🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

HTTP Schema

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak, iSensor
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string sensorCpe$ CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string originalData! Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 ingestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
source_mac string sensorMac$ Source MAC Address in text canonical format
destination_mac string destinationMac$ Destination MAC Address in text canonical format
source_address string sourceAddress$ @inject_tag: validate:"ip" IP Address of the source
destination_address string destinationAddres$ @inject_tag: validate:"ip" IP Address of the destination
source_port uint32 sourcePort$ @inject_tag: validate:"lt=65536" Port of the source
destination_port uint32 destinationPort$ @inject_tag: validate:"lt=65536" Port of the destination
protocol uint32 protocol$ Transfer protocol (tcp/udp/sctp/etc) @inject_tag: validate:"lt=256"
tx_packet_count uint64 txPacketCount$ Number of packets transferred
tx_byte_count uint64 txByteCount$ Number of bytes transferred
rx_packet_count uint64 rxPacketCount$ Number of packets received
rx_byte_count uint64 rxByteCount$ Number of bytes received
source_username string sourceUsername$ The username associated with the source.
destination_username string destinationUsername$ The username associated with the destination.
true_source_address string trueSourceAddress$ The single IP calculated as the true source of the http request.
l7_protocol string l7Protocol$ protocol http/https/http2/http3/etc
uri_scheme string uriScheme$ The normalized uri scheme such as 'http' or 'https'. Data assigned here is expected to be all lower case.
http_method string httpMethod$ HTTP request method, e.g. 'GET', 'POST', 'PUT', 'DELETE', etc.
uri_userinfo string uriUserinfo$ The uri userinfo in the form of username:password
uri_host string uriHost$ The normalized uri host such as 'www.example.com'. Data assiged here is expected to be all lower case and should not include colon and port if present.
uri_port string uriPort$ The uri port is the port found in the uri
uri_path string uriPath$ The normalized uri path such as '/forum/questions/'
uri_query string uriQuery$ The normalized uri query such as 'tag=networking&order=newest' This should not include a leading '?' or fragment or the '#' that denotes the start of the fragment in the URL.
uri_fragment string uriFragment$ The uri fragment such as 'top'. Should not include the '#' that denotes the start of the fragment in the URL.
index_of_top_private_domain sint32 indexOfTopPrivateDomain$ The character index in uri_host where the top private domain starts. For www.microsoft.com, this will be 4. For www.store.example.co.uk this will be 10. A negative value indicates that the top private domain could not be determined.
is_top_private_domain_parsed bool isTopPrivateDomainParsed$ True if the parser was run to find the top private domain. If false, disregard index_of_top_private_domain.
user_agent string userAgent$ The User-Agent string used in the request.
referer string referer$ The referral field
sensor_type_actions Http.actions sensorTypeActions$ The action the appliance took if any.
blocked uint32 blocked$ 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked
request_direction Http.Direction requestDirection$ The direction in relation to the client's asset as perceived by the appliance or normalizer (based off of the http request). INBOUND means the associated HTTP request is inbound to the client’s asset. OUTBOUND means the associated HTTP request is outbound from the client’s asset.
uri_host_raw string uriHostRaw$ raw URI host from the original data source; may include colon and port if that was in the data source URI
uri_path_raw string uriPathRaw$ raw URI path from the original data source.
uri_query_raw string uriQueryRaw$ raw URI query from the original data source. This should not include a leading '?'
response_code uint32 responseCode$ The http response code returned (if present)
response_text string responseText$ The http response code text (if present)
http_request_headers KeyValuePairsIndexed httpRequestHeaders$ Request headers (including values) that are present, but not in an individual field. Such as "X-MyCustom-Header"
http_response_headers KeyValuePairsIndexed httpResponseHeaders$ Response headers (including values) such as date, expires, server, set-cookie, vary, etc
event_metadata KeyValuePairsIndexed eventMetadata$ event_metadata can be provided by the data source to add context, such as url classification, maliciousness, etc.)
src_ipgeo_summary GeoSummary The geographic location of the source IP
dest_ipgeo_summary GeoSummary The geographic location of the destination IP

Http.RequestHeadersEntry

Normalized Field Type Parser Field Description
key string key$
value string value$

Http.ResponseHeadersEntry

Normalized Field Type Parser Field Description
key string key$
value string value$

Http.VendorExtraContextEntry

Normalized Field Type Parser Field Description
key string key$
value string value$

Http.Direction

The direction in relation to the client's asset as perceived by the appliance or normalizer.

Name Number Description
UNKNOWN 0 unused but required for proto3 (DEFAULT)
INBOUND 1 The associated http request was inbound
OUTBOUND 2 The associated http request was outbound

Http.actions

The action the appliance took if any.

Name Number Description
HTTP_UNKNOWN 0 unused but required for proto3 (DEFAULT)
HTTP_BLOCKED 1 The appliance dropped the transaction.
HTTP_ALLOWED 2 The appliance allowed the transaction.

 

On this page: