sophos fields

sophos Module

network.interface.name

Name of the network interface where the traffic has been observed.

type: keyword

rsa.internal.msg

This key is used to capture the raw message that comes into the Log Decoder

type: keyword

rsa.internal.messageid

type: keyword

rsa.internal.event_desc

type: keyword

rsa.internal.message

This key captures the contents of instant messages

type: keyword

rsa.internal.time

This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date

rsa.internal.level

Deprecated key defined only in table map.

type: long

rsa.internal.msg_id

This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.msg_vid

This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.data

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_server

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_val

Deprecated key defined only in table map.

type: keyword

rsa.internal.resource

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_id

Deprecated key defined only in table map.

type: keyword

rsa.internal.statement

Deprecated key defined only in table map.

type: keyword

rsa.internal.audit_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.entry

Deprecated key defined only in table map.

type: keyword

rsa.internal.hcode

Deprecated key defined only in table map.

type: keyword

rsa.internal.inode

Deprecated key defined only in table map.

type: long

rsa.internal.resource_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.dead

Deprecated key defined only in table map.

type: long

rsa.internal.feed_desc

This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.feed_name

This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.cid

This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_class

This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_group

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_host

This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_ip

This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.device_ipv6

This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.device_type

This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_type_id

Deprecated key defined only in table map.

type: long

rsa.internal.did

This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.entropy_req

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long

rsa.internal.entropy_res

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long

rsa.internal.event_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.feed_category

This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.forward_ip

This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip

rsa.internal.forward_ipv6

This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.header_id

This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.lc_cid

This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.lc_ctime

This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date

rsa.internal.mcb_req

This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long

rsa.internal.mcb_res

This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long

rsa.internal.mcbc_req

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long

rsa.internal.mcbc_res

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long

rsa.internal.medium

This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long

rsa.internal.node_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.nwe_callback_id

This key denotes that event is endpoint related

type: keyword

rsa.internal.parse_error

This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.payload_req

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.payload_res

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.process_vid_dst

Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.

type: keyword

rsa.internal.process_vid_src

Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.

type: keyword

rsa.internal.rid

This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long

rsa.internal.session_split

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.site

Deprecated key defined only in table map.

type: keyword

rsa.internal.size

This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long

rsa.internal.sourcefile

This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.ubc_req

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long

rsa.internal.ubc_res

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long

rsa.internal.word

This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log

type: keyword

rsa.time.event_time

This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form

type: date

rsa.time.duration_time

This key is used to capture the normalized duration/lifetime in seconds.

type: double

rsa.time.event_time_str

This key is used to capture the incomplete time mentioned in a session as a string

type: keyword

rsa.time.starttime

This key is used to capture the Start time mentioned in a session in a standard form

type: date

rsa.time.month

type: keyword

rsa.time.day

type: keyword

rsa.time.endtime

This key is used to capture the End time mentioned in a session in a standard form

type: date

rsa.time.timezone

This key is used to capture the timezone of the Event Time

type: keyword

rsa.time.duration_str

A text string version of the duration

type: keyword

rsa.time.date

type: keyword

rsa.time.year

type: keyword

rsa.time.recorded_time

The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date

rsa.time.datetime

type: keyword

rsa.time.effective_time

This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date

rsa.time.expire_time

This key is the timestamp that explicitly refers to an expiration.

type: date

rsa.time.process_time

Deprecated, use duration.time

type: keyword

rsa.time.hour

type: keyword

rsa.time.min

type: keyword

rsa.time.timestamp

type: keyword

rsa.time.event_queue_time

This key is the Time that the event was queued.

type: date

rsa.time.p_time1

type: keyword

rsa.time.tzone

type: keyword

rsa.time.eventtime

type: keyword

rsa.time.gmtdate

type: keyword

rsa.time.gmttime

type: keyword

rsa.time.p_date

type: keyword

rsa.time.p_month

type: keyword

rsa.time.p_time

type: keyword

rsa.time.p_time2

type: keyword

rsa.time.p_year

type: keyword

rsa.time.expire_time_str

This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword

rsa.time.stamp

Deprecated key defined only in table map.

type: date

rsa.misc.action

type: keyword

rsa.misc.result

This key is used to capture the outcome/result string value of an action in a session.

type: keyword

rsa.misc.severity

This key is used to capture the severity given the session

type: keyword

rsa.misc.event_type

This key captures the event category type as specified by the event source.

type: keyword

rsa.misc.reference_id

This key is used to capture an event id from the session directly

type: keyword

rsa.misc.version

This key captures Version of the application or OS which is generating the event.

type: keyword

rsa.misc.disposition

This key captures the end state of an action.

type: keyword

rsa.misc.result_code

This key is used to capture the outcome/result numeric value of an action in a session

type: keyword

rsa.misc.category

This key is used to capture the category of an event given by the vendor in the session

type: keyword

rsa.misc.obj_name

This is used to capture name of object

type: keyword

rsa.misc.obj_type

This is used to capture type of object

type: keyword

rsa.misc.event_source

This key captures Source of the event that’s not a hostname

type: keyword

rsa.misc.log_session_id

This key is used to capture a sessionid from the session directly

type: keyword

rsa.misc.group

This key captures the Group Name value

type: keyword

rsa.misc.policy_name

This key is used to capture the Policy Name only.

type: keyword

rsa.misc.rule_name

This key captures the Rule Name

type: keyword

rsa.misc.context

This key captures Information which adds additional context to the event.

type: keyword

rsa.misc.change_new

This key is used to capture the new values of the attribute that’s changing in a session

type: keyword

rsa.misc.space

type: keyword

rsa.misc.client

This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword

rsa.misc.msgIdPart1

type: keyword

rsa.misc.msgIdPart2

type: keyword

rsa.misc.change_old

This key is used to capture the old value of the attribute that’s changing in a session

type: keyword

rsa.misc.operation_id

An alert number or operation number. The values should be unique and non-repeating.

type: keyword

rsa.misc.event_state

This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword

rsa.misc.group_object

This key captures a collection/grouping of entities. Specific usage

type: keyword

rsa.misc.node

Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword

rsa.misc.rule

This key captures the Rule number

type: keyword

rsa.misc.device_name

This is used to capture the name of the device associated with the node, e.g. a physical disk, printer, etc.

type: keyword

rsa.misc.param

This key is the parameters passed as part of a command or application, etc.

type: keyword

rsa.misc.change_attrib

This key is used to capture the name of the attribute that’s changing in a session

type: keyword

rsa.misc.event_computer

This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.

