Generic Fields
Field | Type | Description
CapturedImage | binary |
Category | string | category
Computer | string | computer name
Description | string | description
DestIP | string | destination IP
DestIP_Country_Code | string | country code of DestIP
DestIP_Country_Name | string | country name of DestIP
DestMAC | string | destination MAC address
EventID | long | event ID
EventLog | string | event log
EventPath | string | event path
EventType | long | event type
GMT | date | GMT time of the event
ID | string | ID
IP | string | IP
IsIncident | boolean | whether the event is categorized as a security incident
LocalTime | date | local time
N1 ... N40 | long | general purpose numeric fields
PlatformID | string | platform ID
PostDtsSHA256 | string | SHA-256 hash of the log after passing through the Data Transformation Service
PreDtsSHA256 | string | SHA-256 hash of the log before passing through the Data Transformation Service
RawData | string | raw data
ReceivedTime | date | received time
S1 ... S150 | string | general purpose string fields
SecondaryTag | string | secondary tag
SessionID | string | session ID
Source | string | source
SrcIP | string | source IP
SrcIP_Country_Code | string | country code of SrcIP
SrcIP_Country_Name | string | country name of SrcIP
SrcMAC | string | source MAC address
Tag | string | tag
Tenant | string | tenant
TimeOfDay | long | time of day
UserDomain | string | user domain
UserName | string | username
VersionMajor | long | major version
VersionMinor | long | minor version
content | string | content
|
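The PreDtsSHA256 / PostDtsSHA256 pair is what lets an analyst prove that a stored event is still the one the collector received and that the transformation stage did not alter it afterwards. The following is an added example, not Cyber Quest code: it assumes (the page does not say) that the pre-DTS hash is hex SHA-256 over the UTF-8 bytes of RawData, that the post-DTS hash is SHA-256 over the canonical JSON (sorted keys, no whitespace) of the transformed record without the two hash fields, and it uses a made-up one-line firewall format as the transformation input.

```python
"""Added example (not Cyber Quest code): integrity check of an event using
the PreDtsSHA256 / PostDtsSHA256 fields. Hash inputs are assumptions:
  PreDtsSHA256  = sha256(RawData bytes)
  PostDtsSHA256 = sha256(canonical JSON of the transformed record, minus the hash fields)
"""
import hashlib
import json
import re

# Constructed sample line in a hypothetical firewall format (not a real product format).
SAMPLE_RAW = "2023-11-14T22:13:20Z fw01 src=10.0.0.5 dst=203.0.113.7 action=deny"

# Hypothetical DTS parser for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<act>\S+)$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transform(raw: str) -> dict:
    """Stand-in for the Data Transformation Service: map a raw line onto generic fields."""
    m = LINE_RE.match(raw)
    if m is None:
        raise ValueError("unparseable line: %r" % raw)
    return {
        "Computer": m["host"],
        "SrcIP": m["src"],
        "DestIP": m["dst"],
        "Category": m["act"],
        "RawData": raw,          # the untransformed line travels with the record
    }


def canonical(record: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def ingest(raw: str) -> dict:
    """Hash before transformation, transform, hash after; attach both hashes."""
    pre = sha256_hex(raw.encode("utf-8"))
    record = transform(raw)
    post = sha256_hex(canonical(record))
    record["PreDtsSHA256"] = pre
    record["PostDtsSHA256"] = post
    return record


def verify(record: dict) -> dict:
    """Recompute both digests on a stored record and report which still hold.

    raw_intact False        -> RawData itself was altered after collection
    transform_intact False  -> some transformed field (or RawData) was altered after DTS
    """
    body = {k: v for k, v in record.items() if k not in ("PreDtsSHA256", "PostDtsSHA256")}
    return {
        "raw_intact": sha256_hex(record["RawData"].encode("utf-8")) == record["PreDtsSHA256"],
        "transform_intact": sha256_hex(canonical(body)) == record["PostDtsSHA256"],
    }


if __name__ == "__main__":
    rec = ingest(SAMPLE_RAW)
    print(verify(rec))
    rec["SrcIP"] = "10.0.0.6"   # simulate an edit in the store after transformation
    print(verify(rec))
```

Because RawData is part of the transformed record, a change to the raw line breaks both digests, while a change to a parsed field only breaks the post-DTS digest; comparing the two tells you at which stage of the pipeline the record diverged.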
|
|
|
_Timestamp
Field | Type | Description
SkewedOffset | long | the difference between real time and the machine's own clock time
Time | long | Unix epoch time: the number of seconds that have elapsed since 00:00:00 UTC, Thursday 1 January 1970
TimeZoneOffSet | long | the offset, in seconds, added to GMT to obtain local time
isDST | boolean | whether daylight saving (summer) time is in effect
|
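Events from several hosts can only be put in true order once each host's clock skew is removed; a host whose clock is far off is also worth flagging, since an NTP failure or a deliberately shifted clock both break timeline reconstruction. The following is an added example, not Cyber Quest code. It assumes, beyond what the page states, that Time is the machine clock in epoch seconds, that SkewedOffset is real time minus machine time (so it is added back), that TimeZoneOffSet is seconds added to GMT, and a skew alert threshold of 300 seconds; the events are constructed samples.

```python
"""Added example (not Cyber Quest code): derive GMT and LocalTime from a
_Timestamp sub-document and order events across hosts with skewed clocks.
Assumptions: Time = machine epoch seconds, SkewedOffset = real - machine,
TimeZoneOffSet = seconds added to GMT. Threshold is assumed."""
from datetime import datetime, timedelta, timezone

SKEW_ALERT_SECONDS = 300   # assumed tolerance; tune to your NTP policy

# Constructed sample events (three hosts, one 15 minutes behind real time).
EVENTS = [
    {"Computer": "dc01",
     "_Timestamp": {"Time": 1_700_000_000, "SkewedOffset": 0, "TimeZoneOffSet": 3600, "isDST": False}},
    {"Computer": "ws17",
     "_Timestamp": {"Time": 1_699_999_400, "SkewedOffset": 900, "TimeZoneOffSet": 3600, "isDST": False}},
    {"Computer": "fw01",
     "_Timestamp": {"Time": 1_700_000_100, "SkewedOffset": -5, "TimeZoneOffSet": 0, "isDST": False}},
]


def resolve_times(ts: dict) -> dict:
    """Return corrected GMT and LocalTime (timezone-aware) for one _Timestamp block."""
    corrected_epoch = ts["Time"] + ts["SkewedOffset"]          # undo the machine's clock error
    gmt = datetime.fromtimestamp(corrected_epoch, tz=timezone.utc)
    local_tz = timezone(timedelta(seconds=ts["TimeZoneOffSet"]))
    return {"GMT": gmt, "LocalTime": gmt.astimezone(local_tz)}


def order_events(events: list) -> list:
    """Sort events by corrected GMT; flag hosts whose skew exceeds the threshold."""
    out = []
    for ev in events:
        t = resolve_times(ev["_Timestamp"])
        skew = ev["_Timestamp"]["SkewedOffset"]
        out.append({
            "Computer": ev["Computer"],
            "GMT": t["GMT"].isoformat(),
            "LocalTime": t["LocalTime"].isoformat(),
            "SkewAlert": abs(skew) > SKEW_ALERT_SECONDS,
        })
    out.sort(key=lambda e: e["GMT"])   # ISO-8601 in UTC sorts lexically
    return out


def naive_order(events: list) -> list:
    """Order by the raw machine Time only, for comparison with order_events."""
    return [ev["Computer"] for ev in sorted(events, key=lambda e: e["_Timestamp"]["Time"])]


if __name__ == "__main__":
    print("by raw machine time :", naive_order(EVENTS))
    print("by corrected GMT    :", [e["Computer"] for e in order_events(EVENTS)])
    for e in order_events(EVENTS):
        print(e)
```

On the sample data the raw machine clocks put ws17 first, but after adding SkewedOffset its event is actually the last of the three; it is also the only host flagged, since a 900-second skew exceeds the assumed tolerance.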
|
|
|
_agent
Field | Type | Description
GUID | string | agent globally unique identifier
Name | string | name of the agent concerned
Site | string | location of the agent concerned
|
|
|
|
_asset
Field | Type | Description
Application | string | application name
Criticality | long | criticality rating (security level)
GeoLat | GEO | latitude decoded from the IP address
Name | string | the actual name of the asset
Owner | string | owner name
Project | string | project name
SecurityValue | long | security level
Site | string | the site (city) where the asset is located
URGeoLongL | GEO | longitude decoded from the IP address
|
|
|
|
_attack
Field | Type | Description
DestIP | string | destination IP: the IP address of the device to which the packet is being sent
GeoCity | string | city decoded from the IP address
GeoCountry | string | country decoded from the IP address
Host | string | the host (client or server) involved: a device that sends or receives data, services or applications on the network
GeoLat | GEO | latitude decoded from the IP address
GeoLong | GEO | longitude decoded from the IP address
Method | string | the attack method: the procedure or technique used
Object | string | network object: classifies the IP address into a type of network entity
OtherInfo | string | other information about the attack
Result | boolean | the result of the attack
SrcIP | string | source IP: the IP (Internet Protocol) address of the device that sent the IP packet
TriggeredRule | string | the rule whose conditions were met, causing the trigger action to be executed
|
|
|
|
_dataSource
Field | Type | Description
Name | string | the name of the data source
SecurityAppliance | string | the physical security appliance that is the data source
Version | string | the version of the data source
|
|
|
|
_event
Field | Type | Description
Category | string | a category assigned by Cyber Quest to each event
Result | boolean | success/failed
SourceObject | string | the object from which the action originated
SourceUser | string | the user from whom the action originated
SubCategory | string | a subcategory assigned by Cyber Quest to each event, depending on the main category
TargetObject | string | the object the action was directed at
TargetUser | string | the user the action was directed at
URL | string | Uniform Resource Locator: the location of the resource on the internet associated with the event
|
|
|
|
_forensics
Field | Type | Description
What | string | describes the action
Where | string | describes the location where the event occurred
Who | string | describes who created the event
Why | string | describes why the event was created
|
|
|
|
_geoLocation
Field | Type | Description
DestIPGeoCountry | string | country resolved from the destination IP
DestIPGeoPoint | geo_point | coordinates (point) resolved from the destination IP
DestIPGeocity | string | city resolved from the destination IP
Host | string | host
SrcIPGeoCountry | string | country resolved from the source IP
SrcIPGeoPoint | geo_point | coordinates (point) resolved from the source IP
SrcIPGeocity | string | city resolved from the source IP
|
|
|
|
_incident
Field | Type | Description
Category | string | a category assigned by Cyber Quest to each incident
Impact | string | a measure of the extent of the incident and of the potential damage it causes before it can be resolved
Score | long | numeric score of the incident (an incident being an unplanned situation in which an IT service is, or will be, interrupted or degraded in quality)
SubCategory | string | a subcategory assigned by Cyber Quest to each incident, depending on the main category
|
|
|
|
_malware
Field | Type | Description
DeliveryMethod | string | delivery method (mail, file, etc.)
Name | string | malware name
|
|
|
|
_network
Field | Type | Description
AplicationName | string | application name
DestIPv4 | ip | destination IP (IPv4)
DestIPv6 | string | destination IP (IPv6)
DestInterface | string | destination interface
DestPort | long | destination port
FlowID | string | NetFlow flow ID
PostNATDestIPv4 | ip | destination IP (IPv4) after network address translation
PostNATDestIPv6 | string | destination IP (IPv6) after network address translation
PostNATDestPort | long | destination port after network address translation
PostNATSrcIPv4 | ip | source IP (IPv4) after network address translation
PostNATSrcIPv6 | string | source IP (IPv6) after network address translation
PostNATSrcPort | long | source port after network address translation
Protocol | string | protocol
ReceivedBytes | long | received bytes
SrcIPv4 | ip | source IP (IPv4)
SrcIPv6 | string | source IP (IPv6)
SrcInterface | string | source interface
SrcPort | long | source port
TransferedBytes | long | transferred bytes