| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The CTPX ID of the tenant that owns this record |
| sensor_type | string | sensorType$ | Type of device that generated this event, e.g. redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data, e.g. redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it, e.g. redcloak-agent-id, iSensor device IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert, e.g. cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID, uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as a string |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| generator_id | uint32 | generatorId$ | The generator_id that created the event (Snort-based NIDS) |
| signature_id | uint32 | signatureId$ | The rule ID used to create the event |
| signature_revision | uint32 | signatureRevision$ | The version of the rule |
| policy_id | uint32 | policyId$ | The policy ID (Snort-based NIDS) |
| message | string | message$ | Title of the event |
| classification | string | classification$ | Event classification from classifications.conf (Snort-based NIDS) |
| priority | uint32 | priority$ | Priority placed on the event by the normalizer (based on the vendor's scale), where 1 is the highest priority and 5 is the lowest |
| action | string | action$ | How the packet was handled; possible values include DROP, SDROP, REJECT, ALERT, FW_TRUSTED, ... |
| impact_flag | uint32 | impactFlag$ | Supersedes action |
| blocked | uint32 | blocked$ | 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked |
| vlan | uint32 | vlan$ | The VLAN ID extracted from the VLAN header of the alerting packet |
| mpls_label | uint32 | mplsLabel$ | The MPLS label extracted from the MPLS header of the alerting packet |
| snort_sensor_id | uint32 | snortSensorId$ | ID of the alerting device |
| event_id | uint32 | eventId$ | ID of the event assigned by the sensor |
| event_ref | uint32 | eventRef$ | Reference to another event_id that is part of the same conversation |
| source_address | string | sourceAddress$ | IP source address (`@inject_tag: validate:"ip"`) |
| destination_address | string | destinationAddress$ | IP destination address (`@inject_tag: validate:"ip"`) |
| source_port | uint32 | sourcePort$ | TCP/UDP source port when protocol == 6 (`@inject_tag: validate:"lt=65536"`) |
| icmp_type | uint32 | icmpType$ | Type of ICMP event when protocol == 1 |
| destination_port | uint32 | destinationPort$ | TCP/UDP destination port when protocol == 6 (`@inject_tag: validate:"lt=65536"`) |
| icmp_code | uint32 | icmpCode$ | ICMP code when protocol == 99 |
| protocol | uint32 | protocol | IP protocol number |
| ttl | uint32 | ttl$ | IP packet time-to-live |
| tos | string | tos$ | IP packet type-of-service (TOS) flags |
| packet_id | uint32 | packetId$ | IP packet identifier |
| ip_len | uint32 | ipLen$ | Length of the alerting packet's IP header |
| dgm_len | uint32 | dgmLen$ | Packet datagram length for UDP packets |
| flags | string | flags$ | TCP flags as a tcpdump-style format string |
| sequence | string | sequence$ | TCP sequence number of the alerting packet |
| ack | string | ack$ | The TCP acknowledgement number |
| window | string | window$ | The size of the TCP receive window |
| tcp_len | uint32 | tcpLen$ | Size of the TCP packet |
| tcp_options | string | tcpOptions$ | TCP options as a formatted string |
| pcap | bytes | bytes$ | All packets associated with the alert, base64-encoded and suitable for use (after decoding) with tcpdump, Wireshark, et al. |
| pcapref | string | pcapref$ | When the pcap field is not present, a text string explaining how to obtain the pcap, e.g. "REST QUERY <IP> with <PATH> having <arguments>" |
| source_username | string | sourceUsername$ | The username associated with the source |
| destination_username | string | destinationUsername$ | The username associated with the destination |
| application_name | string | applicationName$ | Application detected by the Deep Packet Inspection engine |
| direction | Nids.Direction | direction$ | Direction of the network traffic between the source and destination from the perspective of the sensor |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | Can be provided by the appliance to add context, such as the URL or filename triggered on, BETTER schema information, etc. |
| countermeasure_author | Nids.author | countermeasureAuthor$ | Indicates who might have authored the event captured in the NIDS alert |
| log_type | string | logType$ | Vendor-provided definition of the log type |
| src_ipblacklists | repeated string | srcIpblacklists$ | Names of the blacklists matched by the source |
| dest_ipblacklists | repeated string | destIpblacklists$ | Names of the blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| threat_intelligence_indicators | repeated Nids.ThreatIntelligenceIndicators | threatIntelligenceIndicators$ | Details related to threat intelligence indicators (category, last observed date, source, source URL, type, etc.) |
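The table states several constraints a pipeline can enforce before accepting a NIDS event: the `validate:"ip"` and `validate:"lt=65536"` inject tags on the address and port fields, the 1..5 priority scale, the three-valued `blocked` field, `icmp_type` being meaningful only when `protocol == 1`, the `uint64` timestamps, and the rule that `pcapref` must describe how to fetch the capture when `pcap` is absent. The following Python check is an added example written for this page; it is not code from Secureworks or the schema project. The field names come from the table, the two event dicts are constructed samples, and `icmp_code` is deliberately left unchecked because the table gives it a different protocol condition than `icmp_type`.

```python
"""Validate a NIDS event dict against the constraints stated in the schema table."""
import base64
import binascii
import ipaddress

# IP protocol numbers the schema's conditional fields refer to
PROTO_ICMP = 1   # icmp_type is documented "when protocol == 1"
PROTO_TCP = 6    # source_port / destination_port documented "when protocol == 6"

# blocked: 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked
BLOCKED_VALUES = {1: "NotBlocked", 2: "Blocked", 3: "WouldHaveBlocked"}


def _is_ip(value):
    """True when value parses as an IPv4 or IPv6 address (validate:"ip")."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_base64(value):
    """True when value decodes as strict base64 (stray characters are rejected)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def validate_nids_event(event):
    """Return a list of violation strings; an empty list means the event passes."""
    problems = []

    for field in ("source_address", "destination_address"):
        value = event.get(field)
        if value is not None and not _is_ip(value):
            problems.append(f'{field}={value!r} fails validate:"ip"')

    for field in ("source_port", "destination_port"):
        value = event.get(field)
        if value is not None and not (0 <= value < 65536):
            problems.append(f'{field}={value} fails validate:"lt=65536"')

    protocol = event.get("protocol")
    if protocol != PROTO_ICMP and event.get("icmp_type") is not None:
        problems.append(f"icmp_type set but protocol={protocol} is not ICMP ({PROTO_ICMP})")

    priority = event.get("priority")
    if priority is not None and not (1 <= priority <= 5):
        problems.append(f"priority={priority} outside 1 (highest) .. 5 (lowest)")

    blocked = event.get("blocked")
    if blocked is not None and blocked not in BLOCKED_VALUES:
        problems.append(f"blocked={blocked} not one of {sorted(BLOCKED_VALUES)}")

    for field in ("event_time_usec", "ingest_time_usec"):
        value = event.get(field)
        if value is not None and not (isinstance(value, int) and 0 <= value < 2 ** 64):
            problems.append(f"{field}={value!r} is not a uint64")

    # pcap carries base64 capture data; when it is absent, pcapref must say how to get it
    pcap = event.get("pcap")
    if pcap is None:
        if not event.get("pcapref"):
            problems.append("neither pcap nor pcapref present")
    elif not _is_base64(pcap):
        problems.append("pcap is not valid base64")

    return problems


# Constructed sample: a well-formed event (all values invented for illustration)
GOOD_EVENT = {
    "resource_id": "example-resource-id",
    "tenant_id": "example-tenant",
    "sensor_type": "iSensor",
    "protocol": PROTO_TCP,
    "source_address": "10.0.0.5",
    "destination_address": "192.0.2.10",
    "source_port": 51234,
    "destination_port": 445,
    "priority": 2,
    "blocked": 2,
    "event_time_usec": 1700000000000000,
    "ingest_time_usec": 1700000000500000,
    "pcap": base64.b64encode(b"\xd4\xc3\xb2\xa1").decode(),  # constructed bytes, not a real capture
}

# Constructed sample: seven violations at once, including the missing pcap/pcapref case
BAD_EVENT = {
    "protocol": PROTO_TCP,
    "source_address": "10.0.0.999",
    "destination_address": "192.0.2.10",
    "source_port": 70000,
    "icmp_type": 8,
    "priority": 9,
    "blocked": 4,
    "event_time_usec": -1,
}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, validate_nids_event(ev))
```

Running the block prints an empty list for the well-formed sample and seven findings for the malformed one. Rejecting such events at ingest (or routing them to a quarantine topic) keeps downstream detections from silently operating on fields the schema says are invalid.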