The following is a list of all the event keys with a definition of their function and the type of the key.
Event Key | Definition | Type |
---|---|---|
Access Control Outcome | Outcome from Access Control | String |
Access Key ID | The access key ID | String |
Account ID | The account ID that generated the event | String |
Account Name | The account name that generated the event | String |
Action | The action outcome | String |
Affected Family | Software family affected by the current CPE | String |
Affected Platform | The platform (Linux, Mac OSX, Windows) affected by an IDS event | String |
Affected Platforms | Software Platforms affected by the current CPE | String |
Affected Products | Software Products affected by the current CPE | String |
Alarm Destination Asset IDs | CSV of alarm destination asset IDs | String Array |
Alarm Destination Organisations | CSV of alarm destination organisations | String Array |
Alarm Destination Users | An array of alarm destination users | String Array |
Alarm Destination Zones | CSV of alarm destination zones | String Array |
Alarm Source Organisations | CSV of alarm source organisations | String Array |
Alarm Source Zones | CSV of alarm source zones | String Array |
Alarm Status | The status of the alarm | String |
App Execution Parameters | The application execution parameters | String |
App ID | The ID of the App which generated this event | String |
App Name | The Name of the App which generated this event | String |
Application | Application name | String |
Application Protocol | Layer-7 protocol observed in the event (eg SSH, FTP, SNMP) | String |
Application Type | Application type | String |
Asset Group ID | The ID of the Asset Group in AssetDB | String |
Asset Status | Asset Status | String |
Asset Tag | Asset metadata name | String |
Asset Tag Value | Asset metadata value | String |
Audit Reason | The reason an audit event was generated | String |
Authentication Mode | Authentication Mode | String |
Authentication Type | The method used by the user to authenticate, such as RSA Key, Password, Domain Credentials | String |
Base Event Count | A count of how many times this same event was observed | Integer |
Blacklist Name | The name listed on the blacklist | String |
Blacklist Reference Url | The referencing URL from the blacklist | URL |
Blacklist Violating IP | The IP registered on the blacklist | IP |
Certificate Issuer Name | Name of the authorization certificate issuer. | String |
Certificate Serial Number | Serial Number of the authorization certificate. | String |
Certificate Subject Name | Subject name in the authorization certificate. | String |
Confidence | Confidence level | Integer |
Connection Count | Number of incoming connections | Long |
Console Login | The outcome of an AWS console login attempt | String |
Consumer | Consumer of the event | String |
Container ID | The ID of the container | String |
Container Image | The image name used to launch the container | String |
Container Image ID | The id of the image used to launch the container | String |
Container Name | The name of the container | String |
Container State | The state of the container | String |
Contains Credit Card Number | The event contains credit card numbers | Boolean |
Content Category | Category of the content being inspected as part of the connection, for example in a Content Filtering or Proxy device | String |
Control ID | The Control Node ID which will process this event | String |
Current PPS | Number of current packets per second (PPS) | Integer |
Current Working Directory | The Current Working Directory (CWD) referenced in the event | String |
Destination | This is compared against several known formats to extract relevant data, e.g. [hostname], [port], [zone], etc. | Network Info |
Destination Additional Hostnames | Destination additional hostnames | String Array |
Destination Address | Destination IP Address | IP |
Destination Address 6 | Destination IP Address in v6 format | String |
Destination ASN | Destination ASN | String |
Destination City | Destination City | String |
Destination Country | Destination Country | String |
Destination CPE | Destination CPE | String |
Destination Datacenter | Destination data center | String |
Destination Datastore | Destination data store | String |
Destination DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
Destination FQDN | Destination FQDN | String |
Destination Hostname | Destination hostname | String |
Destination Infrastructure Name | Destination Infrastructure Name | String |
Destination Infrastructure Type | Destination Infrastructure Type | String |
Destination Instance ID | Instance ID for destination device | String |
Destination Latitude | Destination latitude | String |