type: keyword

rsa.misc.reference_id1

This key is for Linked ID to be used as an addition to "reference.id"

type: keyword

rsa.misc.event_log

This key captures the Name of the event log

type: keyword

rsa.misc.OS

This key captures the Name of the Operating System

type: keyword

rsa.misc.terminal

This key captures the Terminal Names only

type: keyword

rsa.misc.msgIdPart3

type: keyword

rsa.misc.filter

This key captures Filter used to reduce result set

type: keyword

rsa.misc.serial_number

This key is the Serial number associated with a physical asset.

type: keyword

rsa.misc.checksum

This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword

rsa.misc.event_user

This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.

type: keyword

rsa.misc.virusname

This key captures the name of the virus

type: keyword

rsa.misc.content_type

This key is used to capture Content Type only.

type: keyword

rsa.misc.group_id

This key captures Group ID Number (related to the group name)

type: keyword

rsa.misc.policy_id

This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword

rsa.misc.vsys

This key captures Virtual System Name

type: keyword

rsa.misc.connection_id

This key captures the Connection ID

type: keyword

rsa.misc.reference_id2

This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword

rsa.misc.sensor

This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword

rsa.misc.sig_id

This key captures IDS/IPS Int Signature ID

type: long

rsa.misc.port_name

This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword

rsa.misc.rule_group

This key captures the Rule group name

type: keyword

rsa.misc.risk_num

This key captures a Numeric Risk value

type: double

rsa.misc.trigger_val

This key captures the Value of the trigger or threshold condition.

type: keyword

rsa.misc.log_session_id1

This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword

rsa.misc.comp_version

This key captures the Version level of a sub-component of a product.

type: keyword

rsa.misc.content_version

This key captures Version level of a signature or database content.

type: keyword

rsa.misc.hardware_id

This key is used to capture unique identifier for a device or system (NOT a Mac address)

type: keyword

rsa.misc.risk

This key captures the non-numeric risk value

type: keyword

rsa.misc.event_id

type: keyword

rsa.misc.reason

type: keyword

rsa.misc.status

type: keyword

rsa.misc.mail_id

This key is used to capture the mailbox id/name

type: keyword

rsa.misc.rule_uid

This key is the Unique Identifier for a rule.

type: keyword

rsa.misc.trigger_desc

This key captures the Description of the trigger or threshold condition.

type: keyword

rsa.misc.inout

type: keyword

rsa.misc.p_msgid

type: keyword

rsa.misc.data_type

type: keyword

rsa.misc.msgIdPart4

type: keyword

rsa.misc.error

This key captures All non successful Error codes or responses

type: keyword

rsa.misc.index

type: keyword

rsa.misc.listnum

This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword

rsa.misc.ntype

type: keyword

rsa.misc.observed_val

This key captures the Value observed (from the perspective of the device generating the log).

type: keyword

rsa.misc.policy_value

This key captures the contents of the policy. This contains details about the policy

type: keyword

rsa.misc.pool_name

This key captures the name of a resource pool

type: keyword

rsa.misc.rule_template

A default set of parameters which are overlaid onto a rule (or rule name) and which effectively constitute a template

type: keyword

rsa.misc.count

type: keyword

rsa.misc.number

type: keyword

rsa.misc.sigcat

type: keyword

rsa.misc.type

type: keyword

rsa.misc.comments

Comment information provided in the log message

type: keyword

rsa.misc.doc_number

This key captures File Identification number

type: long

rsa.misc.expected_val

This key captures the Value expected (from the perspective of the device generating the log).

type: keyword

rsa.misc.job_num

This key captures the Job Number

type: keyword

rsa.misc.spi_dst

Destination SPI Index

type: keyword

rsa.misc.spi_src

Source SPI Index

type: keyword

rsa.misc.code

type: keyword

rsa.misc.agent_id

This key is used to capture agent id

type: keyword

rsa.misc.message_body

This key captures the contents of the message body.

type: keyword

rsa.misc.phone

type: keyword

rsa.misc.sig_id_str

This key captures a string object of the sigid variable.

type: keyword

rsa.misc.cmd

type: keyword

rsa.misc.misc

type: keyword

rsa.misc.name

type: keyword

rsa.misc.cpu

This key is the CPU time used in the execution of the event being recorded.

type: long

rsa.misc.event_desc

This key is used to capture a description of an event available directly or inferred

type: keyword

rsa.misc.sig_id1

This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long

rsa.misc.im_buddyid

type: keyword

rsa.misc.im_client

type: keyword

rsa.misc.im_userid

type: keyword

rsa.misc.pid

type: keyword

rsa.misc.priority

type: keyword

rsa.misc.context_subject

This key is to be used in an audit context where the subject is the object being identified

type: keyword

rsa.misc.context_target

type: keyword

rsa.misc.cve

This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword

rsa.misc.fcatnum

This key captures Filter Category Number. Legacy Usage

type: keyword

rsa.misc.library

This key is used to capture library information in mainframe devices

type: keyword

rsa.misc.parent_node

This key captures the Parent Node Name. Must be related to node variable.

type: keyword

rsa.misc.risk_info

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.tcp_flags

This key captures the TCP flags set in any packet of a session

type: long

rsa.misc.tos

This key describes the type of service

type: long

rsa.misc.vm_target

VMware target. VMware-only variable.

type: keyword

rsa.misc.workspace

This key captures Workspace Description

type: keyword

rsa.misc.command

type: keyword

rsa.misc.event_category

type: keyword

rsa.misc.facilityname

type: keyword

rsa.misc.forensic_info

type: keyword

rsa.misc.jobname

type: keyword

rsa.misc.mode

type: keyword

rsa.misc.policy

type: keyword

rsa.misc.policy_waiver

type: keyword

rsa.misc.second

type: keyword

rsa.misc.space1

type: keyword

rsa.misc.subcategory

type: keyword

rsa.misc.tbdstr2

type: keyword

rsa.misc.alert_id

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.checksum_dst

This key is used to capture the checksum or hash of the target entity such as a process or file.

