| Field | Type | Path | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record. |
| tenant_id | string | tenantId$ | The ID of the tenant. |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor. |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs). |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec. |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address. |
| threat_type | Antivirus.ThreatType | threatType$ | |
| action_taken | Antivirus.ActionTaken | actionTaken$ | |
| threat_name | string | threatName$ | Threat name as reported by the antivirus product. |
| agent_priority | string | agentPriority$ | Priority assigned to the threat by the agent/vendor. |
| agent_confidence_score | float | agentConfidenceScore$ | Alert confidence score provided by the agent/vendor. Recommended value range is 0-1, which equates to a percentage. |
| threat_category | Antivirus.ThreatCategory | threatCategory$ | |
| policy_name | string | policyName$ | Name of the policy applied on the reporting agent. |
| process_name | string | procesName$ | Information to identify the offending process, file, or network source/destination. Name of a malicious process found running in memory. |
| file_path | string | filePath$ | File name and path of an infected file. |
| file_hash | FileHash | fileHash$ | File hash of an infected file; useful for checking against vendor hashes in case of an out-of-date policy. |
| url_string | string | urlString$ | URL of malicious traffic. |
| user_name | string | userName$ | Username of the running process, logged-in user, or file owner. |
| agent_device_id | string | agentDeviceId$ | Device identifier, e.g. a GUID; this ID is assigned by the agent, not Secureworks. |
| agent_device_score | int32 | agentDeviceScore$ | Device score for AV products that allow you to add a score to differentiate between mission-critical and low-risk hosts. |
| os | OperatingSystem | os$.os$ | Operating system and architecture on which the process executed. |
| agent_alert_url | string | agentAlertUrl$ | URL for documentation of the threat (not the threat itself). |
| file_create_time_usec | uint64 | fileCreateTimeUsec$ | Time the file containing the virus was created. |
| file_modified_time_usec | uint64 | fileModifiedTimeUsec$ | Time the file containing the virus was modified. |
| vendor_alert_type | string | vendorAlertType$ | Vendor-provided description of the alert type (e.g. Abnormal, Suspicious, Communications Alert). |
| agent_version | string | agentVersion$ | Version of the agent that reported the event. |
| computer_name | string | computerName$ | Hostname of the affected endpoint. |
| vendor_signature_id | uint32 | vendorSignatureId$ | The rule ID provided by the vendor that was used to create the event. |
| event_metadata | KeyValuePairsIndexed | | event_metadata can be provided by the data source to add context. |