Destination Location ID | This is an internal field used to associate this event with a particular location | String |
Destination Location Name | This is an internal field used to associate this event with a particular location | String |
Destination Longitude | Destination longitude | String |
Destination MAC | Destination MAC Address | MAC |
Destination MAC Vendor | Destination MAC Vendor | String |
Destination Name | Destination Name | String |
Destination NAT Address | Destination NAT IP Address | IP |
Destination NAT Port | Destination NAT Port | Integer |
Destination Netmask | Destination IP Address mask | IP |
Destination Network | Destination network | String |
Destination NT domain | Destination Windows Domain | String |
Destination Organisation | Destination Organisation | String |
Destination Port Label | Destination Port Label | String |
Destination Post NAT Address | Destination address for the event message after NAT occurred | IP |
Destination Post NAT Port | Port number of the event destination after NAT | Integer |
Destination Pre NAT Address | Destination address for the event message before NAT | IP |
Destination Pre NAT Port | Port number of the event destination before NAT | Integer |
Destination Process | Destination Process Name | String |
Destination Process ID | Destination Process ID | String |
Destination Process User | Destination Process User | String |
Destination Region | Destination Region | String |
Destination Registered Country | Destination Registered Country | String |
Destination Service Name | The service which is targeted by this event | String |
Destination Translated Address | Identifies the translated destination address that the event refers to in an IP network | IP |
Destination Translated Port | Port after it was translated | Integer |
Destination User Email | Destination user email | String |
Destination User Group | The destination user group | String |
Destination User Privileges | Destination user privileges | String |
Destination Username | Destination user name | String |
Destination VGuest | Destination virtual guest | String |
Destination VHost | Destination virtual host | String |
Destination Workstation | Destination workstation name | String |
Destination Zone | Destination Zone (DMZ, Office, Outside) | String |
Device Class | The Device Class listed in the system | String |
Device Configuration | Configuration scheme/type set in a device | String |
Device Custom Date 1-2 | There are two timestamp fields available which can be used to map fields which do not fit any other field of this dictionary | String |
Device Custom Date 1-2 Label | All custom fields have a corresponding label field where the field itself can be described | String |
Device Custom Number 1-3 | There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary | Integer |
Device Custom Number 1-3 Label | All custom fields have a corresponding label field where the field itself can be described | String |
Device Direction | Any information about what direction the communication that was observed has taken | String |
Device DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
Device Event Category | Represents the category assigned by the originating device | String |
Device External ID | A name that uniquely identifies the device generating this event | String |
Device Facility | The facility generating this event | String |
Device Inbound Interface | Interface on which the packet or data entered the device | String |
Device Name | The Device Name listed in the system | String |
Device NT Domain | Device Windows Domain | String |
Device Outbound Interface | Interface on which the packet or data left the device | String |
Device Process Name | Process name associated to the event | String |
Device Time Format | Format of the timestamp attached to this event | String |
Device Translated Address | Identifies the translated device address that the event refers to in an IP network | IP |
DNS Message | DNS response message | String |
DNS Rcode | DNS return code | Integer |
DNS RR Name | The DNS Request/Response Resource Name | String |
DNS RR Type | The DNS Resource Type | String |
DNS Server Address | The address of the DNS server referenced in the event | String |
DNS TTL | The DNS Time to Live | String |
DNS Type | The DNS Type (Query / Answer) | String |
Duration | The duration of the connection | String |
Email Recipient | The Email recipient | |
Email Relay | The relay the email was delivered through | String |
Email Sender | The Email sender | |
Email Subject | The subject of the email | String |
Entity Category | The zone category of incident that is being reported | String |
Environment Variable Key | The Environment Variable key referenced in the event | String |