type: keyword

rsa.misc.checksum_src

This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword

rsa.misc.fresult

This key captures the Filter Result

type: long

rsa.misc.payload_dst

This key is used to capture destination payload

type: keyword

rsa.misc.payload_src

This key is used to capture source payload

type: keyword

rsa.misc.pool_id

This key captures the identifier (typically numeric field) of a resource pool

type: keyword

rsa.misc.process_id_val

This key is a failure key for Process ID when it is not an integer value

type: keyword

rsa.misc.risk_num_comm

This key captures Risk Number Community

type: double

rsa.misc.risk_num_next

This key captures Risk Number NextGen

type: double

rsa.misc.risk_num_sand

This key captures Risk Number SandBox

type: double

rsa.misc.risk_num_static

This key captures Risk Number Static

type: double

rsa.misc.risk_suspicious

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.risk_warning

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.snmp_oid

SNMP Object Identifier

type: keyword

rsa.misc.sql

This key captures the SQL query

type: keyword

rsa.misc.vuln_ref

This key captures the Vulnerability Reference details

type: keyword

rsa.misc.acl_id

type: keyword

rsa.misc.acl_op

type: keyword

rsa.misc.acl_pos

type: keyword

rsa.misc.acl_table

type: keyword

rsa.misc.admin

type: keyword

rsa.misc.alarm_id

type: keyword

rsa.misc.alarmname

type: keyword

rsa.misc.app_id

type: keyword

rsa.misc.audit

type: keyword

rsa.misc.audit_object

type: keyword

rsa.misc.auditdata

type: keyword

rsa.misc.benchmark

type: keyword

rsa.misc.bypass

type: keyword

rsa.misc.cache

type: keyword

rsa.misc.cache_hit

type: keyword

rsa.misc.cefversion

type: keyword

rsa.misc.cfg_attr

type: keyword

rsa.misc.cfg_obj

type: keyword

rsa.misc.cfg_path

type: keyword

rsa.misc.changes

type: keyword

rsa.misc.client_ip

type: keyword

rsa.misc.clustermembers

type: keyword

rsa.misc.cn_acttimeout

type: keyword

rsa.misc.cn_asn_src

type: keyword

rsa.misc.cn_bgpv4nxthop

type: keyword

rsa.misc.cn_ctr_dst_code

type: keyword

rsa.misc.cn_dst_tos

type: keyword

rsa.misc.cn_dst_vlan

type: keyword

rsa.misc.cn_engine_id

type: keyword

rsa.misc.cn_engine_type

type: keyword

rsa.misc.cn_f_switch

type: keyword

rsa.misc.cn_flowsampid

type: keyword

rsa.misc.cn_flowsampintv

type: keyword

rsa.misc.cn_flowsampmode

type: keyword

rsa.misc.cn_inacttimeout

type: keyword

rsa.misc.cn_inpermbyts

type: keyword

rsa.misc.cn_inpermpckts

type: keyword

rsa.misc.cn_invalid

type: keyword

rsa.misc.cn_ip_proto_ver

type: keyword

rsa.misc.cn_ipv4_ident

type: keyword

rsa.misc.cn_l_switch

type: keyword

rsa.misc.cn_log_did

type: keyword

rsa.misc.cn_log_rid

type: keyword

rsa.misc.cn_max_ttl

type: keyword

rsa.misc.cn_maxpcktlen

type: keyword

rsa.misc.cn_min_ttl

type: keyword

rsa.misc.cn_minpcktlen

type: keyword

rsa.misc.cn_mpls_lbl_1

type: keyword

rsa.misc.cn_mpls_lbl_10

type: keyword

rsa.misc.cn_mpls_lbl_2

type: keyword

rsa.misc.cn_mpls_lbl_3

type: keyword

rsa.misc.cn_mpls_lbl_4

type: keyword

rsa.misc.cn_mpls_lbl_5

type: keyword

rsa.misc.cn_mpls_lbl_6

type: keyword

rsa.misc.cn_mpls_lbl_7

type: keyword

rsa.misc.cn_mpls_lbl_8

type: keyword

rsa.misc.cn_mpls_lbl_9

type: keyword

rsa.misc.cn_mplstoplabel

type: keyword

rsa.misc.cn_mplstoplabip

type: keyword

rsa.misc.cn_mul_dst_byt

type: keyword

rsa.misc.cn_mul_dst_pks

type: keyword

rsa.misc.cn_muligmptype

type: keyword

rsa.misc.cn_sampalgo

type: keyword

rsa.misc.cn_sampint

type: keyword

rsa.misc.cn_seqctr

type: keyword

rsa.misc.cn_spackets

type: keyword

rsa.misc.cn_src_tos

type: keyword

rsa.misc.cn_src_vlan

type: keyword

rsa.misc.cn_sysuptime

type: keyword

rsa.misc.cn_template_id

type: keyword

rsa.misc.cn_totbytsexp

type: keyword

rsa.misc.cn_totflowexp

type: keyword

rsa.misc.cn_totpcktsexp

type: keyword

rsa.misc.cn_unixnanosecs

type: keyword

rsa.misc.cn_v6flowlabel

type: keyword

rsa.misc.cn_v6optheaders

type: keyword

rsa.misc.comp_class

type: keyword

rsa.misc.comp_name

type: keyword

rsa.misc.comp_rbytes

type: keyword

rsa.misc.comp_sbytes

type: keyword

rsa.misc.cpu_data

type: keyword

rsa.misc.criticality

type: keyword

rsa.misc.cs_agency_dst

type: keyword

rsa.misc.cs_analyzedby

type: keyword

rsa.misc.cs_av_other

type: keyword

rsa.misc.cs_av_primary

type: keyword

rsa.misc.cs_av_secondary

type: keyword

rsa.misc.cs_bgpv6nxthop

type: keyword

rsa.misc.cs_bit9status

type: keyword

rsa.misc.cs_context

type: keyword

rsa.misc.cs_control

type: keyword

rsa.misc.cs_data

type: keyword

rsa.misc.cs_datecret

type: keyword

rsa.misc.cs_dst_tld

type: keyword

rsa.misc.cs_eth_dst_ven

type: keyword

rsa.misc.cs_eth_src_ven

type: keyword

rsa.misc.cs_event_uuid

type: keyword

rsa.misc.cs_filetype

type: keyword

rsa.misc.cs_fld

type: keyword

rsa.misc.cs_if_desc

type: keyword

rsa.misc.cs_if_name

type: keyword

rsa.misc.cs_ip_next_hop

type: keyword

rsa.misc.cs_ipv4dstpre

type: keyword

rsa.misc.cs_ipv4srcpre

type: keyword

rsa.misc.cs_lifetime

type: keyword

rsa.misc.cs_log_medium

type: keyword

rsa.misc.cs_loginname

type: keyword

rsa.misc.cs_modulescore

type: keyword

rsa.misc.cs_modulesign

type: keyword

rsa.misc.cs_opswatresult

type: keyword

rsa.misc.cs_payload

type: keyword

rsa.misc.cs_registrant

type: keyword

rsa.misc.cs_registrar

type: keyword

rsa.misc.cs_represult

type: keyword

rsa.misc.cs_rpayload

type: keyword

rsa.misc.cs_sampler_name

type: keyword

rsa.misc.cs_sourcemodule

type: keyword

rsa.misc.cs_streams

type: keyword

rsa.misc.cs_targetmodule

type: keyword

rsa.misc.cs_v6nxthop

type: keyword

rsa.misc.cs_whois_server

type: keyword

rsa.misc.cs_yararesult

type: keyword

rsa.misc.description

type: keyword

rsa.misc.devvendor

type: keyword

rsa.misc.distance

type: keyword

rsa.misc.dstburb

type: keyword

rsa.misc.edomain

type: keyword

rsa.misc.edomaub

type: keyword

rsa.misc.euid

type: keyword

rsa.misc.facility

type: keyword

rsa.misc.finterface

type: keyword

rsa.misc.flags

type: keyword

rsa.misc.gaddr

type: keyword

rsa.misc.id3

type: keyword

