| Event Key | Definition | Type |
|---|---|---|
| Access Control Outcome | Outcome from Access Control | String |
| Access Key ID | The access key ID | String |
| Account ID | The account ID that generated the event | String |
| Account Name | The account name that generated the event | String |
| Account Vendor | Vendor name of the account ID owner | String |
| Action Token jti | The action token's JWT ID (jti) claim | String |
| Ad-hoc Query ID | ID of the ad-hoc query | String |
| Affected Family | Software family affected by the current CPE | String |
| Affected Platform | The platform (Linux, Mac OSX, Windows) affected by an IDS event | String |
| Affected Platforms | Software Platforms affected by the current CPE | String |
| Affected Products | Software Products affected by the current CPE | String |
| Agent UUID | The unique ID for the agent event | String |
| Alarm Connector IDs | Connector IDs in the alarm | String |
| Alarm Connector Sources | Connector Sources in the alarm | String |
| Alarm Destination Asset IDs | CSV of alarm destination asset IDs | String Array |
| Alarm Destination Blacklist Activity | CSV of the observed activities that caused the destination IP addresses to be listed in OTX | String Array |
| Alarm Destination Cities | CSV of alarm destination cities | String Array |
| Alarm Destination Countries | CSV of alarm destination countries | String Array |
| Alarm Destination Hostnames | Array of alarm destination hostnames | String Array |
| Alarm Destination IPs | Array of alarm destination IPs | String Array |
| Alarm Destination Latitudes | CSV of alarm destination latitudes | String Array |
| Alarm Destination Longitudes | CSV of alarm destination longitudes | String Array |
| Alarm Destination Names | Array with the destinations names of an alarm | String Array |
| Alarm Destination Organisations | CSV of alarm destination organisations | String Array |
| Alarm Destination User Account IDs | Array of alarm destination user account IDs | String Array |
| Alarm Destination User IDs | Array of alarm destination user IDs | String Array |
| Alarm Destination Users | Array of alarm destination users | String Array |
| Alarm Destination Zones | CSV of alarm destination zones | String Array |
| Alarm Destinations | Array with the destinations of an alarm | String Array |
| Alarm Events Count | Total number of events in an alarm | Long |
| Alarm ID | The ID associated with the alarm | String |
| Alarm Labels | Array with the alarm labels IDs | String Array |
| Alarm Response Codes | Array of alarm response codes | String Array |
| Alarm Sensor Sources | Array of the sensor sources which originate the alarm | String Array |
| Alarm Source Asset IDs | CSV of alarm source asset IDs | String Array |
| Alarm Source Blacklist Activity | CSV of the observed activities that caused the source IP addresses to be listed in OTX | String Array |
| Alarm Source Cities | CSV of alarm source cities | String Array |
| Alarm Source Countries | CSV of alarm source countries | String Array |
| Alarm Source Hostnames | Array of alarm source hostnames | String Array |
| Alarm Source IPs | Array of alarm source IPs | String Array |
| Alarm Source Latitudes | CSV of alarm source latitudes | String Array |
| Alarm Source Longitudes | CSV of alarm source longitudes | String Array |
| Alarm Source Names | Array of the unique sources names for an alarm | String Array |
| Alarm Source Organisations | CSV of alarm source organisations | String Array |
| Alarm Source User Account IDs | Array of alarm source user account IDs | String Array |
| Alarm Source User IDs | Array of alarm source user IDs | String Array |
| Alarm Source Users | Array of alarm source users | String Array |
| Alarm Source Zones | CSV of alarm source zones | String Array |
| Alarm Sources | Array of the unique sources for an alarm | String Array |
| Analysis Account ID | The ID of the user account | String |
| Analysis Account Name | The name of the user account | String |
| Analysis Account Status | The status of the user account | String Array |
| Analysis Account Type | The type of user account | String |
| Analysis Account User Name | The user name associated with the user account | String |
| Analysis User ID | The ID of the user | String |
| Analysis User Name | The name of the user | String |
| Analysis User Status | The status of the user | String |
| App Execution Parameters | The application execution parameters | String |
| App ID | The ID of the App which generated this event | String |
| App Name | The Name of the App which generated this event | String |
| App Type | The App type which generated this event | String |
| Application Protocol | Layer-7 protocol observed in the event (e.g. SSH, FTP, SNMP) | String |
| Application Type | Application type | String |
| Application | Application name | String |
| Asset Group ID | The ID of the Asset Group in AssetDB | String |
| Asset Status | Asset Status | String |
| Asset Tag | Asset metadata name | String |
| Asset Tag Value | Asset metadata value | String |
| Assumed Role | Assumed role from AWS CloudTrail events | String |
| Audit Reason | The reason an audit event was generated | String |
| Authentication Mode | Authentication Mode | String |
| Authentication Package Name | The name of the authentication package used | String |
