Xcitium NxSIEM

Admin Guide 1.4

Appendix 1 – Field Groups and Event Items Description

Each numbered entry below is a field group with its description; the bullets beneath it list the group's event items and what each item holds.

1. agent – Log collector
  • agent_id – ID of the collector
  • agent_ip – IP address of the collector
2. application – Application information contained in events
  • app_name – Application name
  • app_pid – Application process ID
3. classification – Event classification fields
  • class_action – Type of action attempted as part of the event
  • class_domain – Environment or domain of the event
  • class_object – Type of object that is targeted or affected by the event
  • class_service – Service involved in the event
  • class_status – Status of the event action identified by the action field
  • class_subject – Type of object that started the event action identified by the action field
4. custom – Custom field labels and their values
  • co_1 – Custom value 1
  • co_1label – Custom label 1
  • co_2 – Custom value 2
  • co_2label – Custom label 2
  • co_3 – Custom value 3
  • co_3label – Custom label 3
  • co_4 – Custom value 4
  • co_4label – Custom label 4
  • co_5 – Custom value 5
  • co_5label – Custom label 5
5. destination – Event target device
  • dst_host – Host name of the target device
  • dst_ip – IP address of the target device
  • dst_mac – MAC address of the target device
  • dst_port – Port that is targeted
  • dst_tr_ip – Translated IP address of the target device
  • dst_tr_port – Translated port
6. device – Device on which the logs are produced
  • dvc_host – Host name of the device
  • dvc_ip – IP address of the device
7. event – General event fields
  • agent_time – The time (in milliseconds) at which the raw log is processed on the collector
  • central_time – The time (in milliseconds) at which the raw log is transformed into an event
  • dvc_time – The time (in milliseconds) at which the log is seen on the device
  • event_id – Unique ID of the event
  • message – Message of the event
  • name – Name of the event
  • raw_log – The log text seen on the device
  • tags – Event tags separated by the pipe character (|)
  • type – Type of the event
  • customer_id – Identifier for the customer of the MSSP
  • mssp_id – Identifier for the MSSP
  • raw_size – Received log size in bytes, encoded in UTF-8
  • size – Normalized event size in bytes, encoded in UTF-8
8. file – File information contained in events
  • f_name – File name
  • f_size – File size
  • f_type – File type
  • f_uri_path – File URI path
  • f_url – File URL
  • f_md5 – MD5 hash value of the file
  • f_sha1 – SHA1 hash value of the file
  • f_sha256 – SHA256 hash value of the file
9. network – Network-related information contained in events
  • app_proto – Application protocol used in the event
  • bytes_in – Bytes received
  • bytes_out – Bytes sent
  • int_in – Inbound interface
  • int_out – Outbound interface
  • session_id – Session ID
  • trans_proto – Transport protocol used in the event
10. product – Product that produces the raw logs that will be converted to events
  • prod_name – Name of the product
  • prod_vendor – Vendor of the product
  • prod_version – Version of the product
11. rule – Rule (firewall, IPS, antivirus rule, etc.) information contained in events
  • rule_hit_count – How many hits occurred for the rule
  • rule_id – ID of the rule
  • rule_info – Extra information related to the rule
  • rule_name – Name of the rule
  • rule_sig_id – ID of the signature related to the rule
  • rule_sig_name – Name of the signature related to the rule
12. source – Event source device
  • src_host – Host name of the source device
  • src_ip – IP address of the source device
  • src_mac – MAC address of the source device
  • src_port – Event source port
  • src_tr_ip – Translated IP address of the source device
  • src_tr_port – Translated source port
13. syslog – Syslog information
  • facility – Syslog facility field
  • priority – Syslog priority field
  • severity – Syslog severity field
14. time – Time-related information (calculated based on agent_time)
  • pass_days – How many days have passed since January 1, 1970 UTC
  • pass_hours – How many hours have passed since January 1, 1970 UTC
  • pass_minutes – How many minutes have passed since January 1, 1970 UTC
  • pass_months – How many months have passed since January 1, 1970 UTC
  • pass_years – How many years have passed since January 1, 1970 UTC
15. user – User information contained in events
  • usr_domain – Domain of the user
  • usr_name – Name of the user
  • usr_uid – UID of the user
  • target_domain – Targeted user's domain
  • target_name – Targeted user's name
  • target_uid – Targeted user's unique ID
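To show how the groups above fit together on a real-looking record, here is an added example written for this page; it is not NxSIEM's own normalizer and does not come from Comodo. It takes a constructed firewall syslog line and fills in field names from the table: facility and severity are decoded from the syslog PRI value (facility × 8 + severity, as defined in the syslog RFCs), raw_size and size are UTF-8 byte counts, tags are joined with the pipe character, and the time group is derived from agent_time in epoch milliseconds. The agent_id and agent_ip values, the tag choice, the regular expressions, and the calendar-based calculation of pass_months and pass_years are assumptions made for the example; NxSIEM's actual derivation of those two fields is not documented here.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, not a log from any real NxSIEM deployment:
# a BSD-style syslog line (PRI, timestamp, host, tag, message) from a firewall.
SAMPLE_RAW_LOG = (
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 OUT=eth1 "
    "SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=443"
)

# Assumed line layout: <PRI>MMM dd HH:MM:SS host tag: message
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")
# key=value pairs inside the message body
KV_RE = re.compile(r"(\w+)=(\S+)")


def decode_pri(pri):
    """Syslog PRI = facility * 8 + severity, so the 'syslog' group fields follow."""
    return {"facility": pri // 8, "severity": pri % 8, "priority": pri}


def time_fields(agent_time_ms):
    """Derive the 'time' group from agent_time (epoch milliseconds), as the table says."""
    seconds = agent_time_ms // 1000
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    # Assumption: pass_months/pass_years count whole calendar months/years since 1970-01-01 UTC.
    return {
        "pass_minutes": seconds // 60,
        "pass_hours": seconds // 3600,
        "pass_days": seconds // 86400,
        "pass_months": (dt.year - 1970) * 12 + (dt.month - 1),
        "pass_years": dt.year - 1970,
    }


def normalize(raw_log, agent_time_ms, agent_id="agent-placeholder",
              agent_ip="192.0.2.10", tags=("firewall", "syslog")):
    """Map one raw syslog line onto the NxSIEM field names from the appendix table."""
    m = PRI_RE.match(raw_log)
    if not m:
        raise ValueError("not a syslog line with a PRI header")
    pri, _timestamp, host, tag, msg = m.groups()
    kv = dict(KV_RE.findall(msg))
    event = {
        # agent group (placeholder values, constructed for the example)
        "agent_id": agent_id,
        "agent_ip": agent_ip,
        "agent_time": agent_time_ms,
        # device / application groups
        "dvc_host": host,
        "app_name": tag,
        # event group: raw_size is the byte length of the UTF-8 encoded raw log
        "raw_log": raw_log,
        "raw_size": len(raw_log.encode("utf-8")),
        "message": msg,
        "tags": "|".join(tags),
        # source / destination / network groups from the key=value pairs
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "src_port": int(kv["SPT"]) if "SPT" in kv else None,
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "trans_proto": kv.get("PROTO"),
        "int_in": kv.get("IN"),
        "int_out": kv.get("OUT"),
        # classification group: first word of the message is the firewall verdict
        "class_action": msg.split(" ", 1)[0].lower(),
    }
    event.update(decode_pri(int(pri)))
    event.update(time_fields(agent_time_ms))
    # size: UTF-8 byte length of the normalized event (measured before the size
    # field itself is added; that ordering is an assumption of this example)
    event["size"] = len(json.dumps(event, sort_keys=True).encode("utf-8"))
    return event


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_RAW_LOG, 1_700_000_000_000), indent=2))
```

Running the module prints the normalized event; the difference between raw_size and size is visible directly, and a message containing non-ASCII characters gives a raw_size larger than its character count, which is the point of the table's "encoded in UTF-8" wording.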

© Comodo Group, Inc. 2025. All rights reserved.