rsa.misc.im_buddyname

type: keyword

rsa.misc.im_croomid

type: keyword

rsa.misc.im_croomtype

type: keyword

rsa.misc.im_members

type: keyword

rsa.misc.im_username

type: keyword

rsa.misc.ipkt

type: keyword

rsa.misc.ipscat

type: keyword

rsa.misc.ipspri

type: keyword

rsa.misc.latitude

type: keyword

rsa.misc.linenum

type: keyword

rsa.misc.list_name

type: keyword

rsa.misc.load_data

type: keyword

rsa.misc.location_floor

type: keyword

rsa.misc.location_mark

type: keyword

rsa.misc.log_id

type: keyword

rsa.misc.log_type

type: keyword

rsa.misc.logid

type: keyword

rsa.misc.logip

type: keyword

rsa.misc.logname

type: keyword

rsa.misc.longitude

type: keyword

rsa.misc.lport

type: keyword

rsa.misc.mbug_data

type: keyword

rsa.misc.misc_name

type: keyword

rsa.misc.msg_type

type: keyword

rsa.misc.msgid

type: keyword

rsa.misc.netsessid

type: keyword

rsa.misc.num

type: keyword

rsa.misc.number1

type: keyword

rsa.misc.number2

type: keyword

rsa.misc.nwwn

type: keyword

rsa.misc.object

type: keyword

rsa.misc.operation

type: keyword

rsa.misc.opkt

type: keyword

rsa.misc.orig_from

type: keyword

rsa.misc.owner_id

type: keyword

rsa.misc.p_action

type: keyword

rsa.misc.p_filter

type: keyword

rsa.misc.p_group_object

type: keyword

rsa.misc.p_id

type: keyword

rsa.misc.p_msgid1

type: keyword

rsa.misc.p_msgid2

type: keyword

rsa.misc.p_result1

type: keyword

rsa.misc.password_chg

type: keyword

rsa.misc.password_expire

type: keyword

rsa.misc.permgranted

type: keyword

rsa.misc.permwanted

type: keyword

rsa.misc.pgid

type: keyword

rsa.misc.policyUUID

type: keyword

rsa.misc.prog_asp_num

type: keyword

rsa.misc.program

type: keyword

rsa.misc.real_data

type: keyword

rsa.misc.rec_asp_device

type: keyword

rsa.misc.rec_asp_num

type: keyword

rsa.misc.rec_library

type: keyword

rsa.misc.recordnum

type: keyword

rsa.misc.ruid

type: keyword

rsa.misc.sburb

type: keyword

rsa.misc.sdomain_fld

type: keyword

rsa.misc.sec

type: keyword

rsa.misc.sensorname

type: keyword

rsa.misc.seqnum

type: keyword

rsa.misc.session

type: keyword

rsa.misc.sessiontype

type: keyword

rsa.misc.sigUUID

type: keyword

rsa.misc.spi

type: keyword

rsa.misc.srcburb

type: keyword

rsa.misc.srcdom

type: keyword

rsa.misc.srcservice

type: keyword

rsa.misc.state

type: keyword

rsa.misc.status1

type: keyword

rsa.misc.svcno

type: keyword

rsa.misc.system

type: keyword

rsa.misc.tbdstr1

type: keyword

rsa.misc.tgtdom

type: keyword

rsa.misc.tgtdomain

type: keyword

rsa.misc.threshold

type: keyword

rsa.misc.type1

type: keyword

rsa.misc.udb_class

type: keyword

rsa.misc.url_fld

type: keyword

rsa.misc.user_div

type: keyword

rsa.misc.userid

type: keyword

rsa.misc.username_fld

type: keyword

rsa.misc.utcstamp

type: keyword

rsa.misc.v_instafname

type: keyword

rsa.misc.virt_data

type: keyword

rsa.misc.vpnid

type: keyword

rsa.misc.autorun_type

This is used to capture Auto Run type

type: keyword

rsa.misc.cc_number

Valid Credit Card Numbers only

type: long

rsa.misc.content

This key captures the content type from protocol headers

type: keyword

rsa.misc.ein_number

Employee Identification Numbers only

type: long

rsa.misc.found

This is used to capture the results of regex match

type: keyword

rsa.misc.language

This is used to capture the list of languages the client supports and which it prefers

type: keyword

rsa.misc.lifetime

This key is used to capture the session lifetime in seconds.

type: long

rsa.misc.link

This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.misc.match

This key is for regex match name from search.ini

type: keyword

rsa.misc.param_dst

This key captures the command line/launch argument of the target process or file

type: keyword

rsa.misc.param_src

This key captures source parameter

type: keyword

rsa.misc.search_text

This key captures the Search Text used

type: keyword

rsa.misc.sig_name

This key is used to capture the Signature Name only.

type: keyword

rsa.misc.snmp_value

SNMP set request value

type: keyword

rsa.misc.streams

This key captures the number of streams in a session

type: long

rsa.db.index

This key captures IndexID of the index.

type: keyword

rsa.db.instance

This key is used to capture the database server instance name

type: keyword

rsa.db.database

This key is used to capture the name of a database or an instance as seen in a session

type: keyword

rsa.db.transact_id

This key captures the SQL transaction ID of the current session

type: keyword

rsa.db.permissions

This key captures permission or privilege level assigned to a resource.

type: keyword

rsa.db.table_name

This key is used to capture the table name

type: keyword

rsa.db.db_id

This key is used to capture the unique identifier for a database

type: keyword

rsa.db.db_pid

This key captures the process ID of a connection with the database server

type: long

rsa.db.lread

This key is used for the number of logical reads

type: long

rsa.db.lwrite

This key is used for the number of logical writes

type: long

rsa.db.pread

This key is used for the number of physical writes

type: long

rsa.network.alias_host

This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname: any hostname that isn't ad.computer.

type: keyword

rsa.network.domain

type: keyword

rsa.network.host_dst

This key should only be used when it’s a Destination Hostname

type: keyword

rsa.network.network_service

This is used to capture layer 7 protocols/service names

type: keyword

rsa.network.interface

This key should be used when the source or destination context of an interface is not clear

type: keyword

rsa.network.network_port

Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long

rsa.network.eth_host

Deprecated, use alias.mac

type: keyword

rsa.network.sinterface

This key should only be used when it’s a Source Interface

type: keyword

rsa.network.dinterface

This key should only be used when it’s a Destination Interface

type: keyword

rsa.network.vlan

This key should only be used to capture the ID of the Virtual LAN

type: long

rsa.network.zone_src

This key should only be used when it’s a Source Zone.

type: keyword

rsa.network.zone

This key should be used when the source or destination context of a Zone is not clear

type: keyword

rsa.network.zone_dst

This key should only be used when it’s a Destination Zone.

type: keyword

rsa.network.gateway

This key is used to capture the IP Address of the gateway

type: keyword

rsa.network.icmp_type

This key is used to capture the ICMP type only

type: long

rsa.network.mask

This key is used to capture the device network IPmask.

type: keyword

rsa.network.icmp_code

This key is used to capture the ICMP code only

type: long

rsa.network.protocol_detail

This key should be used to capture additional protocol information

type: keyword

rsa.network.dmask

This key is used for the Destination Device network mask

type: keyword

rsa.network.port

This key should only be used to capture a Network Port when the directionality is not clear

type: long

rsa.network.smask

This key is used for capturing source Network Mask

type: keyword

rsa.network.netname

This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword

rsa.network.paddr

Deprecated

type: ip

rsa.network.faddr

type: keyword

rsa.network.lhost

type: keyword

rsa.network.origin

type: keyword

rsa.network.remote_domain_id

type: keyword

rsa.network.addr

type: keyword

rsa.network.dns_a_record

type: keyword

rsa.network.dns_ptr_record

type: keyword

rsa.network.fhost

type: keyword

rsa.network.fport

type: keyword

rsa.network.laddr

type: keyword

rsa.network.linterface

type: keyword

rsa.network.phost

type: keyword

rsa.network.ad_computer_dst

Deprecated, use host.dst

type: keyword

rsa.network.eth_type

This key is used to capture the Ethernet Type; used for Layer 3 protocols only

type: long

rsa.network.ip_proto

This key should be used to capture the Protocol number; all protocol numbers are converted into strings in the UI

type: long

rsa.network.dns_cname_record

type: keyword

rsa.network.dns_id

type: keyword

rsa.network.dns_opcode

type: keyword

rsa.network.dns_resp

type: keyword

rsa.network.dns_type

type: keyword

rsa.network.domain1

type: keyword

rsa.network.host_type

type: keyword

rsa.network.packet_length

type: keyword

rsa.network.host_orig

This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword

rsa.network.rpayload

This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword

rsa.network.vlan_name

This key should only be used to capture the name of the Virtual LAN

type: keyword

rsa.investigations.ec_activity

This key captures the particular event activity (Ex: Logoff)

type: keyword

rsa.investigations.ec_theme

This key captures the Theme of a particular Event (Ex: Authentication)

type: keyword

rsa.investigations.ec_subject

This key captures the Subject of a particular Event (Ex: User)

type: keyword

rsa.investigations.ec_outcome

This key captures the outcome of a particular Event (Ex: Success)

type: keyword

rsa.investigations.event_cat

This key captures the Event category number

type: long

rsa.investigations.event_cat_name

This key captures the event category name corresponding to the event cat code

type: keyword

rsa.investigations.event_vcat

This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword

rsa.investigations.analysis_file

This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword

rsa.investigations.analysis_service

This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword

rsa.investigations.analysis_session

This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword

rsa.investigations.boc

This is used to capture behaviour of compromise

type: keyword

rsa.investigations.eoc

This is used to capture Enablers of Compromise

type: keyword

rsa.investigations.inv_category

This is used to capture the investigation category

type: keyword

rsa.investigations.inv_context

This is used to capture the investigation context

type: keyword

rsa.investigations.ioc

This key captures indicators of compromise

type: keyword

rsa.counters.dclass_c1

This is a generic counter key that should be used with the label dclass.c1.str only

type: long

rsa.counters.dclass_c2

This is a generic counter key that should be used with the label dclass.c2.str only

type: long

rsa.counters.event_counter

This is used to capture the number of times an event repeated

type: long

rsa.counters.dclass_r1

This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword

rsa.counters.dclass_c3

This is a generic counter key that should be used with the label dclass.c3.str only

type: long

rsa.counters.dclass_c1_str

This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword

rsa.counters.dclass_c2_str

This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword

rsa.counters.dclass_r1_str

This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword

rsa.counters.dclass_r2

This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword

rsa.counters.dclass_c3_str

This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword

rsa.counters.dclass_r3

This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword

rsa.counters.dclass_r2_str

This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword

rsa.counters.dclass_r3_str

This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword

rsa.identity.auth_method

This key is used to capture authentication methods used only

type: keyword

rsa.identity.user_role

This key is used to capture the Role of a user only

type: keyword

rsa.identity.dn

X.500 (LDAP) Distinguished Name

type: keyword

rsa.identity.logon_type

This key is used to capture the type of logon method used.

type: keyword

rsa.identity.profile

This key is used to capture the user profile

type: keyword

rsa.identity.accesses

This key is used to capture actual privileges used in accessing an object

type: keyword

rsa.identity.realm

Radius realm or similar grouping of accounts

type: keyword

rsa.identity.user_sid_dst

This key captures Destination User Session ID

type: keyword

rsa.identity.dn_src

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword

rsa.identity.org

This key captures the User organization

type: keyword

rsa.identity.dn_dst

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn

type: keyword

rsa.identity.firstname

This key is for First Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.identity.lastname

This key is for Last Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.identity.user_dept

User’s Department Names only

type: keyword

rsa.identity.user_sid_src

This key captures Source User Session ID

type: keyword

rsa.identity.federated_sp

This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword

rsa.identity.federated_idp

This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword

rsa.identity.logon_type_desc

This key is used to capture the textual description of an integer logon type as stored in the meta key logon.type.

type: keyword

rsa.identity.middlename

This key is for Middle Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.identity.password

This key is for Passwords seen in any session, plain text or encrypted

type: keyword

rsa.identity.host_role

This key should only be used to capture the role of a Host Machine

type: keyword

rsa.identity.ldap

This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context

type: keyword

rsa.identity.ldap_query

This key is the Search criteria from an LDAP search

type: keyword

rsa.identity.ldap_response

This key is to capture Results from an LDAP search

type: keyword

rsa.identity.owner

This is used to capture the username the process or service is running as, i.e. the author of the task

type: keyword

rsa.identity.service_account

This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy usage

type: keyword

rsa.email.email_dst

This key is used to capture the Destination email address only; when the destination context is not clear, use email

type: keyword

rsa.email.email_src

This key is used to capture the source email address only; when the source context is not clear, use email

type: keyword

rsa.email.subject

This key is used to capture the subject string from an Email only.

