name
        type: keyword
        description: Service that is the target of the event.