| Authentication Type | The method used by the user to authenticate, such as RSA key, password, or domain credentials | String |
| Base Event Count | A count associated with how many times was this same event observed | Integer |
| Blacklist Name | The name listed on the blacklist | String |
| Blacklist Reference URL | The referencing URL from the blacklist | URL |
| Blacklist Violating IP | The IP registered to the blacklist | IP |
| Bytes in | The number of bytes in an HTTP request | Long |
| Bytes out | The number of bytes in an HTTP response | Long |
| Case Numbers | Array of case numbers | String Array |
| Category ID | The ID of the taxonomy of the event | String |
| Certificate Issuer Name | The issuer name of the certificate | String |
| Certificate Serial Number | The serial number of the certificate | String |
| Certificate Subject Name | The subject name of the certificate | String |
| Changed Client | The ID of the client that was modified | String |
| Confidence | Confidence level | Integer |
| Connection Count | Number of incoming connections | Long |
| Connector ID | The ID of the connector that generated the event | String |
| Connector Source File | The source file of the connector that generated the event | String |
| Connector Source | The source of the connector that generated the event | String |
| Console Login | The outcome of an AWS console login attempt | String |
| Consumer | Consumer of the event | String |
| Container CMD | Container CMD | String |
| Container CPU | Container CPU | String |
| Container ID | The ID of the container | String |
| Container Image | The image name used to launch the container | String |
| Container Image ID | The id of the image used to launch the container | String |
| Container Memory | Container Memory | String |
| Container Name | The name of the container | String |
| Container Security Context | Container security context | String |
| Container State | The state of the container | String |
| Container Volume | Container volume | String |
| Contains Credit Card Number | The event contains credit card numbers | Boolean |
| Content Category | Category of the content being inspected as part of the connection, for example by a content-filtering or proxy device | String |
| Control ID | The Control Node ID which will process this event | String |
| Current PPS | Number of current packets per second (PPS) | Integer |
| Current Working Directory | The Current Working Directory (CWD) referenced in the event | String |
| Datascience Anomaly Score | The score (0-1, floating point) indicating how anomalous the event is. The closer to 1, the more anomalous | Double |
| Datascience Inference Explanation | A JSON string representing the explanation map/dictionary of the prediction/inference | String |
| Datascience Inference Type | A string representing the type of inference done on the event. For example, Anomalous Login Time | String |
| Datascience Inference Value Data Type | A string representing the data type of the value of inference result. For example, integer, float, categorical, etc. | String |
| Datascience Inference Value | A string representing the value of inference result—something human understandable and able to write rules against | String |
| Destination Account ID | Destination user account in the event | String |
| Destination Account Name | Destination Account name where the event was generated | String |
| Destination Account | Destination Account where the event was generated | String |
| Destination | This is compared against several known formats to extract relevant data. For example, <hostname>:<port>:<zone>, etc. | Network Info |
| Destination Additional Hostnames | Destination additional hostnames | String Array |
| Destination Address | Destination IP Address | IP |
| Destination Address 6 | Destination IP Address in v6 format | String |
| Destination ASN | Destination ASN | String |
| Destination Asset ID | CSV of alarm destination asset IDs | String Array |
| Destination Blacklist Activity | CSV of the observed activities that caused the destination IP addresses to be listed in OTX | String Array |
| Destination Blacklist Priority | OTX priority | String |
| Destination Blacklist Reliability | OTX reliability | String |
| Destination canonical | Canonical Destination | String |
| Destination City | Destination City | String |
| Destination Country | Destination Country | String |
| Destination CPE | Destination CPE | String |
| Destination Datacenter | Destination data center | String |
| Destination Datastore | Destination data store | String |
| Destination DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Destination FQDN | Destination FQDN | String |
| Destination Hostname | Destination hostname | String |
| Destination Infrastructure Name | Destination Infrastructure Name | String |
| Destination Infrastructure Type | Destination Infrastructure Type | String |
| Destination Instance ID | Instance ID for destination device | String |
| Destination Latitude | Destination latitude | String |
| Destination Location ID | This is an internal field used to associate this event with a particular location | String |
| Destination Location Name | This is an internal field used to associate this event with a particular location | String |
| Destination Longitude | Destination longitude | String |
| Destination MAC | Destination MAC Address | MAC |
