| resource_id |
string |
resourceId$ |
Full resource string identifying the record |
| tenant_id |
string |
tenantId$ |
The ID of the tenant that owns this specific to CTPX ID |
| sensor_type |
string |
sensorType$ |
Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id |
string |
sensorEventId$ |
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
sensorTenant$ |
A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
sensorId$ |
An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe |
string |
sensorCpe$ |
CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data |
string |
originalData$ |
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
eventTimeUsec$ |
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
ingestTimeUsec$ |
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
eventTimeFidelity$ |
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
hostId$ |
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version |
string |
sensorVersion$ |
The agent version as string. |
| source_mac |
string |
sourceMac$ |
Source MAC Address in text canonical format |
| destination_mac |
string |
destinationMac$ |
Destination MAC Address in text canonical format |
| source_address |
string |
sourceAddress$ |
@inject_tag: validate:"ip" IP Address of the source |
| destination_address |
string |
destinationAddress$ |
@inject_tag: validate:"ip" IP Address of the destination |
| source_port |
uint32 |
sourcePort$ |
@inject_tag: validate:"lt=65536" Port of the source |
| destination_port |
uint32 |
destinationPort$ |
@inject_tag: validate:"lt=65536" Port of the destination |
| protocol |
uint32 |
protocol$ |
Transfer protocol @inject_tag: validate:"lt=256" |
| tx_packet_count |
uint64 |
txPacketCount$ |
Number of packets transferred |
| tx_byte_count |
uint64 |
txByteCount$ |
Number of bytes transferred |
| rx_packet_count |
uint64 |
rxPacketCount$ |
Number of packets received |
| rx_byte_count |
uint64 |
rxByteCount$ |
Number of bytes received |
| direction |
Netflow.Direction |
direction$ |
Direction of the network traffic between the source and destination from the perspective of the sensor. Ex: INBOUND, OUTBOUND |
| start_timestamp_usec |
uint64 |
startTimestampUsec$ |
microseconds of the flow start |
| end_timestamp_usec |
uint64 |
endTimestampUsec$ |
microseconds of the flow end |
| src_ipblacklists |
repeated string |
srcIpblacklists$ |
Provides the names of blacklists matched by the source |
| dest_ipblacklists |
repeated string |
destIpblacklists$ |
Provides the names of blacklists matched by the destination |
| src_ipgeo_summary |
GeoSummary |
srcIpgeoSummary$ |
The geographic location of the source IP |
| dest_ipgeo_summary |
GeoSummary |
destIpgeoSummary$ |
The geographic location of the destination IP |
| source_nat_address |
string |
sourceNatAddress$ |
If Network Address translation is done, what is the source IP used |
| destination_nat_address |
string |
destinationNatAddress$ |
If Network Address translation is done, what is the destination IP used |
| source_nat_port |
uint32 |
sourceNatPort$ |
If Network Address translation is done, what is the source port used |
| destination_nat_port |
uint32 |
destinationNatPort$ |
If Network Address translation is done, what is the destination port used |
| application_name |
string |
applicationName$ |
Application detected by Deep Packet Inspection engine such as PaloAlto's APP-ID |
| flow_action |
Netflow.fw_action |
flowAction$ |
Provides an enum to define what the firewall might have done to the flow, if free form text is needed, see connection_end_reason = 206; 0 - FW_UNKNOWN - Not used. 1 - FW_BLOCKED - Flow dropped (firewall blocked the TCP handshake or the UDP packet) 2 - FW_ALLOWED - Flow was not denied by the firewall. 3 - FW_RESET_CLIENT_TO_SERVER - Firewall sent a RST packet to the server. (TCP probe). 4 - FW_RESET_SERVER_TO_CLIENT - Firewall sent a RST packet to the client. (TCP probe). 5 - FW_RESET_BOTH - Firewall sent a RST packet to both client and server. (TCP probe). 6 - FW_ICMP_CLIENT - ICMP destination host unreachable sent to client. (UDP probe). |
| connection_end_reason |
string |
connectionEndReason$ |
Provides details on why the session ended if flow_action was not enough example: tcp-rst-from-client (Paloalto), TCP Reset - I (ASA) |
| community_id_hash |
string |
communityIdHash$ |
Allows us to relate netflow record to other records like IDS alerts: https://github.com/corelight/community-id-spec{: target="_blank"} |
| event_metadata |
KeyValuePairsIndexed |
eventMetadata$ |
event_metadata can be provided by the data source to add context, such firewall rule name or source interface. |
| processCorrelationID |
ProcessCorrelationID |
processCorrelationId$ |
ProcessCorrelationID of the process creating this netflow session |
| process_image_path |
string |
processImagePath$ |
Image patch of the process initiating this netflow |
