| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId | Full resource string identifying the record |
| tenant_id | string | tenantId | The ID of the tenant that owns this record (CTPX ID) |
| sensor_type | string | sensorType | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | eventTimeUsec | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| sensor_version | string | sensorVersion | The agent version as a string |
| source_mac | string | sourceMac | Source MAC address in canonical text format |
| destination_mac | string | destinationMac | Destination MAC address in canonical text format |
| source_address | string | sourceAddress | IP address of the source. Validation: `@inject_tag: validate:"ip"` |
| destination_address | string | destinationAddress | IP address of the destination. Validation: `@inject_tag: validate:"ip"` |
| source_port | uint32 | sourcePort | Port of the source. Validation: `@inject_tag: validate:"lt=65536"` |
| destination_port | uint32 | destinationPort | Port of the destination. Validation: `@inject_tag: validate:"lt=65536"` |
| protocol | uint32 | protocol | Transfer protocol (IP protocol number). Validation: `@inject_tag: validate:"lt=256"` |
| tx_packet_count | uint64 | txPacketCount | Number of packets transferred |
| tx_byte_count | uint64 | txByteCount | Number of bytes transferred |
| rx_packet_count | uint64 | rxPacketCount | Number of packets received |
| rx_byte_count | uint64 | rxByteCount | Number of bytes received |
| direction | Netflow.Direction | direction | Direction of the network traffic between the source and destination from the perspective of the sensor. Ex: INBOUND, OUTBOUND |
| start_timestamp_usec | uint64 | startTimestampUsec | Flow start time in microseconds |
| end_timestamp_usec | uint64 | endTimestampUsec | Flow end time in microseconds |
| src_ipblacklists | repeated string | srcIpblacklists | Names of the blacklists matched by the source IP |
| dest_ipblacklists | repeated string | destIpblacklists | Names of the blacklists matched by the destination IP |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary | The geographic location of the destination IP |
| source_nat_address | string | sourceNatAddress | Source IP used if network address translation (NAT) is applied |
| destination_nat_address | string | destinationNatAddress | Destination IP used if network address translation (NAT) is applied |
| source_nat_port | uint32 | sourceNatPort | Source port used if network address translation (NAT) is applied |
| destination_nat_port | uint32 | destinationNatPort | Destination port used if network address translation (NAT) is applied |
| application_name | string | applicationName | Application detected by a Deep Packet Inspection engine such as Palo Alto's App-ID |
| flow_action | Netflow.fw_action | flowAction | Enum describing what the firewall did to the flow (if free-form text is needed, see connection_end_reason = 206): 0 FW_UNKNOWN, not used; 1 FW_BLOCKED, flow dropped (firewall blocked the TCP handshake or the UDP packet); 2 FW_ALLOWED, flow was not denied by the firewall; 3 FW_RESET_CLIENT_TO_SERVER, firewall sent a RST packet to the server (TCP probe); 4 FW_RESET_SERVER_TO_CLIENT, firewall sent a RST packet to the client (TCP probe); 5 FW_RESET_BOTH, firewall sent a RST packet to both client and server (TCP probe); 6 FW_ICMP_CLIENT, ICMP destination host unreachable sent to the client (UDP probe) |
| connection_end_reason | string | connectionEndReason | Details on why the session ended when flow_action is not sufficient. Ex: tcp-rst-from-client (Palo Alto), TCP Reset - I (ASA) |
| community_id_hash | string | communityIdHash | Allows a netflow record to be related to other records such as IDS alerts: https://github.com/corelight/community-id-spec |
| event_metadata | KeyValuePairsIndexed | eventMetadata | Can be provided by the data source to add context, such as the firewall rule name or source interface |
| processCorrelationID | ProcessCorrelationID | processCorrelationId | ProcessCorrelationID of the process that created this netflow session |
| process_image_path | string | processImagePath | Image path of the process initiating this netflow |
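The community_id_hash field is what lets a netflow record be joined to IDS alerts or Zeek logs for the same flow. The following added example (not code from the schema or from Secureworks) computes Community ID v1 from the record's own JSON field names (sourceAddress, destinationAddress, sourcePort, destinationPort, protocol) and shows why the value is direction-independent; it assumes the default seed 0, a constructed sample record, and leaves the ICMP type/code port mapping unimplemented.

```python
import base64
import hashlib
import ipaddress
import struct

PORT_PROTOCOLS = {6, 17, 132}   # TCP, UDP, SCTP: ports are part of the hashed tuple
ICMP_PROTOCOLS = {1, 58}        # ICMP, ICMPv6: type/code mapping not implemented here


def community_id_v1(src_ip, dst_ip, proto, sport=None, dport=None, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed | addr1 | addr2 | proto | 0x00 | port1 | port2))."""
    if proto in ICMP_PROTOCOLS:
        raise NotImplementedError("ICMP type/code to port mapping is not implemented")
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    if len(saddr) != len(daddr):
        raise ValueError("mixed IPv4/IPv6 endpoints in one flow")
    use_ports = proto in PORT_PROTOCOLS
    if use_ports and (sport is None or dport is None):
        raise ValueError("ports are required for TCP/UDP/SCTP")
    if not use_ports:
        sport = dport = 0  # ports are omitted from the hash input for other protocols
    # Canonical ordering (lower address, then lower port, first) makes the ID
    # identical no matter which side the sensor recorded as the source.
    if saddr > daddr or (saddr == daddr and sport > dport):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport
    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("!BB", proto, 0)
    if use_ports:
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def community_id_for_record(record, seed=0):
    """Derive the ID from a record keyed by the schema's JSON names (camelCase)."""
    return community_id_v1(record["sourceAddress"], record["destinationAddress"],
                           int(record["protocol"]), record.get("sourcePort"),
                           record.get("destinationPort"), seed)


# Constructed sample record (the public Community ID test flow), not data from the schema page.
SAMPLE_FLOW = {
    "sourceAddress": "128.232.110.120", "destinationAddress": "66.35.250.204",
    "sourcePort": 34855, "destinationPort": 80, "protocol": 6,
}

if __name__ == "__main__":
    print(community_id_for_record(SAMPLE_FLOW))
```

A record whose stored communityIdHash does not match the value recomputed from its five-tuple indicates a sensor using a non-default seed or a tuple altered by NAT, which is worth checking before trusting cross-source joins.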