Environment Variable Value | The Environment Variable value referenced in the event | String |
Error Code | The error code for an HTTP response | String |
Error Message | The error message for a response | String |
Event Action | The implied action of the event: Create, Read, Update, Delete | String |
Event Activity | The activity related to an event; in an IDS event this would be the activity being detected | String |
Event Auth Action | Action of the authorization event | String |
Event Auth Role | Role of the authorization event | String |
Event Auth Scope | Scope of the authorization event | String |
Event Change | The event change/action made by the user | String |
Event CVE | Contains information about the CVE associated with an event, for example an IDS signature | String |
Event Group | Event Grouping that this event belongs to | String |
Event Group Job ID | When this group has been created from a job, the job ID | String |
Event Name | The short user-readable description of the event | String |
Event Outcome | Displays the outcome, generally "success" or "failure" | String |
Event Receipt Time | The time at which the event related to the activity was received | Date |
Event Ref Date | When the issue was first published | String |
Event Ref ID | Event reference ID (CVE, etc.) | String |
Event Ref IDS | Event reference IDs (CVE, OSVDB, etc.) | String Array |
Event Ref Source | Issue reference source (CVE, etc.) | String |
Event Type | The event type | String |
Event Violation | The culprit | String |
External ID | An ID used by the originating device | String |
File Create Time | The timestamp of when the file was created | String |
File Hash | The hash of the file | String |
File Hash Algorithm | The algorithm used to produce the file hash (SHA256, MD5, etc.) | String |
File Hash Md5 | The MD5 of the file | String |
File Hash Sha1 | The SHA1 of the file | String |
File Hash Sha256 | The SHA256 of the file | String |
File ID | The Operating System ID of the file | String |
File Modification Time | The last modification time of a file | String |
File Name | The short name of a file | String |
File Old Owner | Old file owner | String |
File Owner | The current owner of a file | String |
File Path | Full path of the file | String |
File Permission | The OS permissions of the file | String |
File Type | The type of the file | String |
Full Message | A long message | String |
Global List Name | Name of the Global List | String |
Global List Value | Value from the list | String |
Group Policy | Group Policy that the event refers to, for example an Active Directory Group Policy | String |
Has Alarm | If this event is used by an alarm | Boolean |
HTML Link | A specified HTML link address | URL |
HTML Snippet | A specified HTML link snippet | String |
HTML Title | A specified HTML link title | String |
HTTP Hostname | The hostname present in an HTTP connection | String |
HTTP Referrer | The HTTP Referer header in an HTTP request | String |
Identity Group Name | Group name associated with the identity source address to further identify the identity event with Group name resolution | String |
Identity Host Name | Host name information associated with the identity source address to further identify the true hostname tied to an event | String |
Identity MAC | MAC associated with the identity source address to further identify the identity event with MAC resolution | String |
Identity NetBIOS | NetBIOS name associated with the identity source address to further identify the identity event with NetBIOS name resolution | String |
Identity Source Address | IPv4 or IPv6 address that can connect an event with a true user identity or true computer identity | IP |
Incident ID | ID provided by the event source | String |
IOCs | Array with the matched Indicators of Compromise | String Array |
IP Addresses | List of IP Addresses | String Array |
Legacy Tzone | Unused | String |
Level | The standard syslog level | Long |
Log File | The Log File | String |
Malware Family | Malware Family | String |
Malware Variant | Virus or Malware Variant | String |
Matched Value | The value that was matched for the enrichment metadata | String |
Object Type | The object type of the source (if applies) | String |
Operating System | Operating System | String |
Package Architecture | The architecture of the package | String |
Package Name | The name of the package | String |
Package Revision | The revision of the package | String |
Package Source | The source of the package | String |
Package Version | The version of the package | String |
Packet Payload | Packet payload information from Network IDS | String |
Packet Type | What type of packet this is | String |
Packets Received | The number of packets received | Integer |
