DNS Schema
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| source_address | string | sourceAddress$ | Origin of the DNS query. Not set by all agents. internal: this is not present in Redcloak agent events |
| destination_address | string | destinationAddress$ | Address of the DNS Server. Not set by all agents. internal: this is not present in Redcloak agent events |
| query_name | string | queryName$ | Domain name of the host or string queried for type |
| query_type | int32 | queryType$ | Numeric DNS record type of the QUERY defined by RFC1035, et.al. |
| query_class | int32 | queryClass$ | DNS record class |
| responses | DNSQuery.Responses | responses$ | A list of REPLIES in response to the QUERY |
| index_of_top_private_domain | sint32 | indexOfTopPrivateDomain$ | The character index in query_name where the top private domain starts. For www.microsoft.com, this will be 4. For www.store.example.co.uk this will be 10. A negative value indicates that the top private domain could not be determined. |
| is_top_private_domain_parsed | bool | isTopPrivateDomainParsed$ | True if the parser was run to find the top private domain. If false, disregard index_of_top_private_domain. |
| response_code | int32 | responseCode$ | The RCODE if present in the original_data defined by rfc6895, et.al. |
| src_ipblacklists | string | repeated | Provides the names of blacklists matched by the source |
| dest_ipblacklists | string | repeated | Provides the names of blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | The geographic location of the source IP | |
| dest_ipgeo_summary | GeoSummary | The geographic location of the destination IP | |
| whois_record | whois.WhoisSimple | Internet resource info of the source including IP registration | |
| processCorrelationID | ProcessCorrelationID | ProcessID of the process creating this DNS lookup |
DNSQuery.ResponseRecord ⫘
Type of REPLY in response to the QUERY
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| response_type | int32 | responseType$ | |
| response_data | string | responseData$ |
DNSQuery.Responses ⫘
A list of REPLIES in response to the QUERY
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| records | repeated DNSQuery.ResponseRecord | records$ |