| Destination MAC Vendor | Destination MAC Vendor | String |
| Destination Name | Destination Name | String |
| Destination NAT Address | Destination NAT IP Address | IP |
| Destination NAT Port | Destination NAT Port | Integer |
| Destination Netmask | Destination IP Address mask | IP |
| Destination Network | Destination network | String |
| Destination NT domain | Destination Windows Domain | String |
| Destination Organisation | Destination organisation | String |
| Destination Port Label | Destination Port Label | String |
| Destination Port | Destination Port | Port |
| Destination Post NAT Address | Destination address for the event message after NAT occurred | IP |
| Destination Post NAT Port | Port number of the event destination after NAT | Integer |
| Destination Pre NAT Address | Destination address for the event message before NAT | IP |
| Destination Pre NAT Port | Port number of the event destination before NAT | Integer |
| Destination Process | Destination Process Name | String |
| Destination Process ID | Destination Process ID | String |
| Destination Process User | Destination Process User | String |
| Destination Region | Destination region | String |
| Destination Registered Country | Destination Registered Country | String |
| Destination Service Name | The service which is targeted by this event | String |
| Destination Translated Address | Identifies the translated destination address that the event refers to in an IP network | IP |
| Destination Translated Port | Port after it was translated | Integer |
| Destination User Email | Destination user's email address | String |
| Destination User Group | The destination user group | String |
| Destination User ID | Destination user in the system | String |
| Destination User Privileges | Destination user's privileges | String |
| Destination UserID | Destination user's numeric ID | String |
| Destination Username | Destination user's name | String |
| Destination VGuest | Destination virtual guest | String |
| Destination VHost | Destination virtual host | String |
| Destination VPC | Destination VPC | String |
| Destinations VPN | Destination VPN | String |
| Destination Workstation | Destination workstation name | String |
| Destination Zone | Destination zone (e.g. DMZ, Office, Outside) | String |
| Destinations | List of destination asset IDs | String Array |
| Device Class | The Device Class listed in the system | String |
| Device Configuration | Configuration scheme/type set in a device | String |
| Device Custom Date 1-2 | There are two timestamps fields available which can be used to map fields which do not fit any other field of this dictionary | String |
| Device Custom Date 1-2 Label | All custom fields have a corresponding label field where the field itself can be described | String |
| Device Custom Number 1-3 | There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary | Integer |
| Device Custom Number 1-3 Label | All custom fields have a corresponding label field where the field itself can be described | String |
| Device Direction | Any information about what direction the communication that was observed has taken | String |
| Device DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Device Event Category | Represents the category assigned by the originating device | String |
| Device External ID | A name that uniquely identifies the device generating this event | String |
| Device Facility | The facility generating this event | String |
| Device Inbound Interface | Interface on which the packet or data entered the device | String |
| Device Name | The Device Name listed in the system | String |
| Device NT Domain | Device Windows Domain | String |
| Device Outbound Interface | Interface on which the packet or data left the device | String |
| Device Process Name | Process name associated to the event | String |
| Device Sender Address | Device sender address | IP |
| Device Sender Asset ID | Asset ID for device sender | String |
| Device Time Format | Format of the timestamp attached to this event | String |
| Device Translated Address | Identifies the translated device address that the event refers to in an IP network | IP |
| Device Vendor | The device vendor | String |
| DNS Message | DNS response message | String |
| DNS Rcode | DNS response code (RCODE) | Integer |
| DNS RR Name | The DNS Request/Response Resource Name | String |
| DNS RR Type | The DNS Resource Type | String |
| DNS Server Address | The address of the DNS server referenced in the event | String |
| DNS TTL | The DNS Time to Live | String |
| DNS Type | The DNS Type (Query / Answer) | String |
| Duration | The duration of the connection | String |
| Email Recipient | The Email recipient | |
| Email Relay | The relay the email was delivered through | String |
| Email Sender | The Email sender | |
| Email Subject | The subject of the email | String |
| Entity Category | The zone category of incident that is being reported | String |
| Environment Variable Key | The Environment Variable key referenced in the event | String |
| Environment Variable Value | The Environment Variable value referenced in the event | String |
| Error Code | The error code for an HTTP response | String |
| Error Message | The error message for a response | String |
| Event Action | The implied action of the event: Create, Read, Update, or Delete | String |
