Appendix 1 – Field Groups and Event Items Description
S.No |
Field Groups |
Description |
Event Items |
Description |
---|---|---|---|---|
1 |
agent |
Log collector |
agent_id |
ID of collector |
agent_ip |
IP address of collector |
|||
2 |
application |
Application information contained in events |
app_name |
Application Name |
app_pid |
Application Process ID |
|||
3 |
classification |
Event classification fields |
class_action |
Type of action attempted as part of the event |
class_domain |
Environment or domain of the event |
|||
class_object |
Type of object that is targeted oraffected by the event |
|||
class_service |
Service involved in event |
|||
class_status |
Status of the event action identified by the action field |
|||
class_subject |
Type of object that started the event action identified by the action field |
|||
4 |
custom |
Custom field labels and their values |
co_1 |
Custom Value 1 |
co_1label |
Custom Label 1 |
|||
co_2 |
Custom Value 2 |
|||
co_2label |
Custom Label 2 |
|||
co_3 |
Custom Value 3 |
|||
co_3label |
Custom Label 3 |
|||
co_4 |
Custom Value 4 |
|||
co_4label |
Custom Label 4 |
|||
co_5 |
Custom Value 5 |
|||
co_5label |
Custom Label 5 |
|||
5 |
destination |
Event target device |
dst_city |
Depending on country, it's either city or state of target device |
dst_country |
Country Name of target device |
|||
dst_host |
Host name of target device |
|||
dst_ip |
IP Address of target device |
|||
dst_ip_private |
To show whether this target IP is private or not |
|||
dst_ip_loc |
Latıtude and Longitude coordiantes of target device |
|||
dst_mac |
MAC Address of target device |
|||
dst_port |
Port that is targeted |
|||
dst_sd_1 |
If country has state, it's the state of target device's country(ex: USA/Kentucky) |
|||
dst_sd_2 |
Subdivision of state of target device's country |
|||
dst_tr_ip |
Translated IP Address of target device |
|||
dst_tr_port |
Translated Port |
|||
6 |
device |
Device where logs are produced on |
dvc_host |
Host name of device |
dvc_ip |
IP Address of device |
|||
7 |
event |
General event fields |
agent_time |
The time (in miliseconds) that raw log is processed on collector |
central_time |
The time (in miliseconds) that rae log is transformed to an event |
|||
customer_id |
identifier for the customer of mssp |
|||
dvc_time |
The time (in miliseconds) that log is seen on device |
|||
event_id |
Unique id of the event |
|||
It_1 |
Indicates list name event |
|||
It_2 |
Indicates list event field group and list name event |
|||
It_3 |
Indicates list event field group and list name and list type event |
|||
message |
Message of the event |
|||
mssp_id |
identifier for mssp |
|||
name |
Name of the event |
|||
raw_log |
The log text seen on device |
|||
raw_size |
Received log size in bytes encoded in UTF-8 |
|||
size |
Normalized event size in bytes encoded in UTF-8 |
|||
tag_list |
Event tags seperated with pipe character (|) |
|||
type |
Type of the event |
|||
8 |
file |
File information contained in events |
f_name |
File name |
f_size |
File size |
|||
f_type |
File type |
|||
f_uri_path |
File uri path |
|||
f_url |
File url |
|||
f_md5 |
MD5 hash value of the file |
|||
f_sha1 |
SHA1 hash value of the file |
|||
f_sha256 |
SHA256 hash value of the file |
|||
9 |
network |
Network-related information contained in events |
app_proto |
Application protocol used in event |
bytes_in |
Bytes received |
|||
bytes_out |
Bytes sent |
|||
int_in |
Interface in |
|||
int_out |
Out interface |
|||
session_id |
Session id |
|||
trans_proto |
Transport protocol used in event |
|||
10 |
product |
Product that produces raw logs that will be converted to events |
prod_name |
Name of the product |
prod_vendor |
Vendor of the product |
|||
prod_version |
Version of the product |
|||
11 |
rule |
Rule (firewall, ips, antivirus rule etc.) information contained in events |
rule_hit_count |
Represents how many hits occurred for the rule |
rule_id |
ID of the rule |
|||
rule_info |
Extra information related to the rule |
|||
rule_name |
Name of the rule |
|||
rule_sig_id |
ID of the signature related to rule |
|||
rule_sig_name |
Name of the signature related to rule |
|||
12 |
source |
Event source device |
src_city |
Depending on country, it's either city or state of source device |
src_country |
Country of source device |
|||
src_host |
Host name of source device |
|||
src_ip |
IP Address of source device |
|||
src_ip_private |
To show whether this source IP is private or not |
|||
src_loc |
Latıtude and Longitude coordiantes of source device |
|||
src_mac |
MAC Address of source device |
|||
src_port |
Event source port |
|||
src_sd_1 |
If country has state, it's the state of source device's country(ex: USA/Kentucky) |
|||
src_sd_2 |
Subdivision of state of source device's country |
|||
src_tr_ip |
Translated IP Address of source device |
|||
src_tr_port |
Source Port |
|||
13 |
syslog |
Syslog information |
facility |
Syslog facility field |
priority |
Syslog priority field |
|||
severity |
Syslog severity field |
|||
14 |
time |
Time-related information (calculated based on agent_time) |
partition_time |
Represents collection time of log in terms of day (calculated based on agent time) |
pass_days |
Represents how many days have passed since January 1, 1970 UTC |
|||
pass_hours |
Represents how many hours have passed since January 1, 1970 UTC |
|||
pass_minutes |
Represents how many minutes have passed since January 1, 1970 UTC |
|||
pass_months |
Represents how many months have passed since January 1, 1970 UTC |
|||
pass_years |
Represents how many years have passed since January 1, 1970 UTC |
|||
15 |
user |
User information contained in events |
usr_domain |
Domain of the user |
usr_name |
Name of the user |
|||
usr_uid |
UID of the user |
|||
target_domain |
Tageted User's Domain |
|||
target_name |
Tageted User's Name |
|||
target_uid |
Tageted User's Unique Id |