type: keyword

rsa.email.email

This key is used to capture a generic email address where the source or destination context is not clear

type: keyword

rsa.email.trans_from

Deprecated key defined only in table map.

type: keyword

rsa.email.trans_to

Deprecated key defined only in table map.

type: keyword

rsa.file.privilege

Deprecated, use permissions

type: keyword

rsa.file.attachment

This key captures the attachment file name

type: keyword

rsa.file.filesystem

type: keyword

rsa.file.binary

Deprecated key defined only in table map.

type: keyword

rsa.file.filename_dst

This is used to capture the name of the file targeted by the action

type: keyword

rsa.file.filename_src

This is used to capture the name of the parent file, i.e. the file which performed the action

type: keyword

rsa.file.filename_tmp

type: keyword

rsa.file.directory_dst

This key is used to capture the directory of the target process or file

type: keyword

rsa.file.directory_src

This key is used to capture the directory of the source process or file

type: keyword

rsa.file.file_entropy

This is used to capture the entropy value of a file

type: double

rsa.file.file_vendor

This is used to capture the company name of a file, as found in version_info

type: keyword

rsa.file.task_name

This is used to capture the name of the task

type: keyword

rsa.web.fqdn

Fully Qualified Domain Names

type: keyword

rsa.web.web_cookie

This key is used to capture the Web cookies specifically.

type: keyword

rsa.web.alias_host

type: keyword

rsa.web.reputation_num

Reputation Number of an entity. Typically used for Web Domains

type: double

rsa.web.web_ref_domain

Web referer’s domain

type: keyword

rsa.web.web_ref_query

This key captures Web referer’s query portion of the URL

type: keyword

rsa.web.remote_domain

type: keyword

rsa.web.web_ref_page

This key captures Web referer’s page information

type: keyword

rsa.web.web_ref_root

Web referer’s root URL path

type: keyword

rsa.web.cn_asn_dst

type: keyword

rsa.web.cn_rpackets

type: keyword

rsa.web.urlpage

type: keyword

rsa.web.urlroot

type: keyword

rsa.web.p_url

type: keyword

rsa.web.p_user_agent

type: keyword

rsa.web.p_web_cookie

type: keyword

rsa.web.p_web_method

type: keyword

rsa.web.p_web_referer

type: keyword

rsa.web.web_extension_tmp

type: keyword

rsa.web.web_page

type: keyword

rsa.threat.threat_category

This key captures Threat Name/Threat Category/Categorization of alert

type: keyword

rsa.threat.threat_desc

This key is used to capture the threat description from the session directly or inferred

type: keyword

rsa.threat.alert

This key is used to capture name of the alert

type: keyword

rsa.threat.threat_source

This key is used to capture source of the threat

type: keyword

rsa.crypto.crypto

This key is used to capture the Encryption Type or Encryption Key only

type: keyword

rsa.crypto.cipher_src

This key is for Source (Client) Cipher

type: keyword

rsa.crypto.cert_subject

This key is used to capture the Certificate organization only

type: keyword

rsa.crypto.peer

This key is for Encryption peer’s IP Address

type: keyword

rsa.crypto.cipher_size_src

This key captures Source (Client) Cipher Size

type: long

rsa.crypto.ike

IKE negotiation phase.

type: keyword

rsa.crypto.scheme

This key captures the Encryption scheme used

type: keyword

rsa.crypto.peer_id

This key is for Encryption peer’s identity

type: keyword

rsa.crypto.sig_type

This key captures the Signature Type

type: keyword

rsa.crypto.cert_issuer

type: keyword

rsa.crypto.cert_host_name

Deprecated key defined only in table map.

type: keyword

rsa.crypto.cert_error

This key captures the Certificate Error String

type: keyword

rsa.crypto.cipher_dst

This key is for Destination (Server) Cipher

type: keyword

rsa.crypto.cipher_size_dst

This key captures Destination (Server) Cipher Size

type: long

rsa.crypto.ssl_ver_src

Deprecated, use version

type: keyword

rsa.crypto.d_certauth

type: keyword

rsa.crypto.s_certauth

type: keyword

rsa.crypto.ike_cookie1

ID of the negotiation — sent for ISAKMP Phase One

type: keyword

rsa.crypto.ike_cookie2

ID of the negotiation — sent for ISAKMP Phase Two

type: keyword

rsa.crypto.cert_checksum

type: keyword

rsa.crypto.cert_host_cat

This key is used for the hostname category value of a certificate

type: keyword

rsa.crypto.cert_serial

This key is used to capture the Certificate serial number only

type: keyword

rsa.crypto.cert_status

This key captures Certificate validation status

type: keyword

rsa.crypto.ssl_ver_dst

Deprecated, use version

type: keyword

rsa.crypto.cert_keysize

type: keyword

rsa.crypto.cert_username

type: keyword

rsa.crypto.https_insact

type: keyword

rsa.crypto.https_valid

type: keyword

rsa.crypto.cert_ca

This key is used to capture the Certificate signing authority only

type: keyword

rsa.crypto.cert_common

This key is used to capture the Certificate common name only

type: keyword

rsa.wireless.wlan_ssid

This key is used to capture the SSID of a Wireless Session

type: keyword

rsa.wireless.access_point

This key is used to capture the access point name.

type: keyword

rsa.wireless.wlan_channel

This is used to capture the channel names

type: long

rsa.wireless.wlan_name

This key captures the WLAN number or name

type: keyword

rsa.storage.disk_volume

A unique name assigned to logical units (volumes) within a physical disk

type: keyword

rsa.storage.lun

Logical Unit Number. This key is a very useful concept in Storage.

type: keyword

rsa.storage.pwwn

This uniquely identifies a port on an HBA.

type: keyword

rsa.physical.org_dst

This is used to capture the destination organization based on the GeoIP Maxmind database.

type: keyword

rsa.physical.org_src

This is used to capture the source organization based on the GeoIP Maxmind database.

type: keyword

rsa.healthcare.patient_fname

This key is for First Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.healthcare.patient_id

This key captures the unique ID for a patient

type: keyword

rsa.healthcare.patient_lname

This key is for Last Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.healthcare.patient_mname

This key is for Middle Names only; it is used predominantly in Healthcare to capture patients' information

type: keyword

rsa.endpoint.host_state

This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword

rsa.endpoint.registry_key

This key captures the path to the registry key

type: keyword

rsa.endpoint.registry_value

This key captures values or decorators used within a registry entry

type: keyword

sophos.xg

Module for parsing Sophos XG syslog.

sophos.xg.action

Event Action

type: keyword

sophos.xg.activityname

Web policy activity that matched and caused the policy result.