| Event Activity | The activity related to an event. In an IDS event this is the activity being detected | String |
| Event Attack ID | The ID associated with an event reporting an attack | String |
| Event Attack Tactic | The attack tactic type associated with an event reporting an attack | String |
| Event Attack Technique | The attack technique associated with an event reporting an attack | String |
| Event Auth Action | Action of the authorization event | String |
| Event Auth Role | Role of the authorization event | String |
| Event Auth Scope | Scope of the authorization event | String |
| Event Category | The taxonomy of the event | String |
| Event Change | The event change/action made by the user | String |
| Event CVE | The CVE associated with an event, for example the CVE referenced by an IDS signature | String |
| Event Description URL | The URL for full description of the event | String |
| Event Description | Full description of the event | String |
| Event Group | Event Grouping that this event belongs to | String |
| Event Group Job ID | When this group has been created from a job, the job ID | String |
| Event Group Type | Defines which kind of event group this is | String |
| Event Name | The short user-readable description of the event | String |
| Event Outcome | Displays the outcome, generally “success” or “failure” | String |
| Event Priority | The priority of the event | String |
| Event Receipt Time | The time at which the event related to the activity was received | Date |
| Event Ref Date | When the issue was first published | String |
| Event Ref ID | Event reference ID (CVE, etc) | String |
| Event Ref IDs | Event reference IDs (CVE, OSVDB, etc) | String Array |
| Event Ref Score | Score for the Issue (CVSS) | String |
| Event Ref Score V2 | Score V2 for the Issue (CVSS) | String |
| Event Ref Score V3 | Score V3 for the Issue (CVSS) | String |
| Event Ref Source | Issue Reference Source (CVE etc) | String |
| Event Ref Version | Issue Reference Source Version (CVE etc) | String |
| Event Severity | The severity of the event | String |
| Event Subcategory | The sub-taxonomy of the event | String |
| Event Type | The event type | String |
| Event Violation | The culprit | String |
| Events | Alarm events summary | String |
| Expires | Event expires | Boolean |
| External ID | An ID used by the originating device | String |
| File Create Time | The timestamp of when the file was created | String |
| File Hash | The hash of the file | String |
| File Hash Algorithm | The algorithm used to produce the file hash (SHA256, MD5, etc) | String |
| File Hash Md5 | The MD5 of the file | String |
| File Hash Sha1 | The SHA1 of the file | String |
| File Hash Sha256 | The SHA256 of the file | String |
| File ID | The Operating System ID of the file | String |
| File KB Size | The size in kilobytes of the file | String |
| File Modification Time | The last modification time of a file | String |
| File Name | The short name of a file | String |
| File Old Create Time | The previous creation time | String |
| File Old Hash Algorithm | The algorithm used to produce the previous file hash | String |
| File Old Hash | The previous file hash | String |
| File Old ID | The previous ID of the file | String |
| File Old Modification Time | The previous modification time of the file | String |
| File Old Name | The previous short file name | String |
| File Old Owner | Old file owner | String |
| File Old Path | The previous full path of the file | String |
| File Old Permission | The previous permissions of the file | String |
| File Old Size | The previous size of the file | String |
| File Old Type | The previous type of the file | String |
| File Owner | The current owner of a file | String |
| File Path | Full path of the file | String |
| File Permission | The OS permissions of the file | String |
| File Type | The type of the file | String |
| Full Message | A long message | String |
| Gateway | Gateway IP address | IP |
| Global List Name | Name of the Global List | String |
| Global List Value | Value from the list | String |
| Group Policy | Group Policy that the event refers to, for example an Active Directory Group Policy | String |
| Has Alarm | If this event is used by an alarm | Boolean |
| Highlight Fields | Array of important fields | String Array |
| HTML Link | A specified HTML link address | URL |
| HTML Snippet | A specified HTML link snippet | String |
| HTML Title | A specified HTML link title | String |
| HTTP Hostname | The hostname present in an HTTP connection | String |
| HTTP Referrer | The HTTP referrer in an HTTP request | String |
| Identity Group Name | Group name associated with the identity source address to further identify the identity event with Group name resolution | String |
| Identity Host Name | Host name information associated with the identity source address to further identify the true hostname tied to an event | String |
| Identity MAC | MAC associated with the identity source address to further identify the identity event with MAC resolution | String |
| Identity NetBIOS | NetBIOS name associated with the identity source address to further identify the identity event with NetBIOS name resolution | String |
| Identity Source Address | IPv4 or IPv6 address that can connect an event with a true user identity or true computer identity | IP |
