
Encrypt Schema

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| protocol | Encrypt.Protocol | protocol | The cryptographic protocol |
| tls_version | Encrypt.TlsVersion | tlsVersion$ | TLS version |
| certificate_version | int32 | certificateVersion$ | Certificate version (ex: 3) |
| serial_number | string | serialNumber$ | Certificate serial number |
| certificate_subject | string | certificateSubject$ | Certificate Subject |
| subject_order | string | subjectOrder$ | Certificate Subject order (C:ST:L:O:OU:CN:E) |
| certificate_issuer | string | certificateIssuer$ | Certificate Issuer |
| issuer_order | string | issueOrder$ | Certificate Issuer order (C:ST:L:O:OU:CN:E) |
| subject_common_name | string | subjectCommonName$ | Certificate Subject CommonName (CN) |
| subject_organizational_unit | string | subjectOrganizationalUnit$ | Certificate Subject OrganizationalUnit (OU) |
| subject_organization | string | subjectOrganization$ | Certificate Subject Organization (O) |
| subject_locality | string | subjectLocality$ | Certificate Subject Locality (L) |
| subject_state | string | subjectState$ | Certificate Subject StateOrProvinceName (S) |
| subject_country | string | subjectCountry$ | Certificate Subject CountryName (C) |
| subject_email | string | subjectEmail$ | Certificate Subject email address |
| issuer_common_name | string | issuerCommonName$ | Certificate Issuer CommonName (CN) |
| issuer_organizational_unit | string | issuerOrganizationalUnit$ | Certificate Issuer OrganizationalUnit (OU) |
| issuer_organization | string | issuerOrganization$ | Certificate Issuer Organization (O) |
| issuer_locality | string | issuerLocality$ | Certificate Issuer Locality (L) |
| issuer_state | string | issuerState$ | Certificate Issuer StateOrProvinceName (S) |
| issuer_country | string | issuerCountry$ | Certificate Issuer CountryName (C) |
| issuer_email | string | issuerEmail$ | Certificate Issuer email address |
| valid_from_usec | uint64 | validFromUsec$ | Timestamp before which the certificate is not valid, in microseconds (µs) |
| valid_through_usec | uint64 | validThroughUsec$ | Timestamp after which the certificate is not valid, in microseconds (µs) |
| valid_from_string | string | validFromString$ | Timestamp before which the certificate is not valid, in string format (YYYYMMDDHHMMSSZ) |
| valid_through_string | string | validThroughString$ | Timestamp after which the certificate is not valid, in string format (YYYYMMDDHHMMSSZ) |
| ja3 | string | ja3$ | JA3 hash |
| ja3s | string | ja3s$ | JA3S hash |
| fingerprint | FileHash | fingerprint$ | Certificate fingerprint |
| sensor_version | string | sensorVersion$ | The agent version as a string (because of an existing field, this is indexed unaligned with the base schema) |
| source_address | string | sourceAddress$ | `@inject_tag: validate:"ip"` IP address of the source |
| destination_address | string | destinationAddress$ | `@inject_tag: validate:"ip"` IP address of the destination |
| source_port | uint32 | sourcePort$ | `@inject_tag: validate:"lt=65536"` Port of the source |
| destination_port | uint32 | destinationPort$ | `@inject_tag: validate:"lt=65536"` Port of the destination |
| source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
| destination_ipgeo_summary | GeoSummary | destinationIpgeoSummary$ | The geographic location of the destination IP |
| event_type | string | eventType$ | The event type provided by the data source |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the data source to add context |

Encrypt.Protocol

Certificate properties

| Name | Number | Description |
|---|---|---|
| UNKNOWN_PROTOCOL | 0 | internal: unused but required for proto3 |
| TLS | 1 | TLS |
| SSL | 2 | SSL |
| SSH | 3 | SSH |

Encrypt.TlsVersion

| Name | Number | Description |
|---|---|---|
| TLS_UNKNOWN | 0 | internal: unused but required for proto3 |
| TLS_10 | 1 | TLSv1.0 |
| TLS_11 | 2 | TLSv1.1 |
| TLS_12 | 3 | TLSv1.2 |
| TLS_13 | 4 | TLSv1.3 |
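The schema above fixes a few invariants worth checking before a record is trusted for analysis: the `validate:"ip"` and `validate:"lt=65536"` tags on the address and port fields, the enum values of `Encrypt.Protocol` and `Encrypt.TlsVersion`, and the two encodings of certificate validity (`valid_*_usec` versus the `YYYYMMDDHHMMSSZ` strings) that should agree with each other and bracket `event_time_usec`. The following is an added example, not Taegis code: a small validator over a dictionary keyed by the Normalized Field names. The sample record is constructed, and the choice to flag TLS 1.0/1.1 for review is an assumption made for this example, not part of the schema.

```python
"""Added example: sanity-check an Encrypt record against the schema above.

Illustrative code only, not part of Taegis. Field names follow the
Normalized Field column; the sample record at the bottom is constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Enum values exactly as listed in the Encrypt.Protocol / Encrypt.TlsVersion tables
PROTOCOL = {0: "UNKNOWN_PROTOCOL", 1: "TLS", 2: "SSL", 3: "SSH"}
TLS_VERSION = {0: "TLS_UNKNOWN", 1: "TLS_10", 2: "TLS_11", 3: "TLS_12", 4: "TLS_13"}
# Assumption for this example only: legacy TLS versions are reported for review
REVIEW_TLS = {"TLS_10", "TLS_11"}

USEC = 1_000_000


def validity_string_to_usec(value: str) -> int:
    """Convert the schema's YYYYMMDDHHMMSSZ string to microseconds since the epoch (UTC)."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * USEC


def validate_record(rec: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # validate:"ip" on source_address / destination_address
    for key in ("source_address", "destination_address"):
        try:
            ipaddress.ip_address(rec.get(key, ""))
        except ValueError:
            findings.append(f"{key}: not a valid IP address")

    # validate:"lt=65536" on the uint32 port fields
    for key in ("source_port", "destination_port"):
        port = rec.get(key)
        if not isinstance(port, int) or not 0 <= port < 65536:
            findings.append(f"{key}: must be an unsigned integer below 65536")

    # Enum fields must map to a listed value (0 is the proto3 default)
    if rec.get("protocol", 0) not in PROTOCOL:
        findings.append("protocol: unknown enum value")
    tls = TLS_VERSION.get(rec.get("tls_version", 0))
    if tls is None:
        findings.append("tls_version: unknown enum value")
    elif tls in REVIEW_TLS:
        findings.append(f"tls_version: {tls} is a legacy version")

    # Certificate validity: prefer the usec fields, derive them from the string
    # form when absent, and flag a mismatch when both are present but disagree.
    window = {}
    for usec_key, str_key in (("valid_from_usec", "valid_from_string"),
                              ("valid_through_usec", "valid_through_string")):
        usec_val = rec.get(usec_key)
        str_val = rec.get(str_key)
        if str_val is not None:
            try:
                parsed = validity_string_to_usec(str_val)
            except ValueError:
                findings.append(f"{str_key}: not in YYYYMMDDHHMMSSZ form")
                parsed = None
            if usec_val is None:
                usec_val = parsed
            elif parsed is not None and parsed != usec_val:
                findings.append(f"{usec_key}/{str_key}: values disagree")
        window[usec_key] = usec_val

    # The certificate should have been valid at the moment the event was observed
    event = rec.get("event_time_usec")
    if event is not None:
        if window["valid_from_usec"] is not None and event < window["valid_from_usec"]:
            findings.append("certificate: not yet valid at event time")
        if window["valid_through_usec"] is not None and event > window["valid_through_usec"]:
            findings.append("certificate: expired at event time")
    return findings


# Constructed sample record (not real telemetry): TLS 1.2 session observed on
# 2024-06-01, presenting a certificate whose validity ended on 2024-01-01.
SAMPLE = {
    "protocol": 1, "tls_version": 3,
    "source_address": "10.0.0.5", "destination_address": "192.0.2.10",
    "source_port": 51234, "destination_port": 443,
    "valid_from_string": "20230101000000Z", "valid_through_string": "20240101000000Z",
    "event_time_usec": 1717200000 * USEC,  # 2024-06-01T00:00:00Z
}

if __name__ == "__main__":
    for finding in validate_record(SAMPLE) or ["record passed all checks"]:
        print(finding)
```

Running the block prints `certificate: expired at event time` for the sample. Records that fail the address or port checks are the ones a parser would have rejected at ingest, so seeing them downstream usually points at a broken sensor mapping rather than at the traffic itself.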