type: keyword

sophos.xg.ap

Access Point Serial ID or LocalWifi0 or LocalWifi1.

type: keyword

sophos.xg.app_category

Name of the category under which application falls

type: keyword

sophos.xg.app_filter_policy_id

Application filter policy ID applied on the traffic

type: keyword

sophos.xg.app_is_cloud

Application is Cloud

type: keyword

sophos.xg.app_name

Application name

type: keyword

sophos.xg.app_resolved_by

Application is resolved by signature or synchronized application

type: keyword

sophos.xg.app_risk

Risk level assigned to the application

type: keyword

sophos.xg.app_technology

Technology of the application

type: keyword

sophos.xg.appfilter_policy_id

Application Filter policy applied on the traffic

type: integer

sophos.xg.application

Application name

type: keyword

sophos.xg.application_category

Application is resolved by signature or synchronized application

type: keyword

sophos.xg.application_filter_policy

Application Filter policy applied on the traffic

type: integer

sophos.xg.application_name

Application name

type: keyword

sophos.xg.application_risk

Risk level assigned to the application

type: keyword

sophos.xg.application_technology

Technology of the application

type: keyword

sophos.xg.appresolvedby

Technology of the application

type: keyword

sophos.xg.auth_client

Auth Client

type: keyword

sophos.xg.auth_mechanism

Auth mechanism

type: keyword

sophos.xg.av_policy_name

Malware scanning policy name which is applied on the traffic

type: keyword

sophos.xg.backup_mode

Backup mode

type: keyword

sophos.xg.branch_name

Branch Name

type: keyword

sophos.xg.category

IPS signature category.

type: keyword

sophos.xg.category_type

Type of category under which website falls

type: keyword

sophos.xg.classification

Signature classification

type: keyword

sophos.xg.client_host_name

Client host name

type: keyword

sophos.xg.client_physical_address

Client physical address

type: keyword

sophos.xg.clients_conn_ssid

Number of clients connected to the SSID.

type: long

sophos.xg.collisions

collisions

type: long

sophos.xg.con_event

Event Start/Stop

type: keyword

sophos.xg.con_id

Unique identifier of connection

type: integer

sophos.xg.configuration

Configuration

type: float

sophos.xg.conn_id

Unique identifier of connection

type: integer

sophos.xg.connectionname

Connectionname

type: keyword

sophos.xg.connectiontype

Connectiontype

type: keyword

sophos.xg.connevent

Event on which this log is generated

type: keyword

sophos.xg.connid

Connection ID

type: keyword

sophos.xg.content_type

Type of the content

type: keyword

sophos.xg.contenttype

Type of the content

type: keyword

sophos.xg.context_match

Context Match

type: keyword

sophos.xg.context_prefix

Content Prefix

type: keyword

sophos.xg.context_suffix

Context Suffix

type: keyword

sophos.xg.cookie

cookie

type: keyword

sophos.xg.date

Date (yyyy-mm-dd) when the event occurred

type: date

sophos.xg.destinationip

Original destination IP address of traffic

type: ip

sophos.xg.device

device

type: keyword

sophos.xg.device_id

Serial number of the device

type: keyword

sophos.xg.device_model

Model number of the device

type: keyword

sophos.xg.device_name

Model number of the device

type: keyword

sophos.xg.dictionary_name

Dictionary Name

type: keyword

sophos.xg.dir_disp

Packet direction. Possible values: “org”, “reply”, “”

type: keyword

sophos.xg.direction

Direction

type: keyword

sophos.xg.domainname

Domain from which virus was downloaded

type: keyword

sophos.xg.download_file_name

Download file name

type: keyword

sophos.xg.download_file_type

Download file type

type: keyword

sophos.xg.dst_country_code

Code of the country to which the destination IP belongs

type: keyword

sophos.xg.dst_domainname

Receiver domain name

type: keyword

sophos.xg.dst_ip

Original destination IP address of traffic

type: ip

sophos.xg.dst_port

Original destination port of TCP and UDP traffic

type: integer

sophos.xg.dst_zone_type

Type of destination zone

type: keyword

sophos.xg.dstdomain

Destination Domain

type: keyword

sophos.xg.duration

Duration of traffic (seconds)

type: long

sophos.xg.email_subject

Email Subject

type: keyword

sophos.xg.ep_uuid

Endpoint UUID

type: keyword

sophos.xg.ether_type

Ethernet frame type

type: keyword

sophos.xg.eventid

ATP Event ID

type: keyword

sophos.xg.eventtime

Event time

type: date

sophos.xg.eventtype

ATP event type

type: keyword

sophos.xg.exceptions

List of the checks excluded by web exceptions.

type: keyword

sophos.xg.execution_path

ATP execution path

type: keyword

sophos.xg.extra

extra

type: keyword

sophos.xg.file_name

Filename

type: keyword

sophos.xg.file_path

File path

type: keyword

sophos.xg.file_size

File Size

type: integer

sophos.xg.filename

File name associated with the event

type: keyword

sophos.xg.filepath

Path of the file containing the virus

type: keyword

sophos.xg.filesize

Size of the file that contained the virus

type: integer

sophos.xg.free

free

type: integer

sophos.xg.from_email_address

Sender email address

type: keyword

sophos.xg.ftp_direction

Direction of FTP transfer: Upload or Download

type: keyword

sophos.xg.ftp_url

FTP URL from which virus was downloaded

type: keyword

sophos.xg.ftpcommand

FTP command used when virus was found

type: keyword

sophos.xg.fw_rule_id

Firewall Rule ID which is applied on the traffic

type: integer

sophos.xg.fw_rule_type

Firewall rule type which is applied on the traffic

type: keyword

sophos.xg.hb_health

Heartbeat status

type: keyword

sophos.xg.hb_status

Heartbeat status

type: keyword

sophos.xg.host

Host

type: keyword

sophos.xg.http_category

HTTP Category

type: keyword

sophos.xg.http_category_type

HTTP Category Type

type: keyword

sophos.xg.httpresponsecode

HTTP response code

type: long

sophos.xg.iap

Internet Access policy ID applied on the traffic

type: keyword

sophos.xg.icmp_code

ICMP code of ICMP traffic

type: keyword

sophos.xg.icmp_type

ICMP type of ICMP traffic

type: keyword

sophos.xg.idle_cpu

idle ##

type: float

sophos.xg.idp_policy_id

IPS policy ID which is applied on the traffic

type: integer

sophos.xg.idp_policy_name

IPS policy name, i.e. the name of the IPS policy which is applied on the traffic

type: keyword

sophos.xg.in_interface

Interface for incoming traffic, e.g., Port A

type: keyword

sophos.xg.interface

interface

type: keyword

sophos.xg.ipaddress

Ipaddress

type: keyword

sophos.xg.ips_policy_id

IPS policy ID applied on the traffic

type: integer

sophos.xg.lease_time

Lease Time

type: keyword

sophos.xg.localgateway

Localgateway

type: keyword

sophos.xg.localnetwork

Localnetwork

type: keyword

sophos.xg.log_component

Component responsible for logging e.g. Firewall rule

type: keyword

sophos.xg.log_id

Unique 12-character code (0101011)