Packets Sent | The number of packets sent | Integer |
Patch Reference ID | Patch reference ID (OVAL rule, etc.) | String |
Patch Vulnerability Reference List | List of reference IDs (CVE, etc.) for the patch event | String Array |
Peak PPS | Packets per second (PPS) peak value | Integer |
Pefile Company | Company that authored the PE file | String |
Pefile Description | Description of the PE file | String |
Pefile Fileversion | File version of the PE file | String |
Pefile Product | Product the PE file is related to | String |
Plugin Rule | Plugin Rule | String |
Plugin Vendor | The vendor of the device this plugin was made for | String |
Policy | Policy that the event refers to, for example a Firewall or Content Filtering Policy | String |
Policy Address | Address referenced in a DB policy, firewall rule, etc. | String |
Policy Interface | Network interface referenced in a DB policy, firewall rule, etc. | String |
Policy Mac | MAC address referenced in a DB policy, firewall rule, etc. | String |
Priority | Priority of Alarm | String |
Protocol Version | Version of the current protocol | String |
Realm | Realm where the user roles and permissions apply | String |
Received From | Source this event was received from | String |
Rep Device Address 6 | Reporting device address version 6 | String |
Rep Device Asset ID | Instance ID for reporting device | String |
Rep Device FQDN | Reporting device FQDN | String |
Rep Device Location ID | This is an internal field used to associate this event with a particular location | String |
Rep Device Location Name | This is an internal field used to associate this event with a particular location | String |
Reporting Device Address | Reporting device address | IP |
Reporting Device Hostname | Reporting device hostname | String |
Reporting Device Instance ID | Instance ID for the reporting device | String |
Reporting Device MAC | Reporting device MAC | MAC |
Reporting Device Model | The model of the reporting device | String |
Reporting Device Outbound Interface | The network interface passing through the traffic generating the event on the reporting device | String |
Reporting Device Rule ID | The ID of the rule used by the reporting device to generate this event (i.e. firewall rule, CVE, IDS rule) | String |
Reporting Device Type | The device type of the reporting device | String |
Reporting Device Vendor | The vendor of the reporting device | String |
Reporting Device Version | The version of the reporting device | String |
Reputation Score | Risk or reputation score for a host | String |
Resource Provider | Provider of resource | String |
Resource URI | URI representing a resource uniquely | String |
Response Content Type | HTTP response content type | String |
Return Value | Return value | String |
Role | Role or roles of the user in the organization | String |
Rule Dictionary | Rule Dictionary | String |
Rule UUID | Rule ID which triggered event | String |
Searched Site | Site searched | String |
Security Group ID | Security Group ID | String |
Security Group Name | Security Group Name | String |
Sensor App Action | The Sensor App Action Called | String |
Session | Session Identifier | String |
Short Message | A short descriptive message | String |
Source Additional Hostnames | Source additional hostnames | String Array |
Source Address 6 | Source IP Address in v6 format | String |
Source ASN | Source ASN | String |
Source City | Source City | String |
Source Country | Source Country | String |
Source CPE | Source CPE | String |
Source Datacenter | Source data center | String |
Source Datastore | Source data store | String |
Source DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
Source FQDN | Source FQDN | String |
Source Hostname | Source hostname | String |
Source Infrastructure Name | Source Infrastructure Name | String |
Source Infrastructure Type | Source Infrastructure Type | String |
Source Instance ID | Instance ID for source device | String |
Source Latitude | Source Latitude | String |
Source Location ID | This is an internal field used to associate this event with a particular location | String |
Source Location Name | This is an internal field used to associate this event with a particular location | String |
Source Longitude | Source Longitude | String |
Source MAC | Source MAC Address | MAC |
Source MAC Vendor | Source MAC Vendor | String |
Source Name | Source Name | String |
Source NAT Address | Source NAT IP Address | IP |
Source NAT Port | Source NAT Port | Integer |
Source Netmask | Source IP Address mask | IP |
Source Network | Source network | String |
Source NT Domain | Source Windows Domain | String |
Source Organisation | Source Organisation | String |
Source Port Label | Source Port Label | String |
