Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

NIDS Schema

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak, iSensor
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string sensorCpe$ CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string originalData$ Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 ingestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
enrichments Enrichments enrichments$ Event enrichments
generator_id uint32 generatorId$ The generator_id that created the event (snort based NIDS)
signature_id uint32 signatureId$ The rule ID used to create the event
signature_revision uint32 signatureRevision$ The version of the rule
policy_id uint32 policyId$ The policy ID (snort based NIDS)
message string message$ Title of the event
classification string classification$ event classification from classifications.conf (snort based NIDS)
priority uint32 priority$ Priority placed on the event by the normalizer (based of vendor scale) where 1 is the highest priority and 5 is the lowest.
action string action$ How the packet was handled. Possibly DROP, SDROP, REJECT, ALERT, FW_TRUSTED, ...
impact_flag uint32 impactFlag$ Supercedes action
blocked uint32 blocked$ 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked
vlan uint32 vlan$ The extracted vlan id from the vlan header in the alerting packet
mpls_label uint32 mplsLabel$ The extracted mpls label from the mpls header in the alerting packet
snort_sensor_id uint32 snortSensorId$ ID of the alerting device
event_id uint32 eventId$ ID of the event assigned by the sensor
event_ref uint32 eventRef$ Reference to another event_id being part of the conversation
source_address string sourceAddress$ @inject_tag: validate:"ip" IP source address
destination_address string destinationAddress$ @inject_tag: validate:"ip" IP destination address
source_port uint32 sourcePort$ @inject_tag: validate:"lt=65536" TCP/UDP source port when protocol == 6
icmp_type uint32 icmpType$ Type of ICMP event when protocol == 1
destination_port uint32 destinationPort$ @inject_tag: validate:"lt=65536" TCP/UDP source port when protocol == 6
icmp_code uint32 icmpCode$ ICMP code when protocol == 99
protocol uint32 protocol IP protocol number
ttl uint32 ttl$ IP packet time-to-live
tos string tos$ IP packet type-of-service flags
packet_id uint32 packetId$ IP packet identifier
ip_len uint32 ipLen$ Length of the alerting packet's IP header
dgm_len uint32 dgmLen$ Packet datagram length for UDP packets
flags string flags$ TCP flags ala tcpdump format string
sequence string sequence$ TCP sequence of alerting packet
ack string ack$ The TCP ACK
window string window$ The size of the receive window
tcp_len uint32 tcpLen$ Size of the TCP packet
tcp_options string tcpOptions$ String formatted TCP options
pcap bytes bytes$ All packets associated with the alert. Base64-encoded and suitable for use (after decoding) with tcpdump, wireshark, et.al.
pcapref string pcapref$ When pcap field is not present, provide a text string explaining on how to obtain the pcap. Example "REST QUERY <IP> with <PATH> having <arguments>"
source_username string sourceUsername$ The username associated with the source.
destination_username string destinationUsername$ The username associated with the destination.
application_name string applicationName$ Application detected by Deep Packet Inspection engine.
direction Nids.Direction direction$ Direction of the network traffic between the source and destination from the perspective of the sensor.
event_metadata KeyValuePairsIndexed eventMetadata$ event_metadata can be provided by the appliance to add context, such as url/filename triggered on, BETTER schema information, etc)
countermeasure_author Nids.author countermeasureAuthor$ countermeasure_author tells you who might have authored the event captured in the nids alert.
log_type string logType$ Vendor provided definition of the log type
src_ipblacklists repeated string srcIpblacklists$ Provides the names of blacklists matched by the source
dest_ipblacklists repeated string destIpblacklists$ Provides the names of blacklists matched by the source
src_ipgeo_summary GeoSummary srcIpgeoSummary$ The geographic location of the source IP
dest_ipgeo_summary GeoSummary destIpgeoSummary$ The geographic location of the destination IP
threat_intelligence_indicators repeated Nids.ThreatIntelligenceIndicators threatIntelligenceIndicators$ Details related to threat intelligence indicators (category, last observed date, source, source url, type e.t.c


Normalized Field Type Parser Field Description
type string type$ Type of TI, e.g. IP address, Email address, url, hash, malware etc
value string value$ Raw value of the TI indicator, e.g. (, FAKEURL.COM may be available for sale or other proposals )
category string category$ Category of the TI like C&C, Keylogger, backdoor, etc
last_observation_time_usec uint64 lastObservationTimeUsec$ Timestamp related to when TI last curated.
source string source$ Human readable source if the TI data, e.g. “Microsoft TIC”
source_url string sourceUrl$ URL that provides information about the TI
family string family$ Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.).


Normalized Field Type Parser Field Description
key string key$
value string value$


Name Number Description
UNKNOWN 0 unused but required for proto3
INBOUND 1 When you have a flow to/from the security control itself. Receive
CLIENT_TO_SERVER 3 When you get a flow from a security control inspecting a flow from point A to B. The security control is not apart of the conversation, just an observer. The security control only know who is the initiator (client) of the connection and who is the receiver (server).


Name Number Description
DEFAULT_ORIGIN 0 unused but required for proto3
VENDOR_OF_SENSOR 1 Whoever manufactured the sensortType is the author of this nids countermeasure.
SCWX_CTU 2 Denotes that the nids countermeasure is from SecureWork's Counter Threat Unit.
EMERGING_THREATS 3 Denotes a countermeasure from https://rules.emergingthreats.net/{: target="_blank"}.


On this page: