| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; device MAC address |
| protocol | Encrypt.Protocol | protocol | The cryptographic protocol |
| tls_version | Encrypt.TlsVersion | tlsVersion$ | TLS version |
| certificate_version | int32 | certificateVersion$ | Certificate version (ex: 3) |
| serial_number | string | serialNumber$ | Certificate serial number |
| certificate_subject | string | certificateSubject$ | Certificate Subject |
| subject_order | string | subjectOrder$ | Certificate Subject order (C:ST:L:O:OU:CN:E) |
| certificate_issuer | string | certificateIssuer$ | Certificate Issuer |
| issuer_order | string | issueOrder$ | Certificate Issuer order (C:ST:L:O:OU:CN:E) |
| subject_common_name | string | subjectCommonName$ | Certificate Subject CommonName (CN) |
| subject_organizational_unit | string | subjectOrganizationalUnit$ | Certificate Subject OrganizationalUnit (OU) |
| subject_organization | string | subjectOrganization$ | Certificate Subject Organization (O) |
| subject_locality | string | subjectLocality$ | Certificate Subject Locality (L) |
| subject_state | string | subjectState$ | Certificate Subject StateOrProvinceName (S) |
| subject_country | string | subjectCountry$ | Certificate Subject CountryName (C) |
| subject_email | string | subjectEmail$ | Certificate Subject Email Address |
| issuer_common_name | string | issuerCommonName$ | Certificate Issuer CommonName (CN) |
| issuer_organizational_unit | string | issuerOrganizationalUnit$ | Certificate Issuer OrganizationalUnit (OU) |
| issuer_organization | string | issuerOrganization$ | Certificate Issuer Organization (O) |
| issuer_locality | string | issuerLocality$ | Certificate Issuer Locality (L) |
| issuer_state | string | issuerState$ | Certificate Issuer StateOrProvinceName (S) |
| issuer_country | string | issuerCountry$ | Certificate Issuer CountryName (C) |
| issuer_email | string | issuerEmail$ | Certificate Issuer Email Address |
| valid_from_usec | uint64 | validFromUsec$ | Timestamp before which the certificate is not valid, in microseconds (µs) |
| valid_through_usec | uint64 | validThroughUsec$ | Timestamp after which the certificate is not valid, in microseconds (µs) |
| valid_from_string | string | validFromString$ | Timestamp before which the certificate is not valid, in string format (YYYYMMDDHHMMSSZ) |
| valid_through_string | string | validThroughString$ | Timestamp after which the certificate is not valid, in string format (YYYYMMDDHHMMSSZ) |
| ja3 | string | ja3$ | JA3 hash |
| ja3s | string | ja3s$ | JA3S hash |
| fingerprint | FileHash | fingerprint$ | Certificate fingerprint |
| sensor_version | string | sensorVersion$ | The agent version as a string (because of an existing field, we have to index unaligned with base) |
| source_address | string | sourceAddress$ | `@inject_tag: validate:"ip"` IP address of the source |
| destination_address | string | destinationAddress$ | `@inject_tag: validate:"ip"` IP address of the destination |
| source_port | uint32 | sourcePort$ | `@inject_tag: validate:"lt=65536"` Port of the source |
| destination_port | uint32 | destinationPort$ | `@inject_tag: validate:"lt=65536"` Port of the destination |
| source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
| destination_ipgeo_summary | GeoSummary | destinationIpgeoSummary$ | The geographic location of the destination IP |
| event_type | string | eventType$ | The event type provided by the data source |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the data source to add context |
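An added example (not code from the schema's own project) showing how a consumer would apply the `validate:"ip"` and `validate:"lt=65536"` tags, render the `*_usec` timestamps in the `YYYYMMDDHHMMSSZ` form of the `*_string` fields, and run two detection checks over a record (certificate validity at `event_time_usec`, and subject equal to issuer). The sample record is constructed here; the assumption that `certificate_subject` is colon-delimited in the same order as `subject_order` is mine, not stated by the schema.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample record using the schema's field names (values are made up).
SAMPLE_EVENT = {
    "source_address": "10.0.0.5",
    "destination_address": "203.0.113.7",
    "source_port": 51234,
    "destination_port": 443,
    "event_time_usec": 1_700_000_000_000_000,
    "valid_from_usec": 1_690_000_000_000_000,
    "valid_through_usec": 1_695_000_000_000_000,
    "subject_order": "C:ST:L:O:OU:CN:E",
    "certificate_subject": "US:CA:San Jose:Example Corp:IT:example.test:admin@example.test",
    "certificate_issuer": "US:CA:San Jose:Example Corp:IT:example.test:admin@example.test",
}


def usec_to_string(usec: int) -> str:
    """Render a microsecond epoch timestamp as YYYYMMDDHHMMSSZ (valid_*_string format)."""
    return datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def validate_endpoints(ev: dict) -> list:
    """Enforce the validate:"ip" and validate:"lt=65536" tags; return a list of errors."""
    errors = []
    for key in ("source_address", "destination_address"):
        try:
            ipaddress.ip_address(ev[key])
        except ValueError:
            errors.append(f"{key}: not an IP address")
    for key in ("source_port", "destination_port"):
        if not 0 <= ev[key] < 65536:
            errors.append(f"{key}: port out of range")
    return errors


def parse_subject(subject: str, order: str) -> dict:
    """Split the subject into attributes named by subject_order (assumes ':' delimiters)."""
    return dict(zip(order.split(":"), subject.split(":")))


def certificate_findings(ev: dict) -> list:
    """Detection checks: cert validity window vs event time, and self-signed (subject == issuer)."""
    findings = []
    if not ev["valid_from_usec"] <= ev["event_time_usec"] <= ev["valid_through_usec"]:
        findings.append("certificate not valid at event time")
    if ev["certificate_subject"] == ev["certificate_issuer"]:
        findings.append("self-signed certificate (subject equals issuer)")
    return findings
```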