Source Post Nat Address | Source address for the event message after NAT occurred | IP |
Source Post Nat Port | Port number of the event source after NAT | Integer |
Source Pre Nat Address | Source address for the event message before NAT | IP |
Source Pre Nat Port | Port number of the event source before NAT | Integer |
Source Process | Source Process name | String |
Source Process Command Line | The Process Command line | String |
Source Process ID | Source Process ID | String |
Source Process Parent | The Process Parent | String |
Source Process Parent Commandline | The Parent Command Line | String |
Source Process Parent Process ID | The Parent Process ID | String |
Source Process User | Source Process User | String |
Source Region | Source Region | String |
Source Registered Country | Source Registered Country | String |
Source Service Name | The service which is responsible for generating this event | String |
Source Translated Address | Identifies the translated source address that the event refers to in an IP network | IP |
Source Translated Port | Port after it was translated | Integer |
Source User Email | Source user email | String |
Source User Group | The source user group | String |
Source User Privileges | Source user privileges | String |
Source Vguest | Source virtual guest | String |
Source Vhost | Source virtual host | String |
Source Workstation | Source Workstation | String |
Source Zone | Source Zone | String |
Sources | List of source asset IDs | String Array |
SSH Authorized Key | The SSH authorized key | String |
SSH Client Proto | Identifies the SSH client protocol | String |
SSH Client Software | Identifies the SSH client software | String |
SSH Server Proto | Identifies the SSH server protocol | String |
SSH Server Software | Identifies the SSH server software | String |
SSH Server Version | Identifies the SSH server version | String |
Stat Name | The name of the stat that has exceeded its threshold | String |
Stat Value | The value of the stat that has exceeded its threshold | Integer |
Suppress Rule ID | ID of the rule that suppressed this log | String |
Suppress Rule Name | Name of the rule that suppressed this log | String |
Suppressed | If event is suppressed | String |
System Event Type | The system event type generated | String |
Tag | The syslog tag (the data found after the timestamp and before the []) | String |
Time Created | The time that the incoming data is registered. The time is converted to the local time of the browser. | String |
Time Created ISO8601 | The time that the incoming data is registered. | Date |
Time Received | The time that the incoming data is recorded into USM Anywhere. | Date |
Time Received ISO8601 | The time that the incoming data is received by USM Anywhere. | Date |
Time Zone | The timezone the event occurred in | String |
Timestamp End | Process end timestamp | Date |
Timestamp Start | Process start timestamp | Date |
TLS Cipher | The cipher algorithm used for this TLS connection | String |
TLS Fingerprint | Identifies the SHA1 fingerprint of the certificate | String |
TLS IssuerDN | Identifies the issuer DN of certificate | String |
TLS SNI | Identifies the server name indication sent by a client | String |
TLS Subject | Identifies the subject of the TLS protocol | String |
TLS Version | Identifies the version of TLS protocol | String |
Total Packets | The total number of packets transmitted | Integer |
Transaction Status | Transaction status | String |
Transient | Is the event transient | Boolean |
TTY Terminal | The TTY referenced in the event | String |
Used Hint | If a hint was used to find the plugin | Boolean |
User Group ID | Group ID that is associated with the user account | String |
User Policy | Policy associated with the user account | String |
User Realm | Portal name associated with the event | String |
User Resource | Resource associated with the user account | String |
User Role | Role type associated with the user account that created the event | String |
UUID | The unique ID for this Event | String |
Virtual Source Address | IP address of the virtual event source | IP |
Virtual Source Name | Name of the virtual event source | String |
Was Fuzzied | If a fuzzy parser was used to generate the event | Boolean |
Was Guessed | If the plugin was determined by brute force | Boolean |
Wireless Access Point | The access point of the wireless network | String |
Wireless BSSID | The BSSID of the wireless network | String |
Wireless Channel | The channel of the wireless network | String |
Wireless Encryption | The encryption mechanism used by the wireless network | String |
Wireless SSID | The SSID of the wireless network | String |
Yara Signature | Matched YARA signatures | String Array |