| In Alarms | Array of alarms to which the event belongs | String Array |
| Incident ID | ID provided by the event source | String |
| Instance IDs | An array of the instance IDs for the instances being terminated | String Array |
| Instance Types | An array of the instance types for the instances being started | String Array |
| IOCs | Array with the matched Indicators of Compromise | String Array |
| IP Addresses | List of IP Addresses | String Array |
| k8s DNS Policy | K8S DNS Policy | String |
| k8s Node Name | K8S Node Name | String |
| k8s Priority | K8S Priority | String |
| Last Updated | When this item was last updated | String |
| Legacy Absolute | Legacy Key: Absolute | String |
| Legacy Application | Legacy Key: Application | String |
| Legacy Binary Data | Legacy Key: Binary Data | String |
| Legacy Condition | Legacy Key: Condition | String |
| Legacy CPU | Legacy Key: CPU | String |
| Legacy CTX | Legacy Key: CTX | String |
| Legacy Date | Legacy Key: Date | String |
| Legacy Device | Legacy Key: Device | String |
| Legacy Domain | Legacy Key: Domain | String |
| Legacy DST IP | Legacy Key: Destination IP | String |
| Legacy DST Port | Legacy Key: Destination Port | String |
| Legacy Event ID | Legacy Key: Event ID | String |
| Legacy Event Type | Legacy Key: Event Type | String |
| Legacy Extra Data | Legacy Key: Extra Data | String |
| Legacy FDdate | Legacy Key: FDate | String |
| Legacy Filename | Legacy Key: Filename | String |
| Legacy From | Legacy Key: From | String |
| Legacy GzipData | Legacy Key: GzipData | String |
| Legacy HIDS Event Type | Legacy Key: HIDS event type | String |
| Legacy Host | Legacy Key: host | String |
| Legacy Hostname | Legacy Key: hostname | String |
| Legacy Interface | Legacy Key: interface | String |
| Legacy Interval | Legacy Key: interval | String |
| Legacy Inventory Source | Legacy inventory source | String |
| Legacy IP | Legacy Key: IP | String |
| Legacy IPv | Legacy Key: IPv | String |
| Legacy Log | Legacy Key: log | String |
| Legacy Login | Legacy Key: login | String |
| Legacy MAC | Legacy Key: MAC | String |
| Legacy Mail | Legacy Key: Mail | String |
| Legacy Memory | Legacy Key: Memory | String |
| Legacy Occurrences | Legacy Key: Occurrences | String |
| Legacy Organization | Legacy Key: Organization | String |
| Legacy OS | Legacy Key: OS | String |
| Legacy Password | Legacy Key: Password | String |
| Legacy Plugin ID | Legacy Key: Plugin ID | String |
| Legacy Plugin SID | Legacy Key: Plugin SID | String |
| Legacy Port From | Legacy Key: Port From | String |
| Legacy Port To | Legacy Key: Port To | String |
| Legacy Port | Legacy Key: Port | String |
| Legacy Priority | Legacy Key: Priority | String |
| Legacy Protocol | Legacy Key: Protocol | String |
| Legacy Reliability | Legacy Key: Reliability | String |
| Legacy Sensor ID | Legacy Key: Sensor ID | String |
| Legacy Sensor | Legacy Key: Sensor | String |
| Legacy Service | Legacy Key: Service | String |
| Legacy Snort CID | Legacy Key: Snort CID | String |
| Legacy Snort SID | Legacy Key: Snort SID | String |
| Legacy Software | Legacy Key: Software | String |
| Legacy SRC IP | Legacy Key: Source IP | String |
| Legacy SRC Port | Legacy Key: Source Port | String |
| Legacy State | Legacy Key: State | String |
| Legacy Target | Legacy Key: Target | String |
| Legacy To | Legacy Key: To | String |
| Legacy Type | Legacy Key: Type | String |
| Legacy Unziplen | Legacy Key: Unzip Length | String |
| Legacy UserData | Legacy Key: UserData | String |
| Legacy Value | Legacy Key: Value | String |
| Legacy Vendor | Legacy Key: Vendor | String |
| Legacy Video | Legacy Key: Video | String |
| Level | The standard syslog level | Long |
| Log File | The Log File | String |
| Log | The raw log used to generate this event | String |
| Malware Family | Malware Family | String |
| Malware Variant | Virus or Malware Variant | String |
| Matched Value | The value that was matched for the enrichment metadata | String |
| Mute Alarm | Mute alarm | String |
| Needs Enrichment | If the event needs to be enriched | Boolean |
| Needs Internal Enrichment | If the event needs to be enriched with internal fields | Boolean |
| New Basic Constraints | New Basic Constraints | String |
| New Certificate | New Certificate | String |
| New IP | New IP | String |
| New Issuer | New Issuer | String |
| New Subject | New Subject | String |
| New Value | The new value in the field, after it was modified | String |
| Num Containers | Number of Containers | String |
| Object ID | The ID of the Object in AssetDB | String |
| Object Type | The object type of the source (if applies) | String |
| Old Basic Constraints | Old basic constraints | String |
| Old Certificate | Old certificate | String |
| Old IP | Old IP | IP |
| Old issue | Old issue | String |
| Old NS | Old NS | String |
| Old subject | Old subject | String |
| Operating System | Operating System | String |
| OTX activities | OTX activities | String |
| Package Architecture | The architecture of the package | String |
| Package Name | The name of the package | String |
| Package Revision | The revision of the package | String |
| Package Source | The source of the package | String |
| Package Version | The version of the package | String |
| Packet Data | The binary packet data of the event | String Array |
| Packet Payload | Packet payload information from Network IDS | String |
