| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID: uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as a string. (Field indexes don't line up with the base event because of existing field definitions.) |
| created_time_usec | uint64 | createdTimeUsec$ | Alert creation time |
| closed_time_usec | uint64 | closedTimeUsec$ | Alert closed time |
| updated_time_usec | uint64 | updatedTimeUsec$ | Time at which the alert was last updated |
| first_event_time_usec | uint64 | firstEventTimeUsec$ | Time at which the event that caused this alert was first observed. |
| last_event_time_usec | uint64 | lastEventTimeUsec$ | Time at which the last event that caused this alert was observed |
| summary | string | summary$ | Description of the third-party alert |
| title | string | title$ | Title of the alert; a shortened form of the description available in the alert title |
| severity | Thirdparty.AlertSeverity | severity$ | Alert severity normalized to the third-party alert severity. |
| vendor_severity | string | vendorSeverity$ | Alert severity preserved as the raw value on the schema. This makes the vendor-level severity indicator visible and lets event filters be written against it. |
| confidence | string | confidence$ | Confidence of the detection logic (generally a percentage between 1 and 100, but can be anything) |
| status | string | status$ | Alert lifecycle status, such as unknown, newAlert, inProgress, resolved, etc. |
| generator_ids | repeated string | generatorIds$ | Unique identifiers of the underlying detections, analytics, engines, etc. that produced the alert |
| tags | repeated string | tags$ | User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.) |
| user_principal_name | string | userPrincipalName$ | User sign-in name |
| source_user_name | string | sourceUserName$ | Account from which the alert was generated |
| target_user_name | string | targetUserName$ | Account for which the alert was generated |
| domain_name | string | domainName$ | Domain of the user account |
| protocol | uint32 | protocol$ | @inject_tag: validate:"lt=256" Network protocol, with possible values of tcp, udp, icmp, etc. |
| direction | Thirdparty.Direction | direction$ | Network connection direction. Possible values are: unknown, inbound, outbound. |
| action | Thirdparty.Action | action$ | How the threat was handled. Possible values are: action_unknown, attempted, succeeded, blocked, failed. |
| risk_score | float | riskScore$ | @inject_tag: validate:"min=0.0,max=1.0" Provider generated/calculated risk score. Recommended value range of 0-1, which equates to a percentage. |
| log_type | string | logType$ | Vendor-provided definition of the log type |
| vendor | string | vendor$ | Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
| provider | string | provider$ | Specific provider (product/service, not the vendor company); for example, WindowsDefenderATP. |
| sub_provider | string | subProvider$ | Specific sub-provider (under the aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
| provider_version | string | providerVersion$ | Version of the provider or sub-provider, if it exists, that generated the alert. |
| ontology | string | ontology$ | Category of the alert (for example, credential theft, ransomware, UnfamiliarLocation, UnauthorizedAccess:S3/TorIPCaller, etc.). |
| technique_ids | repeated string | techniqueIds$ | List of attack technique IDs provided by the provider of the alert |
| threat_intelligence_indicators | repeated Thirdparty.ThreatIntelligenceIndicators | threatIntelligenceIndicators$ | Details related to threat intelligence indicators (category, last observed date, source, source URL, type, etc.) |
| vulnerabilities | repeated Thirdparty.Vulnerabilities | vulnerabilities$ | List of vulnerability information associated with this alert. |
| additional_data | KeyValuePairsIndexed | additionalData$ | Additional interesting data for a given alert, in key-value pairs |
| source_address | string | sourceAddress$ | Information provided by the alert provider about the source IP |
| destination_address | string | destinationAddress$ | Information provided by the alert provider about the destination IP. |
| source_port | uint32 | sourcePort$ | @inject_tag: validate:"lt=65536" TCP/UDP source port |
| destination_port | uint32 | destinationPort$ | @inject_tag: validate:"lt=65536" TCP/UDP destination port |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| remediation | repeated string | remediation$ | Recommended remediation actions from the source provider of the alert (for example, isolate machine, enforce2FA, reimage host). |
| comments | repeated string | comments$ | Comments and feedback related to the alert |
| source_material | repeated string | sourceMaterial$ | Any alert-related source material containing information about the alert or detection (e.g. the provider's user interface for alerts or log search, etc.) |
| evidence | repeated Thirdparty.Evidence | evidence$ | Evidence items associated with the alert |
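The protocol, source_port, destination_port and risk_score fields carry validate tags (lt=256, lt=65536, min=0.0,max=1.0), and every time field is a microsecond Unix timestamp. The Go program below is an added example, not code from the schema or its project: it mirrors only those fields in a hand-written struct (the struct and its field names are assumptions, not the generated protobuf type), enforces the tag constraints on a constructed well-formed record and a constructed malformed one, and converts event_time_usec to a time.Time. The timestamp-ordering checks (ingest after event, updated after created, last event after first event) are an added sanity check that the table itself does not state; they treat a zero timestamp as "unset", as proto3 does.

```go
package main

import (
	"fmt"
	"time"
)

// AlertFields is a hand-written example struct that mirrors the constrained and
// time fields from the table above. It is an assumption for this example, not
// the generated protobuf message.
type AlertFields struct {
	Protocol           uint32  // validate:"lt=256"
	SourcePort         uint32  // validate:"lt=65536"
	DestinationPort    uint32  // validate:"lt=65536"
	RiskScore          float32 // validate:"min=0.0,max=1.0"
	EventTimeUsec      uint64
	IngestTimeUsec     uint64
	CreatedTimeUsec    uint64
	UpdatedTimeUsec    uint64
	FirstEventTimeUsec uint64
	LastEventTimeUsec  uint64
}

// Violations returns one message per constraint the record breaks. The first
// four checks are the validate tags from the table; the ordering checks are an
// added assumption (a zero timestamp means "unset" and is skipped).
func Violations(a AlertFields) []string {
	var v []string
	if a.Protocol >= 256 {
		v = append(v, fmt.Sprintf("protocol=%d violates lt=256", a.Protocol))
	}
	if a.SourcePort >= 65536 {
		v = append(v, fmt.Sprintf("source_port=%d violates lt=65536", a.SourcePort))
	}
	if a.DestinationPort >= 65536 {
		v = append(v, fmt.Sprintf("destination_port=%d violates lt=65536", a.DestinationPort))
	}
	if a.RiskScore < 0.0 || a.RiskScore > 1.0 {
		v = append(v, fmt.Sprintf("risk_score=%g violates min=0.0,max=1.0", a.RiskScore))
	}
	// ordered appends a violation when both timestamps are set and later < earlier.
	ordered := func(name string, earlier, later uint64) {
		if earlier != 0 && later != 0 && later < earlier {
			v = append(v, fmt.Sprintf("%s (%d before %d)", name, later, earlier))
		}
	}
	ordered("ingest_time_usec precedes event_time_usec", a.EventTimeUsec, a.IngestTimeUsec)
	ordered("updated_time_usec precedes created_time_usec", a.CreatedTimeUsec, a.UpdatedTimeUsec)
	ordered("last_event_time_usec precedes first_event_time_usec", a.FirstEventTimeUsec, a.LastEventTimeUsec)
	return v
}

// EventTime converts the microsecond event_time_usec field into a UTC time.Time.
func EventTime(a AlertFields) time.Time {
	return time.UnixMicro(int64(a.EventTimeUsec)).UTC()
}

// WellFormed is a constructed sample record that satisfies every check.
func WellFormed() AlertFields {
	return AlertFields{
		Protocol: 6, SourcePort: 51234, DestinationPort: 443, RiskScore: 0.72,
		EventTimeUsec: 1700000000000000, IngestTimeUsec: 1700000005000000,
		CreatedTimeUsec: 1700000006000000, UpdatedTimeUsec: 1700000100000000,
		FirstEventTimeUsec: 1700000000000000, LastEventTimeUsec: 1700000003000000,
	}
}

// Malformed is a constructed sample record that breaks four checks: protocol,
// source_port, a percentage-style risk_score, and ingest before event time.
func Malformed() AlertFields {
	return AlertFields{
		Protocol: 300, SourcePort: 70000, DestinationPort: 443, RiskScore: 87,
		EventTimeUsec: 1700000000000000, IngestTimeUsec: 1699999000000000,
	}
}

func main() {
	for _, a := range []AlertFields{WellFormed(), Malformed()} {
		fmt.Printf("event_time=%s violations=%q\n",
			EventTime(a).Format(time.RFC3339), Violations(a))
	}
}
```

The risk_score case is the one most worth checking at ingest: providers that emit 0-100 scores will pass the type check but fail the 0-1 range, and silently accepting such values skews any downstream prioritisation that assumes the documented percentage-as-fraction convention.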