ExternalURI

ExternalURI references an external resource for a given event. This may be the source of an event, research, or other information that is outside of TDR.

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| uri | string | uri$ | Identifies the resource. This may be a web URL, UUID, or other string that uniquely identifies a single event in another resource. |
| description | string | description$ | A short description of what uri references. |
FileHash

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| md5 | string | md5$ | MD5 hash of the file. |
| sha1 | string | sha1$ | SHA-1 hash of the file. |
| sha256 | string | sha256$ | SHA-256 hash of the file. |
| sha512 | string | sha512$ | SHA-512 hash of the file. |
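The FileHash fields are only useful for indicator matching if every digest is well-formed and in one canonical case. The following is an added example, not TDR's own parser code: it validates each field against the expected hex-digest length, lower-cases accepted values, reports malformed ones instead of dropping them, and matches an indicator case-insensitively. The sample parser output is constructed locally (digests of an empty input, with one field deliberately broken); the dict layout keyed by the normalized field names is this example's assumption.

```python
import hashlib
import re

# Expected hex-digest length for each FileHash field (digest bits / 4).
HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def normalize_file_hash(raw: dict) -> dict:
    """Validate and canonicalize the four FileHash fields.

    Returns {"file_hash": {field: lower-cased digest},
             "rejected":  {field: original malformed value}}.
    Malformed digests are reported rather than silently dropped so a
    pipeline can alert when a parser starts emitting garbage.
    """
    accepted, rejected = {}, {}
    for field, hex_len in HASH_HEX_LENGTHS.items():
        value = raw.get(field)
        if value is None or value == "":
            continue  # absent fields are fine; the message is sparse by design
        candidate = str(value).strip()  # tolerate stray whitespace/newlines
        if len(candidate) == hex_len and _HEX_RE.match(candidate):
            accepted[field] = candidate.lower()  # canonical form for indexing
        else:
            rejected[field] = value
    return {"file_hash": accepted, "rejected": rejected}


def hash_matches(file_hash: dict, indicator: str) -> bool:
    """Case-insensitive match of one indicator against every populated digest."""
    needle = indicator.strip().lower()
    return any(digest == needle for digest in file_hash.values())


def sample_parser_output() -> dict:
    """Constructed sample resembling a parser's FileHash output (not real telemetry).

    Digests are computed locally for an empty input; sha1 is deliberately
    malformed and sha512 carries a trailing newline to exercise the checks.
    """
    return {
        "md5": hashlib.md5(b"").hexdigest().upper(),
        "sha1": "not-a-hash",
        "sha256": hashlib.sha256(b"").hexdigest(),
        "sha512": hashlib.sha512(b"").hexdigest() + "\n",
    }


if __name__ == "__main__":
    result = normalize_file_hash(sample_parser_output())
    print(result["file_hash"])
    print("rejected:", result["rejected"])
```

Rejecting rather than dropping matters operationally: a parser that suddenly emits truncated SHA-256 values would otherwise look like a stream of files with no hash, and indicator matches would silently stop firing.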
GeoSummary

GeoSummary provides a succinct summary of geographical facts associated with a given point-radius.

GeoSummary.ASN

For more information on ASNs see: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| autonomous_system_no | uint32 | autonomousSystemNo$ | The autonomous system number associated with the IP address. |
| autonomous_system_org | string | autonomousSystemOrg$ | The organization associated with the registered autonomous system number for the IP address. |
GeoSummary.City

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| geoname_id | uint32 | geonameId$ | A unique identifier for the city as specified by GeoNames. |
| locale_names | KeyValuePairsIndexed | | A map from locale codes, such as "en", to the localized names for the feature. |
| name | string | name$ | The name of the city. |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in the data sources and 99 representing total confidence in the data sources. |
GeoSummary.City.NamesEntry

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| key | string | key$ | Locale code, such as "en". |
| value | string | value$ | Localized name of the city for that locale. |
GeoSummary.Continent

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| geoname_id | uint32 | geonameId$ | A unique identifier for the continent as specified by GeoNames (http://www.geonames.org/). |
| code | string | code$ | A two-character code for the continent associated with the IP address. The possible codes are: AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania), SA (South America). |
GeoSummary.Country

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| geoname_id | uint32 | geonameId$ | A unique identifier for the country as specified by GeoNames. |
| iso_code | string | isoCode$ | The two-character ISO 3166-1 alpha-2 country code for the country associated with the IP address. |
| code | string | code$ | The three-letter ISO 3166-1 alpha-3 country code for the country associated with the IP address (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3). |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in the data sources and 99 representing total confidence in the data sources. |
GeoSummary.Location

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| radius | uint32 | radius$ | The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city, or postal code) associated with the IP address. |
| latitude | float | latitude$ | The approximate latitude of the postal code, city, subdivision, or country associated with the IP address. |
| longitude | float | longitude$ | The approximate longitude of the postal code, city, subdivision, or country associated with the IP address. |
| us_metro_code | uint32 | usMetroCode$ | The metro code associated with the IP address. Only available for IP addresses in the US. |
| timezone | string | timezone$ | The time zone associated with the location, as specified by the IANA Time Zone Database, e.g., "America/New_York". |
| gmt_offset | sint32 | gmtOffset$ | The offset from GMT associated with timezone. |
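A GeoSummary record carries several fields with a fixed domain (continent codes, ISO 3166-1 codes, confidence 0..99, latitude/longitude ranges) plus an accuracy radius, and a detection that keys on geography should check those before trusting the point. The block below is an added example, not TDR's own code: it validates a GeoSummary across its sub-messages, resolves a localized city name from locale_names with a fallback to name, and gates a location on radius and confidence so that a country-level fix cannot drive a location-based alert. Assumptions of this example: the record is a dict keyed by sub-message name (asn, city, continent, country, location) with the normalized field names inside, locale_names is carried as a list of {"key", "value"} records (the NamesEntry shape), and the sample values are constructed, not real lookups.

```python
CONTINENT_CODES = {"AF", "AN", "AS", "EU", "NA", "OC", "SA"}
UINT32_MAX = 0xFFFFFFFF


def _is_upper_alpha(code: str, length: int) -> bool:
    return len(code) == length and code.isascii() and code.isalpha() and code.isupper()


def validate_geo_summary(geo: dict) -> list:
    """Return human-readable problems; an empty list means the record is consistent."""
    problems = []

    asn_no = (geo.get("asn") or {}).get("autonomous_system_no")
    if asn_no is not None and not (0 <= asn_no <= UINT32_MAX):
        problems.append(f"asn.autonomous_system_no out of uint32 range: {asn_no}")

    code = (geo.get("continent") or {}).get("code")
    if code is not None and code not in CONTINENT_CODES:
        problems.append(f"continent.code is not a known continent code: {code!r}")

    country = geo.get("country") or {}
    alpha2, alpha3 = country.get("iso_code"), country.get("code")
    if alpha2 is not None and not _is_upper_alpha(alpha2, 2):
        problems.append(f"country.iso_code is not ISO 3166-1 alpha-2: {alpha2!r}")
    if alpha3 is not None and not _is_upper_alpha(alpha3, 3):
        problems.append(f"country.code is not ISO 3166-1 alpha-3: {alpha3!r}")

    for section in ("city", "country"):  # both carry a 0..99 confidence
        confidence = (geo.get(section) or {}).get("confidence")
        if confidence is not None and not (0 <= confidence <= 99):
            problems.append(f"{section}.confidence outside 0..99: {confidence}")

    location = geo.get("location") or {}
    lat, lon = location.get("latitude"), location.get("longitude")
    if (lat is None) != (lon is None):
        problems.append("location has only one of latitude/longitude")
    if lat is not None and not (-90.0 <= lat <= 90.0):
        problems.append(f"location.latitude out of range: {lat}")
    if lon is not None and not (-180.0 <= lon <= 180.0):
        problems.append(f"location.longitude out of range: {lon}")
    if location.get("radius") is not None and lat is None:
        problems.append("location.radius given without a point")
    return problems


def city_display_name(city: dict, locale: str = "en"):
    """Localized city name from locale_names, falling back to ``name``.

    locale_names is assumed here to be a list of {"key", "value"} records.
    """
    for entry in city.get("locale_names") or []:
        if entry.get("key") == locale and entry.get("value"):
            return entry["value"]
    return city.get("name")


def precise_enough(geo: dict, max_radius_km: int, min_confidence: int) -> bool:
    """Gate a geo-based detection on precision, not on the mere presence of a point.

    A country-level fix with a very large radius should not feed an
    impossible-travel style alert; require a tight radius and a city
    confidence at or above the threshold.
    """
    radius = (geo.get("location") or {}).get("radius")
    confidence = (geo.get("city") or {}).get("confidence")
    if radius is None or confidence is None:
        return False
    return radius <= max_radius_km and confidence >= min_confidence


def sample_geo_summary() -> dict:
    """Constructed sample record; values are illustrative, not real lookups (ASN is from the documentation range)."""
    return {
        "asn": {"autonomous_system_no": 64496, "autonomous_system_org": "Example Transit"},
        "city": {"geoname_id": 5128581, "name": "New York", "confidence": 80,
                 "locale_names": [{"key": "en", "value": "New York"}, {"key": "de", "value": "New York"}]},
        "continent": {"geoname_id": 6255149, "code": "NA"},
        "country": {"geoname_id": 6252001, "iso_code": "US", "code": "USA", "confidence": 99},
        "location": {"radius": 20, "latitude": 40.7128, "longitude": -74.0060,
                     "us_metro_code": 501, "timezone": "America/New_York", "gmt_offset": -18000},
    }
```

The radius gate is the part most often skipped in practice: latitude and longitude are always populated when any geo lookup succeeds, so "has a point" is not the same as "knows where the host is".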
KeyAndValues

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| key | string | key$ | Name of the key. |
| values | repeated string | values$ | One or more values associated with key. |
KeyValuePairsIndexed

A collection of KeyValueRecordIndexed entries; used, for example, for GeoSummary.City.locale_names.

KeyValueRecordIndexed

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| key | string | key$ | Name of the object, such as 'filename'. |
| value | string | value$ | Value of the object, such as 'important.docx'. |
ProcessCorrelationID

ProcessCorrelationID identifies a unique process. Because Windows reuses process IDs, pid alone is not unique; the pair (pid, timewindow) is.

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| pid | string | | Identifies the ID of the process. |
| timewindow | string | | An opaque value that makes a process unique, needed because Windows can reuse process IDs. This value is constructed from the create_time of the process but must be treated as opaque: do not convert it to a time or infer any other meaning from it. You may rely on the fact that newer processes have higher timewindow values than older processes (e.g., you may sort by timewindow). |
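The practical consequence of PID reuse is that any grouping, join or timeline keyed on pid alone will merge events from unrelated processes. The block below is an added example, not TDR's own code: it groups events by the (pid, timewindow) pair, lists the distinct incarnations of one PID in creation order using only the documented ordering guarantee, and shows the naive pid-only grouping beside it for contrast. The events, the pid, the timewindow strings and the event field names are all constructed for this example; the example also assumes the opaque timewindow values compare correctly as strings, which it relies on for sorting without ever parsing them.

```python
from collections import defaultdict


def process_key(event: dict) -> tuple:
    """A process's identity is the (pid, timewindow) pair, never pid alone."""
    pcid = event["process_correlation_id"]
    return (pcid["pid"], pcid["timewindow"])


def group_events_by_process(events: list) -> dict:
    """Bucket events by their true process identity.

    Two processes that reused the same Windows PID land in different buckets
    because their timewindow values differ.
    """
    groups = defaultdict(list)
    for event in events:
        groups[process_key(event)].append(event)
    return dict(groups)


def process_incarnations(events: list, pid: str) -> list:
    """timewindow values of every distinct process that carried ``pid``, oldest first.

    Ordering uses only the documented guarantee that newer processes have
    higher timewindow values; the value is compared as an opaque string and
    never parsed (assumption: the opaque values order correctly as strings).
    """
    keys = {process_key(e) for e in events if process_key(e)[0] == pid}
    return [key[1] for key in sorted(keys, key=lambda k: k[1])]


def naive_pid_grouping(events: list) -> dict:
    """What NOT to do: keying on pid alone merges the two unrelated processes."""
    groups = defaultdict(list)
    for event in events:
        groups[event["process_correlation_id"]["pid"]].append(event)
    return dict(groups)


def sample_events() -> list:
    """Constructed sample events; pid, timewindow and other values are made up."""
    first = {"pid": "4312", "timewindow": "00000000001000"}
    second = {"pid": "4312", "timewindow": "00000000002750"}  # same PID, later process
    return [
        {"event": "process_start", "image": "C:\\Windows\\System32\\cmd.exe",
         "process_correlation_id": first},
        {"event": "network_connect", "dest": "203.0.113.5:443",
         "process_correlation_id": first},
        {"event": "process_exit", "process_correlation_id": first},
        # Windows hands the freed PID to an unrelated process later on.
        {"event": "process_start", "image": "C:\\Windows\\System32\\notepad.exe",
         "process_correlation_id": second},
    ]


if __name__ == "__main__":
    events = sample_events()
    for key, group in group_events_by_process(events).items():
        print(key, [e["event"] for e in group])
    print("incarnations of pid 4312:", process_incarnations(events, "4312"))
```

In the constructed sample the pid-only grouping attributes the outbound connection made by the first process to the same bucket as the later notepad.exe start, which is exactly the kind of mis-attribution that sends an analyst down the wrong path.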
TimeFidelity

| Name | Number | Description |
| --- | --- | --- |
| UNDEFINED | 0 | Unused but required for proto3. |
| SECOND | 1 | 10^0 seconds (whole seconds) |
| MILLI | 2 | 10^-3 seconds |
| MICRO | 3 | 10^-6 seconds |
| NANO | 4 | 10^-9 seconds |
Enrichments

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| attack_technique_ids | repeated string | | List of MITRE ATT&CK technique IDs. |
| rule_id_to_techniques | repeated KeyAndValues | | Maps a rule ID (key) to the technique IDs it covers (values). If there is more than one state, the states are to be assumed OR'ed together. |
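Because the same techniques appear both as the flat attack_technique_ids list and inside rule_id_to_techniques, the two can drift apart when one is populated by a different code path than the other. The block below is an added example, not TDR's own code: it rebuilds the per-rule mapping from the repeated KeyAndValues with OR semantics (multiple entries for one rule are merged), flattens it to the union of technique IDs, validates the ATT&CK ID format, and cross-checks the flat list against the mapping. The rule IDs and the dict layout (KeyAndValues as {"key", "values"}) are this example's assumptions; the technique IDs use the ATT&CK numbering format.

```python
import re

# MITRE ATT&CK technique ID: T plus four digits, with an optional .NNN sub-technique.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def is_technique_id(value: str) -> bool:
    return bool(TECHNIQUE_ID_RE.match(value))


def parent_technique(technique_id: str) -> str:
    """T1059.001 -> T1059; a top-level technique maps to itself."""
    return technique_id.split(".", 1)[0]


def techniques_by_rule(rule_id_to_techniques: list) -> dict:
    """Turn the repeated KeyAndValues into {rule_id: set(technique_ids)}.

    Several entries for the same rule are merged (OR semantics): the rule
    covers any of the listed techniques.
    """
    mapping = {}
    for entry in rule_id_to_techniques:
        mapping.setdefault(entry["key"], set()).update(entry["values"])
    return mapping


def flatten_technique_ids(rule_id_to_techniques: list) -> list:
    """Union of every technique referenced by any rule, sorted for stable output."""
    seen = set()
    for entry in rule_id_to_techniques:
        seen.update(entry["values"])
    return sorted(seen)


def check_enrichments(enrichments: dict) -> list:
    """Cross-check attack_technique_ids against rule_id_to_techniques.

    Reports malformed IDs and any disagreement between the flat list and
    the per-rule mapping, so a detection that cites a technique with no
    rule behind it (or the reverse) is caught before it reaches a dashboard.
    """
    problems = []
    flat = enrichments.get("attack_technique_ids") or []
    per_rule = enrichments.get("rule_id_to_techniques") or []
    for tid in flat:
        if not is_technique_id(tid):
            problems.append(f"malformed technique id in attack_technique_ids: {tid!r}")
    for entry in per_rule:
        for tid in entry["values"]:
            if not is_technique_id(tid):
                problems.append(f"malformed technique id for rule {entry['key']!r}: {tid!r}")
    referenced = set(flatten_technique_ids(per_rule))
    listed = set(flat)
    for tid in sorted(referenced - listed):
        problems.append(f"technique {tid} mapped by a rule but missing from attack_technique_ids")
    for tid in sorted(listed - referenced):
        problems.append(f"technique {tid} listed without any rule mapping to it")
    return problems


def sample_enrichments() -> dict:
    """Constructed sample; the rule IDs are made up."""
    return {
        "attack_technique_ids": ["T1059.001", "T1021.002", "T1059"],
        "rule_id_to_techniques": [
            {"key": "rule-psh-encoded", "values": ["T1059.001"]},
            {"key": "rule-psh-encoded", "values": ["T1059"]},  # second entry for the same rule: OR'ed in
            {"key": "rule-smb-lateral", "values": ["T1021.002"]},
        ],
    }


if __name__ == "__main__":
    sample = sample_enrichments()
    print(techniques_by_rule(sample["rule_id_to_techniques"]))
    print("problems:", check_enrichments(sample))
```

parent_technique is there because coverage reporting usually rolls sub-techniques up to the parent; keeping the roll-up separate from validation avoids a mapping that silently turns T1059.001 into T1059 before anyone has checked the ID was well-formed.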