| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData! | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as a string. |
| source_mac | string | sourceMac$ | Source MAC address in canonical text format |
| destination_mac | string | destinationMac$ | Destination MAC address in canonical text format |
| source_address | string | sourceAddress$ | IP address of the source (@inject_tag: validate:"ip") |
| destination_address | string | destinationAddress$ | IP address of the destination (@inject_tag: validate:"ip") |
| source_port | uint32 | sourcePort$ | Port of the source (@inject_tag: validate:"lt=65536") |
| destination_port | uint32 | destinationPort$ | Port of the destination (@inject_tag: validate:"lt=65536") |
| protocol | uint32 | protocol$ | Transfer protocol (tcp/udp/sctp/etc.) (@inject_tag: validate:"lt=256") |
| tx_packet_count | uint64 | txPacketCount$ | Number of packets transferred |
| tx_byte_count | uint64 | txByteCount$ | Number of bytes transferred |
| rx_packet_count | uint64 | rxPacketCount$ | Number of packets received |
| rx_byte_count | uint64 | rxByteCount$ | Number of bytes received |
| source_username | string | sourceUsername$ | The username associated with the source. |
| destination_username | string | destinationUsername$ | The username associated with the destination. |
| true_source_address | string | trueSourceAddress$ | The single IP calculated as the true source of the HTTP request. |
| l7_protocol | string | l7Protocol$ | Layer 7 protocol: http/https/http2/http3/etc. |
| uri_scheme | string | uriScheme$ | The normalized URI scheme such as 'http' or 'https'. Data assigned here is expected to be all lower case. |
| http_method | string | httpMethod$ | HTTP request method, e.g. 'GET', 'POST', 'PUT', 'DELETE', etc. |
| uri_userinfo | string | uriUserinfo$ | The URI userinfo in the form username:password |
| uri_host | string | uriHost$ | The normalized URI host such as 'www.example.com'. Data assigned here is expected to be all lower case and should not include the colon and port if present. |
| uri_port | string | uriPort$ | The port found in the URI |
| uri_path | string | uriPath$ | The normalized URI path such as '/forum/questions/' |
| uri_query | string | uriQuery$ | The normalized URI query such as 'tag=networking&order=newest'. This should not include a leading '?', nor the fragment or the '#' that denotes the start of the fragment in the URL. |
| uri_fragment | string | uriFragment$ | The URI fragment such as 'top'. Should not include the '#' that denotes the start of the fragment in the URL. |
| index_of_top_private_domain | sint32 | indexOfTopPrivateDomain$ | The character index in uri_host where the top private domain starts. For www.microsoft.com this will be 4. For www.store.example.co.uk this will be 10. A negative value indicates that the top private domain could not be determined. |
| is_top_private_domain_parsed | bool | isTopPrivateDomainParsed$ | True if the parser was run to find the top private domain. If false, disregard index_of_top_private_domain. |
| user_agent | string | userAgent$ | The User-Agent string used in the request. |
| referer | string | referer$ | The Referer (referral) field |
| sensor_type_actions | Http.actions | sensorTypeActions$ | The action the appliance took, if any. |
| blocked | uint32 | blocked$ | 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked |
| request_direction | Http.Direction | requestDirection$ | The direction in relation to the client's asset as perceived by the appliance or normalizer (based on the HTTP request). INBOUND means the associated HTTP request is inbound to the client's asset. OUTBOUND means the associated HTTP request is outbound from the client's asset. |
| uri_host_raw | string | uriHostRaw$ | Raw URI host from the original data source; may include the colon and port if that was in the data source URI |
| uri_path_raw | string | uriPathRaw$ | Raw URI path from the original data source. |
| uri_query_raw | string | uriQueryRaw$ | Raw URI query from the original data source. This should not include a leading '?' |
| response_code | uint32 | responseCode$ | The HTTP response code returned (if present) |
| response_text | string | responseText$ | The HTTP response code text (if present) |
| http_request_headers | KeyValuePairsIndexed | httpRequestHeaders$ | Request headers (including values) that are present but not in an individual field, such as "X-MyCustom-Header" |
| http_response_headers | KeyValuePairsIndexed | httpResponseHeaders$ | Response headers (including values) such as date, expires, server, set-cookie, vary, etc. |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the data source to add context, such as URL classification, maliciousness, etc. |
| src_ipgeo_summary | GeoSummary | | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | | The geographic location of the destination IP |
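The URI columns above carry normalization rules (lower-case scheme and host, no port in uri_host, no leading '?' or '#', and the index_of_top_private_domain / is_top_private_domain_parsed pair), and the connection columns carry validate tags (ip, lt=65536, lt=256). The following Python is an added example, not code from the schema's own project, showing how a normalizer could populate those fields from a raw request URI and check the connection fields before emitting a record. The field names are the schema's; the HttpUriFields dataclass, the function names and the tiny PUBLIC_SUFFIXES set are assumptions for illustration (a real normalizer would load the full public-suffix list).

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public-suffix list a real
# normalizer would load (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}


@dataclass
class HttpUriFields:
    """The URI-related columns of the schema, populated per the column rules (hypothetical class)."""
    uri_scheme: str = ""
    uri_userinfo: str = ""
    uri_host: str = ""
    uri_host_raw: str = ""
    uri_port: str = ""
    uri_path: str = ""
    uri_query: str = ""
    uri_fragment: str = ""
    index_of_top_private_domain: int = -1
    is_top_private_domain_parsed: bool = False


def top_private_domain_index(host: str) -> int:
    """Return the index in host where the top private domain starts, or -1.

    The top private domain is the longest matching public suffix plus the one
    label in front of it, so www.microsoft.com -> 4 and
    www.store.example.co.uk -> 10. A host that is itself a public suffix, an
    IP literal or a single label has no top private domain (-1).
    """
    if host in PUBLIC_SUFFIXES:
        return -1
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest; the first hit is
    # therefore the longest public suffix.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            top_private = ".".join(labels[i - 1:])
            return len(host) - len(top_private)
    return -1


def normalize_uri(raw_uri: str) -> HttpUriFields:
    """Split a raw request URI into the normalized and raw schema columns."""
    parts = urlsplit(raw_uri)
    rec = HttpUriFields()
    rec.uri_scheme = parts.scheme.lower()             # expected all lower case
    userinfo, _, host_raw = parts.netloc.rpartition("@")
    rec.uri_userinfo = userinfo                       # username:password form
    rec.uri_host_raw = host_raw                       # may still carry :port
    rec.uri_host = (parts.hostname or "").lower()     # no colon and port
    try:
        rec.uri_port = str(parts.port) if parts.port is not None else ""
    except ValueError:                                # e.g. port 99999 in the URI
        rec.uri_port = ""
    rec.uri_path = parts.path
    rec.uri_query = parts.query                       # no leading '?'
    rec.uri_fragment = parts.fragment                 # no leading '#'
    rec.index_of_top_private_domain = top_private_domain_index(rec.uri_host)
    rec.is_top_private_domain_parsed = True           # the parser was run
    return rec


def validate_connection(source_address: str, destination_address: str,
                        source_port: int, destination_port: int,
                        protocol: int) -> list:
    """Apply the validate:"ip", validate:"lt=65536" and validate:"lt=256" rules."""
    errors = []
    for name, addr in (("source_address", source_address),
                       ("destination_address", destination_address)):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            errors.append(f"{name}: {addr!r} is not an IP address")
    for name, port in (("source_port", source_port),
                       ("destination_port", destination_port)):
        if not 0 <= port < 65536:
            errors.append(f"{name}: {port} is not < 65536")
    if not 0 <= protocol < 256:
        errors.append(f"protocol: {protocol} is not < 256")
    return errors


if __name__ == "__main__":
    # Constructed sample request URI, not taken from any real sensor.
    sample = ("HTTP://User:Pass@WWW.Store.Example.co.uk:8080"
              "/forum/questions/?tag=networking&order=newest#top")
    print(normalize_uri(sample))
    print(validate_connection("10.0.0.1", "not-an-ip", 443, 70000, 6))
```

Keeping uri_host_raw beside uri_host matters for investigations: the normalized column is what queries and domain lookups key on, while the raw column preserves mixed case and the port exactly as the sensor saw them, so an analyst can still tell what the client actually sent.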