DNS Schema
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
resource_id | string | resourceId$ | Full resource string identifying the record |
tenant_id | string | tenantId$ | The ID of the tenant that owns this event (a CTPX tenant ID) |
sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. Ex: IPv4/IPv6 address, device MAC address |
sensor_version | string | sensorVersion$ | The agent version as string. |
source_address | string | sourceAddress$ | Address the DNS query originated from (the client). Not set by all agents; not present in Redcloak agent events |
destination_address | string | destinationAddress$ | Address of the DNS server the query was sent to. Not set by all agents; not present in Redcloak agent events |
query_name | string | queryName$ | The domain name, or other string, that was queried (the QNAME) |
query_type | int32 | queryType$ | Numeric DNS record type (QTYPE) of the QUERY as defined by RFC 1035 et al. Ex: 1 = A, 16 = TXT, 28 = AAAA |
query_class | int32 | queryClass$ | Numeric DNS record class (QCLASS) of the QUERY as defined by RFC 1035. Ex: 1 = IN |
responses | DNSQuery.Responses | responses$ | A list of REPLIES in response to the QUERY |
index_of_top_private_domain | sint32 | indexOfTopPrivateDomain$ | The character index in query_name where the top private domain (the registrable domain: the public suffix plus one more label) starts. For www.microsoft.com, this will be 4. For www.store.example.co.uk this will be 10. A negative value indicates that the top private domain could not be determined. |
is_top_private_domain_parsed | bool | isTopPrivateDomainParsed$ | True if the parser was run to find the top private domain. If false, disregard index_of_top_private_domain. |
response_code | int32 | responseCode$ | The RCODE, if present in original_data, as defined by RFC 6895 et al. Ex: 0 = NOERROR, 3 = NXDOMAIN |
src_ipblacklists | repeated string | | Names of the blacklists matched by the source address |
dest_ipblacklists | repeated string | | Names of the blacklists matched by the destination address |
src_ipgeo_summary | GeoSummary | | The geographic location of the source IP address |
dest_ipgeo_summary | GeoSummary | | The geographic location of the destination IP address |
whois_record | whois.WhoisSimple | | Internet resource info of the source, including IP registration |
processCorrelationID | ProcessCorrelationID | | Correlation ID of the process that issued this DNS lookup |
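The top-private-domain fields above are easiest to understand by computing them. The following is an added example, not the product's own parser: it derives index_of_top_private_domain and is_top_private_domain_parsed for a query_name against a constructed subset of the Public Suffix List (a real implementation loads the full list, including wildcard and exception rules), reproduces the two worked values from the field description, returns a negative index wherever the registrable domain cannot be determined, and shows the consumer side honouring is_top_private_domain_parsed before using the index. Field names follow the schema; PUBLIC_SUFFIXES, enrich, top_private_domain, queries_per_top_private_domain and SAMPLE_EVENTS are this example's own.

```python
"""Added example: computing index_of_top_private_domain for schema events.
Not the product's parser; PUBLIC_SUFFIXES below is a constructed subset."""

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# A production parser loads the full list; only exact rules are modelled here.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "org.uk", "github.io"}


def index_of_top_private_domain(query_name: str) -> int:
    """Character offset in query_name where the top private domain (the longest
    matching public suffix plus one more label) starts, or -1 when it cannot be
    determined: single-label names, empty labels, an unknown TLD, or a name
    that is itself a public suffix."""
    name = query_name.rstrip(".").lower()         # neither change moves offsets
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return -1
    suffix_labels = 0
    for i in range(len(labels)):                   # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_labels = len(labels) - i
            break
    if suffix_labels == 0 or suffix_labels == len(labels):
        return -1                                  # unknown TLD, or a bare public suffix
    first_private_label = len(labels) - suffix_labels - 1
    return sum(len(label) + 1 for label in labels[:first_private_label])


def enrich(event: dict) -> dict:
    """Producer side: populate both fields on an event keyed by normalized field name."""
    event["index_of_top_private_domain"] = index_of_top_private_domain(event.get("query_name", ""))
    event["is_top_private_domain_parsed"] = True
    return event


def top_private_domain(event: dict):
    """Consumer side: the top private domain, or None if the index is not usable.
    The parsed flag is checked first, as the field description requires."""
    if not event.get("is_top_private_domain_parsed"):
        return None
    index = event.get("index_of_top_private_domain", -1)
    if index < 0:
        return None
    return event["query_name"][index:].rstrip(".").lower()


# Constructed sample events carrying only the fields this example needs.
SAMPLE_EVENTS = [enrich({"query_name": q}) for q in (
    "www.microsoft.com",        # index 4, as in the field description
    "www.store.example.co.uk",  # index 10, as in the field description
    "WWW.Microsoft.COM.",       # case and trailing dot do not move the index
    "api.example.github.io",    # multi-label public suffix
    "co.uk",                    # a public suffix on its own: no private domain
    "localhost",                # single label
    "a.b.invalidtld",           # TLD not in the suffix set
)]


def queries_per_top_private_domain(events) -> dict:
    """Count distinct query names per top private domain. This grouping is what the
    index is for: many distinct subdomains under one registrable domain is a usual
    starting point for DGA and DNS-tunnelling hunts."""
    groups = {}
    for event in events:
        domain = top_private_domain(event)
        if domain is None:
            continue
        groups.setdefault(domain, set()).add(event["query_name"].rstrip(".").lower())
    return {domain: len(names) for domain, names in groups.items()}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["query_name"], event["index_of_top_private_domain"], top_private_domain(event))
    print(queries_per_top_private_domain(SAMPLE_EVENTS))
```

Because the index is a character offset into the original query_name, the consumer can slice the registrable domain out without re-running suffix matching, which is why the parser stores an offset rather than a second string.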
DNSQuery.ResponseRecord
Type of REPLY in response to the QUERY
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
response_type | int32 | responseType$ | Numeric DNS record type of the reply record, using the same RFC 1035 numbering as query_type. Ex: 1 = A, 5 = CNAME, 28 = AAAA |
response_data | string | responseData$ | The reply record's data (RDATA) as a string, e.g. the address of an A/AAAA record or the target name of a CNAME |
DNSQuery.Responses
A list of REPLIES in response to the QUERY
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
records | repeated DNSQuery.ResponseRecord | records$ | The response records returned for the QUERY |
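A parser for the wire-format DNS response that a packet-capturing sensor would carry in original_data, mapped onto the fields of this schema (query_name, query_type, query_class, response_code and responses.records with response_type/response_data). This is an added example and not the product's parser: SAMPLE_RESPONSE and SAMPLE_NXDOMAIN are constructed messages, and normalize_dns_response, _read_name and _rdata_to_str are this example's own names. It decodes RFC 1035 name compression, rejects pointers that do not point backwards (the loop primitive in malformed messages), and renders A, AAAA, CNAME, NS and PTR RDATA as text, with anything else kept as hex.

```python
"""Added example: normalizing a wire-format DNS response into the schema fields.
Not the product's parser; the sample messages below are constructed."""
import ipaddress
import struct


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4) at off.
    Returns (dotted name, offset just past the name as it appears in place)."""
    labels, end, jumped = [], off, False
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                                # must point backwards, else loops
                raise ValueError("forward compression pointer")
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def _rdata_to_str(rtype: int, msg: bytes, rd_off: int, rdlen: int) -> str:
    """Render RDATA as the string that goes into response_data."""
    rdata = msg[rd_off:rd_off + rdlen]
    if rtype == 1 and rdlen == 4:            # A
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28 and rdlen == 16:          # AAAA
        return str(ipaddress.IPv6Address(rdata))
    if rtype in (2, 5, 12):                  # NS, CNAME, PTR: a name, possibly compressed
        return _read_name(msg, rd_off)[0]
    return rdata.hex()                       # anything else: raw RDATA as hex


def normalize_dns_response(msg: bytes) -> dict:
    """Map one DNS response message onto the normalized DNS schema fields."""
    if len(msg) < 12:
        raise ValueError("short header")
    _msg_id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    query_name, off = _read_name(msg, off)
    query_type, query_class = struct.unpack_from("!HH", msg, off)
    off += 4
    records = []
    for _ in range(ancount):
        _owner, off = _read_name(msg, off)   # usually a pointer back to the question
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        records.append({"response_type": rtype,
                        "response_data": _rdata_to_str(rtype, msg, off, rdlen)})
        off += rdlen
    return {
        "query_name": query_name,
        "query_type": query_type,
        "query_class": query_class,
        # 4-bit header RCODE only; an EDNS OPT record (RFC 6891/6895) can extend it.
        "response_code": flags & 0x000F,
        "responses": {"records": records},
        "original_data": msg.hex(),
    }


_QUESTION = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # www.example.com A IN

# Constructed: NOERROR response with a CNAME then an A record, both using compression
# (0xC00C points at the question name at offset 12, 0xC02D at the CNAME target at 45).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 7) + b"\x04host\xc0\x10"
    + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

# Constructed: NXDOMAIN (RCODE 3) with no answer records.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1235, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(normalize_dns_response(SAMPLE_RESPONSE))
    print(normalize_dns_response(SAMPLE_NXDOMAIN))
```

Only the answer section is walked; authority and additional records (including the OPT pseudo-record that carries an extended RCODE) are left for the reader, and the backward-pointer rule is what keeps a crafted original_data from spinning the parser.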