| resource_id |
string |
resourceId$ |
Full resource string identifying the record |
| tenant_id |
string |
tenantId$ |
The ID of the tenant that owns this specific to CTPX ID |
| sensor_type |
string |
sensorType$ |
Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id |
string |
sensorEventId$ |
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
sensorTenant$ |
A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
sensorId$ |
An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe |
string |
sensorCpe$ |
CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data |
string |
originalData$ |
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
eventTimeUsec$ |
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
ingestTimeUsec$ |
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
eventTimeFidelity$ |
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
hostId$ |
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version |
string |
sensorVersion$ |
The agent version as string. |
| enrichments |
Enrichments |
enrichments$ |
Event enrichments |
| generator_id |
uint32 |
generatorId$ |
The generator_id that created the event (snort based NIDS) |
| signature_id |
uint32 |
signatureId$ |
The rule ID used to create the event |
| signature_revision |
uint32 |
signatureRevision$ |
The version of the rule |
| policy_id |
uint32 |
policyId$ |
The policy ID (snort based NIDS) |
| message |
string |
message$ |
Title of the event |
| classification |
string |
classification$ |
event classification from classifications.conf (snort based NIDS) |
| priority |
uint32 |
priority$ |
Priority placed on the event by the normalizer (based of vendor scale) where 1 is the highest priority and 5 is the lowest. |
| action |
string |
action$ |
How the packet was handled. Possibly DROP, SDROP, REJECT, ALERT, FW_TRUSTED, ... |
| impact_flag |
uint32 |
impactFlag$ |
Supercedes action |
| blocked |
uint32 |
blocked$ |
1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked |
| vlan |
uint32 |
vlan$ |
The extracted vlan id from the vlan header in the alerting packet |
| mpls_label |
uint32 |
mplsLabel$ |
The extracted mpls label from the mpls header in the alerting packet |
| snort_sensor_id |
uint32 |
snortSensorId$ |
ID of the alerting device |
| event_id |
uint32 |
eventId$ |
ID of the event assigned by the sensor |
| event_ref |
uint32 |
eventRef$ |
Reference to another event_id being part of the conversation |
| source_address |
string |
sourceAddress$ |
@inject_tag: validate:"ip" IP source address |
| destination_address |
string |
destinationAddress$ |
@inject_tag: validate:"ip" IP destination address |
| source_port |
uint32 |
sourcePort$ |
@inject_tag: validate:"lt=65536" TCP/UDP source port when protocol == 6 |
| icmp_type |
uint32 |
icmpType$ |
Type of ICMP event when protocol == 1 |
| destination_port |
uint32 |
destinationPort$ |
@inject_tag: validate:"lt=65536" TCP/UDP source port when protocol == 6 |
| icmp_code |
uint32 |
icmpCode$ |
ICMP code when protocol == 99 |
| protocol |
uint32 |
protocol |
IP protocol number |
| ttl |
uint32 |
ttl$ |
IP packet time-to-live |
| tos |
string |
tos$ |
IP packet type-of-service flags |
| packet_id |
uint32 |
packetId$ |
IP packet identifier |
| ip_len |
uint32 |
ipLen$ |
Length of the alerting packet's IP header |
| dgm_len |
uint32 |
dgmLen$ |
Packet datagram length for UDP packets |
| flags |
string |
flags$ |
TCP flags ala tcpdump format string |
| sequence |
string |
sequence$ |
TCP sequence of alerting packet |
| ack |
string |
ack$ |
The TCP ACK |
| window |
string |
window$ |
The size of the receive window |
| tcp_len |
uint32 |
tcpLen$ |
Size of the TCP packet |
| tcp_options |
string |
tcpOptions$ |
String formatted TCP options |
| pcap |
bytes |
bytes$ |
All packets associated with the alert. Base64-encoded and suitable for use (after decoding) with tcpdump, wireshark, et.al. |
| pcapref |
string |
pcapref$ |
When pcap field is not present, provide a text string explaining on how to obtain the pcap. Example "REST QUERY <IP> with <PATH> having <arguments>" |
| source_username |
string |
sourceUsername$ |
The username associated with the source. |
| destination_username |
string |
destinationUsername$ |
The username associated with the destination. |
| application_name |
string |
applicationName$ |
Application detected by Deep Packet Inspection engine. |
| direction |
Nids.Direction |
direction$ |
Direction of the network traffic between the source and destination from the perspective of the sensor. |
| event_metadata |
KeyValuePairsIndexed |
eventMetadata$ |
event_metadata can be provided by the appliance to add context, such as url/filename triggered on, BETTER schema information, etc) |
| countermeasure_author |
Nids.author |
countermeasureAuthor$ |
countermeasure_author tells you who might have authored the event captured in the nids alert. |
| log_type |
string |
logType$ |
Vendor provided definition of the log type |
| src_ipblacklists |
repeated string |
srcIpblacklists$ |
Provides the names of blacklists matched by the source |
| dest_ipblacklists |
repeated string |
destIpblacklists$ |
Provides the names of blacklists matched by the source |
| src_ipgeo_summary |
GeoSummary |
srcIpgeoSummary$ |
The geographic location of the source IP |
| dest_ipgeo_summary |
GeoSummary |
destIpgeoSummary$ |
The geographic location of the destination IP |
| threat_intelligence_indicators |
repeated Nids.ThreatIntelligenceIndicators |
threatIntelligenceIndicators$ |
Details related to threat intelligence indicators (category, last observed date, source, source url, type e.t.c |