| Packet Type | What type of packet this is | String |
| Packets Received | The number of packets received | Integer |
| Packets Sent | The number of packets sent | Integer |
| Patch Reference ID | Patch reference id (Oval rule, etc) | String |
| Patch Vulnerability Reference List | List of reference ID’s (CVE, etc) for the patch event | String Array |
| Peak PPS | Packets per second (PPS) peak value | Integer |
| Pefile Company | The company field on a PE32 executable file | String |
| Pefile Description | The description field on a PE32 executable file | String |
| Pefile Fileversion | The fileversion field on a PE32 executable file | String |
| Pefile Product | The product field on a PE32 executable file | String |
| Plugin Device Type | The type of the device this plugin was made for | String |
| Plugin Device Version | The version of the device this plugin was made for | String |
| Plugin Device | Plugin Device | String |
| Plugin Family | Plugin Family | String |
| Plugin Parent | Parent which was used to normalize event | String |
| Plugin Rule | Plugin Rule | String |
| Plugin Vendor | The vendor of the device this plugin was made for | String |
| Plugin Version | Plugin Version | String |
| Plugin | Plugin used to normalize event | String |
| Policy | Policy that the event refers to, for example a Firewall or Content Filtering Policy | String |
| Policy Address | Address referenced in a policy, for example a database policy or firewall rule | String |
| Policy Interface | Network interface referenced in a policy, for example a database policy or firewall rule | String |
| Policy Mac | MAC address referenced in a policy, for example a database policy or firewall rule | String |
| Pre-authentication Type | The method used by the user to pre-authenticate, such as RSA key, password, or domain credentials | String |
| Previous Value | The value present in the field, before it was modified | String |
| Priority Label | Priority label of Alarm | String |
| Priority | Priority of Alarm | String |
| Project ID | Project ID | String |
| Protocol Version | Version of the current protocol | String |
| Realm | Realm where the user roles and permissions apply | String |
| Received From | Source this event was received from | String |
| Registry Path | The registry path | String |
| Registry Value | The registry value | String |
| Relative Distinguished Name | The relative distinguished name (RDN) of the directory entry referenced in the event | String |
| Reporting Device Canonical | Reporting Device Canonical Name | String |
| Reporting Device Address | Reporting device address | IP |
| Rep Device Address 6 | Reporting device address version 6 | String |
| Rep Device Asset ID | Instance ID for reporting device | String |
| Rep Device FQDN | Reporting device FQDN | String |
| Reporting Device Hostname | Reporting device hostname | String |
| Reporting Device Inbound Interface | The network interface receiving the traffic generating the event on the reporting device | String |
| Reporting Device Instance ID | Instance ID for the reporting device | String |
| Rep Device Location ID | This is an internal field used to associate this event with a particular location | String |
| Rep Device Location Name | This is an internal field used to associate this event with a particular location | String |
| Reporting Device MAC | Reporting device MAC | MAC |
| Reporting Device Model | The model of the reporting device | String |
| Reporting Device Outbound Interface | The network interface passing through the traffic generating the event on the reporting device | String |
| Reporting Device Rule ID | The ID of the rule used by the reporting device to generate this event (e.g. firewall rule, CVE, IDS rule) | String |
| Reporting Device Type | The device type of the reporting device | String |
| Reporting Device Vendor | The vendor of the reporting device | String |
| Reporting Device Version | The version of the reporting device | String |
| Report Executed Category | The category of the report | String |
| Report Executed Database Index | The database index to get the report | String |
| Report Executed Database | The database in which the report has been executed | String |
| Report Executed Date | When the report was executed | Date |
| Report Executed Format | The format used to save the report | String |
| Report Executed Key | The executed report’s key | String |
| Report Executed Parameters | The parameters used to run the query | String |
| Report Executed Query | The query executed to fill the report | String |
| Report Executed rsql Query | The rsql query executed to fill the report | String |
| Report Executed State | The search state | String |
| Report Executed User | User who ran the report | String |
| Report Executed UUID | The executed report's UUID (unique identifier) | String |
| Reputation Score | Risk or reputation score for a host | String |
| Request Content Type | The content type for the request | String |
| Request Cookies | The cookies passed in an HTTP request | String |
| Request HTTP Version | HTTP version for the request | String |
| Request Method | The HTTP request method - OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT | String |
| Request Referrer | Referrer for the request | String |
| Request URL | The URL referenced in an HTTP request | String |