type: keyword

sophos.xg.log_subtype

Sub type of event

type: keyword

sophos.xg.log_type

Type of event e.g. firewall event

type: keyword

sophos.xg.log_version

Log Version

type: keyword

sophos.xg.login_user

ATP login user

type: keyword

sophos.xg.mailid

mailid

type: keyword

sophos.xg.mailsize

mailsize

type: integer

sophos.xg.message

Message

type: keyword

sophos.xg.mode

Mode

type: keyword

sophos.xg.nat_rule_id

NAT Rule ID

type: keyword

sophos.xg.newversion

Newversion

type: keyword

sophos.xg.oldversion

Oldversion

type: keyword

sophos.xg.out_interface

Interface for outgoing traffic, e.g., Port B

type: keyword

sophos.xg.override_authorizer

Override authorizer

type: keyword

sophos.xg.override_name

Override name

type: keyword

sophos.xg.override_token

Override token

type: keyword

sophos.xg.phpsessid

PHP session ID

type: keyword

sophos.xg.platform

Platform of the traffic.

type: keyword

sophos.xg.policy_type

Policy type applied to the traffic

type: keyword

sophos.xg.priority

Severity level of traffic

type: keyword

sophos.xg.protocol

Protocol number of traffic

type: keyword

sophos.xg.qualifier

Qualifier

type: keyword

sophos.xg.quarantine

Path and filename of the file quarantined

type: keyword

sophos.xg.quarantine_reason

Quarantine reason

type: keyword

sophos.xg.querystring

querystring

type: keyword

sophos.xg.raw_data

Raw data

type: keyword

sophos.xg.received_pkts

Total number of packets received

type: long

sophos.xg.receiveddrops

received drops

type: long

sophos.xg.receivederrors

received errors

type: keyword

sophos.xg.receivedkbits

received kbits

type: long

sophos.xg.recv_bytes

Total number of bytes received

type: long

sophos.xg.red_id

RED ID

type: keyword

sophos.xg.referer

Referer

type: keyword

sophos.xg.remote_ip

Remote IP

type: ip

sophos.xg.remotenetwork

remotenetwork

type: keyword

sophos.xg.reported_host

Reported Host

type: keyword

sophos.xg.reported_ip

Reported IP

type: keyword

sophos.xg.reports

Reports

type: float

sophos.xg.rule_priority

Priority of IPS policy

type: keyword

sophos.xg.sent_bytes

Total number of bytes sent

type: long

sophos.xg.sent_pkts

Total number of packets sent

type: long

sophos.xg.server

Server

type: keyword

sophos.xg.sessionid

Sessionid

type: keyword

sophos.xg.sha1sum

SHA1 checksum of the item being analyzed

type: keyword

sophos.xg.signature

Signature

type: float

sophos.xg.signature_id

Signature ID

type: keyword

sophos.xg.signature_msg

Signature message

type: keyword

sophos.xg.site_category

Site Category

type: keyword

sophos.xg.source

Source

type: keyword

sophos.xg.sourceip

Original source IP address of traffic

type: ip

sophos.xg.spamaction

Spam Action

type: keyword

sophos.xg.sqli

related SQLI caught by the WAF

type: keyword

sophos.xg.src_country_code

Code of the country to which the source IP belongs

type: keyword

sophos.xg.src_domainname

Sender domain name

type: keyword

sophos.xg.src_ip

Original source IP address of traffic

type: ip

sophos.xg.src_mac

Original source MAC address of traffic

type: keyword

sophos.xg.src_port

Original source port of TCP and UDP traffic

type: integer

sophos.xg.src_zone_type

Type of source zone

type: keyword

sophos.xg.ssid

Configured SSID name.

type: keyword

sophos.xg.start_time

Start time

type: date

sophos.xg.starttime

Starttime

type: date

sophos.xg.status

Ultimate status of traffic – Allowed or Denied

type: keyword

sophos.xg.status_code

Status code

type: keyword

sophos.xg.subject

Email subject

type: keyword

sophos.xg.syslog_server_name

Syslog server name.

type: keyword

sophos.xg.system_cpu

system

type: float

sophos.xg.target

Platform of the traffic.

type: keyword

sophos.xg.temp

Temp

type: float

sophos.xg.threatname

ATP threatname

type: keyword

sophos.xg.timestamp

timestamp

type: date

sophos.xg.timezone

Time (hh:mm:ss) when the event occurred

type: keyword

sophos.xg.to_email_address

Recipient email address

type: keyword

sophos.xg.total_memory

Total Memory

type: integer

sophos.xg.trans_dst_ip

Translated destination IP address for outgoing traffic

type: ip

sophos.xg.trans_dst_port

Translated destination port for outgoing traffic

type: integer

sophos.xg.trans_src_ip

Translated source IP address for outgoing traffic

type: ip

sophos.xg.trans_src_port

Translated source port for outgoing traffic

type: integer

sophos.xg.transaction_id

Transaction ID

type: keyword

sophos.xg.transactionid

Transaction ID of the AV scan.

type: keyword

sophos.xg.transmitteddrops

transmitted drops

type: long

sophos.xg.transmittederrors

transmitted errors

type: keyword

sophos.xg.transmittedkbits

transmitted kbits

type: long

sophos.xg.unit

unit

type: keyword

sophos.xg.updatedip

updatedip

type: ip

sophos.xg.upload_file_name

Upload file name

type: keyword

sophos.xg.upload_file_type

Upload file type

type: keyword

sophos.xg.url

URL from which virus was downloaded

type: keyword

sophos.xg.used

used

type: integer

sophos.xg.used_quota

Used Quota

type: keyword

sophos.xg.user

User

type: keyword

sophos.xg.user_cpu

system

type: float

sophos.xg.user_gp

Group name to which the user belongs.

type: keyword

sophos.xg.user_group

Group name to which the user belongs

type: keyword

sophos.xg.user_name

user_name

type: keyword

sophos.xg.users

Number of users from System Health / Live User events.

type: long

sophos.xg.vconn_id

Connection ID of the master connection

type: integer

sophos.xg.virus

virus name

type: keyword

sophos.xg.web_policy_id

Web policy ID

type: keyword

sophos.xg.website

Website

type: keyword

sophos.xg.xss

related XSS caught by the WAF

type: keyword