| Request User Agent | User agent for the request | String |
| Resource Provider | Provider of resource | String |
| Resource URI | URI representing a resource uniquely | String |
| Response Code | The response code for the request | Integer |
| Response Content Type | HTTP response content type | String |
| Return Value | Return value | String |
| Role | Role or roles of the user in the organization | String |
| Rule Attack ID | Correlation Rule Attack ID | String |
| Rule Attack Tactic | Array of Correlation Rule Attack Tactics | String Array |
| Rule Attack Technique | Correlation Rule Attack Technique | String |
| Rule Dictionary | Rule Dictionary | String |
| Rule ID | Correlation Rule ID | String |
| Rule Intent | Alarm Intent | String |
| Rule Method | Alarm Method | String |
| Rule Name | Correlation Rule Name | String |
| Rule Strategy | Alarm Strategy | String |
| Rule UUID | Rule ID which triggered event | String |

| Event Key | Definition | Type |
|---|---|---|
| S3 Notification | S3 notification | String |
| Scheduled Task ID | The ID of the Scheduled task | String |
| Searched Site | Site searched | String |
| Security Group ID | Security Group ID | String |
| Security Group Name | Security Group Name | String |
| Sensor App Action | The Sensor App Action Called | String |
| Sensor Event Rate | The value of the sensor event rate | Double |
| Sensor Name | The name of the sensor that received this event | String |
| Sensor UUID | The UUID of the sensor that received this event | String |
| Session | Session Identifier | String |
| Shared Resource Name | The name of the shared resource | String |
| Short Message | A short descriptive message | String |
| Silent | Silent alarm | Boolean |
| Source Account ID | Source user account in the event | String |
| Source Account Name | Source account name where the event was generated | String |
| Source Account | Source Account where the event was generated | String |
| Source Additional Hostnames | Source additional hostnames | String Array |
| Source Address | Source IP Address | IP |
| Source Address 6 | Source IP Address in v6 format | String |
| Source ASN | Source ASN | String |
| Source Asset ID | This is an internal field used to associate this event with a particular asset | String |
| Source Blacklist Activity | Observed activity of the IP address that caused it to be listed in OTX | String |
| Source Blacklist Priority | OTX priority | String |
| Source Blacklist Reliability | OTX reliability | String |
| Source Canonical | Canonical Source | String |
| Source City | Source City | String |
| Source Country | Source Country | String |
| Source CPE | Source CPE | String |
| Source Datacenter | Source data center | String |
| Source Datastore | Source data store | String |
| Source DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Source FQDN | Source FQDN | String |
| Source Hostname | Source hostname | String |
| Source Infrastructure Name | Source Infrastructure Name | String |
| Source Infrastructure Type | Source Infrastructure Type | String |
| Source Instance ID | Instance ID for source device | String |
| Source Latitude | Source Latitude | String |
| Source Location ID | This is an internal field used to associate this event with a particular location | String |
| Source Location Name | This is an internal field used to associate this event with a particular location | String |
| Source Longitude | Source Longitude | String |
| Source MAC | Source MAC Address | MAC |
| Source MAC Vendor | Source MAC Vendor | String |
| Source Name | Source Name | String |
| Source NAT Address | Source NAT IP Address | IP |
| Source NAT Port | Source NAT Port | Integer |
| Source Netmask | Source IP Address mask | IP |
| Source Network | Source network | String |
| Source NT Domain | Source Windows Domain | String |
| Source Organisation | Source Organisation | String |
| Source Port Label | Source Port Label | String |
| Source Port | Source Port | Port |
| Source Post Nat Address | Source address for the event message after NAT occurred | IP |
| Source Post Nat Port | Port number of the event source after NAT | Integer |
| Source Pre Nat Address | Source address for the event message before NAT | IP |
| Source Pre Nat Port | Port number of the event source before NAT | Integer |
| Source Process | Source Process name | String |
| Source Process Command Line | The Process Command line | String |
| Source Process ID | Source Process ID | String |
| Source Process Parent | The Process Parent | String |
| Source Process Parent Commandline | The Parent Command Line | String |
| Source Process Parent Process ID | The Parent Process ID | String |
| Source Process User | Source Process User | String |
| Source Region | Source Region | String |
| Source Registered Country | Source Registered Country | String |
| Source Service Name | The service which is responsible for generating this event | String |
| Source Translated Address | Identifies the translated source address that the event refers to in an IP network | IP |
| Source Translated Port | Port after it was translated | Integer |
| Source User Email Domain | Source user email domain | String |
| Source User Email | Source user email | String |
| Source User Group | The source user group | String |
| Source User ID | Source user in the system | String |
| Source User Privileges | Source user's privileges | String |
| Source User ID | Source User ID | String |
| Source Username | Source username | String |
| Source Vguest | Source virtual guest | String |
| Source Vhost | Source virtual host | String |
| Source VPC | Source VPC | String |
| Source VPN | Source VPN | String |
| Source Workstation | Source Workstation | String |
| Source Zone | Source Zone | String |
| Source | Source - This is compared against several known formats to extract relevant data, e.g. `<hostname>:<port>:<zone>` etc. | Network Info |
| Sources | List of source asset IDs | String Array |
| SSH Authorized Key | The SSH authorized key | String |
| SSH Client Proto | Identifies the SSH client protocol | String |
| SSH Client Software | Identifies the SSH client software | String |
| SSH Server Proto | Identifies the SSH server protocol | String |
| SSH Server Software | Identifies the SSH server software | String |
| SSH Server Version | Identifies the SSH server version | String |
| Stat Name | The name of the stat that has exceeded its threshold | String |
| Stat Value | The value of the stat that has exceeded its threshold | Integer |
| Subcategory ID | The ID of the sub-taxonomy of the event | String |
| Suppress Rule ID | ID of the rule that suppressed this log | String |
| Suppress Rule Name | Name of the rule that suppressed this log | String |
| Suppressed | Whether the event is suppressed | String |
| Syslog Source | The source channel a syslog-ng event came from | String |
| System Event Type | The system event type generated | String |

| Event Key | Definition | Type |
|---|---|---|
| Tag | The syslog tag (the data found after the timestamp and before the `[]`) | String |
| Threat Intelligence Feed Name | Array with the name of the feeds that the pulse has matched | String Array |
| Threat Intelligence Matched Metadata | Array with tuples of metadata | String Array |
| Ticket Encryption Type | The ticket encryption type used | String |
| Time End | The ending time of the event, such as a file download | Date |
| Time Offset | The time offset the event occurred in | String |
| Time Start | The starting time of the event, such as a file download | Date |
| Time Zone | The timezone the event occurred in | String |
| Timestamp Arrived | The approximate time that the event arrived at the customer control node | Date |
| Timestamp End | Process end timestamp | Date |
| Timestamp Occurred | The time that the event occurred; set by default if not populated | Date |
| Timestamp Received | When the event was received by the system | Date |
| Timestamp Start | Process start timestamp | Date |
| Timestamp | The approximate time that the event is sent from the control node to hot storage | Date |
| TLS Cipher | The cipher algorithm used for this TLS connection | String |
| TLS Fingerprint | Identifies the SHA1 fingerprint of the certificate | String |
| TLS IssuerDN | Identifies the issuer DN of certificate | String |
| TLS SNI | Identifies the server name indication sent by a client | String |
| TLS Subject | Identifies the subject of the TLS protocol | String |
| TLS Version | Identifies the version of TLS protocol | String |
| Total Disconnection Time | Total time the monitored asset has stopped sending data | String |
| Total Packets | The total number of packets transmitted | Integer |
| Transaction Status | Transaction status | String |
| Transient | Whether the event is transient | Boolean |
| Transport Protocol | Layer-4 protocol observed in the event (e.g. TCP, UDP) | String |
| TTY Terminal | The TTY referenced in the event | String |

| Event Key | Definition | Type |
|---|---|---|
| Used Hint | Whether a hint was used to find the plugin | Boolean |
| User Group ID | Group ID that is associated with the user account | String |
| User Policy | Policy associated with the user account | String |
| User Realm | Portal name associated with the event | String |
| User Resource Type | User Resource Type | String |
| User Resource | Resource associated with the user account | String |
| User Role | Role type associated with the user account that created the event | String |
| User Type | The type of user account. Example: Local, special, etc. | String |
| UUID | The unique ID for this Event | String |

| Event Key | Definition | Type |
|---|---|---|
| Virtual Source Address | IP address of the virtual event source | IP |
| Virtual Source Name | Name of the virtual event source | String |

| Event Key | Definition | Type |
|---|---|---|
| Was Fuzzied | Whether the fuzzied parser was used to generate the event | Boolean |
| Was Guessed | Whether the plugin was determined by brute force | Boolean |
| was_legacy | Legacy Key: Was Legacy | String |
| watchlist | Array with matched watchlists | Array |
| Wireless Access Point | The access point of the wireless network | String |
| Wireless BSSID | The BSSID of the wireless network | String |
| Wireless Channel | The channel of the wireless network | String |
| Wireless Encryption | The encryption mechanism used by the wireless network | String |
| Wireless SSID | The SSID of the wireless network | String |
| WMI Class | WMI Class | String |
| WMI Consumer | WMI Consumer | String |
| WMI Filter | WMI Filter | String |
| WMI Path | WMI Path | String |

| Event Key | Definition | Type |
|---|---|---|
| Yara Signature | Yara Signatures | String Array |