 Role Availability
|
 Read-Only
|
 Analyst
|
Manager
|
The following is a list of all the event keys with a definition of their function and the type of the key.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
| Event Key | Definition | Type |
|---|---|---|
| Access Control Outcome | Outcome from Access Control | String |
| Access Key ID | The access key ID | String |
| Account ID | The account ID that generated the event | String |
| Account Name | The account name that generated the event | String |
| Action | The action outcome | String |
| Affected Family | Software family affected by the current CPE | String |
| Affected Platform | The platform (Linux, Mac OSX, Windows) affected by an IDS event | String |
| Affected Platforms | Software Platforms affected by the current CPE | String |
| Affected Products | Software Products affected by the current CPE | String |
| Alarm Destination Asset IDs | CSV of alarm destination asset IDs | String Array |
| Alarm Destination Organisations | CSV of alarm destination organisations | String Array |
| Alarm Destination Users | An array of alarm destination users | String Array |
| Alarm Destination Zones | CSV of alarm destination zones | String Array |
| Alarm Source Organisations | CSV of alarm source organisations | String Array |
| Alarm Source Zones | CSV of alarm source zones | String Array |
| Alarm Status | The status of the alarm | String |
| App Execution Parameters | The application execution parameters | String |
| App ID | The ID of the App which generated this event | String |
| App Name | The Name of the App which generated this event | String |
| Application | Application name | String |
| Application Protocol | Layer-7 protocol observed in the event (eg SSH, FTP, SNMP) | String |
| Application Type | Application type | String |
| Asset Group ID | The ID of the Asset Group in AssetDB | String |
| Asset Status | Asset Status | String |
| Asset Tag | Asset metadata name | String |
| Asset Tag Value | Asset metadata value | String |
| Audit Reason | The reason an audit event was generated | String |
| Authentication Mode | Authentication Mode | String |
| Authentication Type | The method used be the user to authenticate, such as RSA Key, Password, Domain Credentials | String |
| Event Key | Definition | Type |
|---|---|---|
| Base Event Count | A count associated with how many times was this same event observed | Integer |
| Blacklist Name | The name listed on the blacklist | String |
| Blacklist Reference Url | The referencing URL from the blacklist | URL |
| Blacklist Violating IP | The IP reglistered to the blacklist | IP |
| Event Key | Definition | Type |
|---|---|---|
| Certificate Issuer Name | Name of the authorizarion certificate issuer. | String |
| Certificate Serial Number | Serial Number of the authorization certificate. | String |
| Certificate Subject Name | Subject name in the authorization certificate. | String |
| Confidence | Confidence level | Integer |
| Connection Count | Number of incoming connections | Long |
| Console Login | The outcome of a AWS console login try | String |
| Consumer | Consumer of the event | String |
| Container ID | The ID of the container | String |
| Container Image | The image name used to launch the container | String |
| Container Image ID | The id of the image used to launch the container | String |
| Container Name | The name of the container | String |
| Container State | The state of the the container | String |
| Contains Credit Card Number | The event contains credit card numbers | Boolean |
| Content Category | Category of the content is being inspected as part of the connection For example in a Content Filtering or Proxy device | String |
| Control ID | The Control Node ID which will process this event | String |
| Current PPS | Number of current packets per second (PPS) | Integer |
| Current Working Directory | The Current Working Directory (CWD) referenced in the event | String |
| Event Key | Definition | Type |
|---|---|---|
| Destination | This is compared against several known formats to extract relevant data eg [hostname] [port] [zone] etc | Network Info |
| Destination Additional Hostnames | Destination additional hostnames | String Array |
| Destination Address | Destination IP Address | IP |
| Destination Address 6 | Destination IP Address in v6 format | String |
| Destination ASN | Destination ASN | String |
| Destination City | Destination City | String |
| Destination Country | Destination Country | String |
| Destination CPE | Destination CPE | String |
| Destination Datacenter | Destination data center | String |
| Destination Datastore | Destination data store | String |
| Destination DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Destination FQDN | Destination FQDN | String |
| Destination Hostname | Destination hostname | String |
| Destination Infrastructure Name | Destination Infrastructure Name | String |
| Destination Infrastructure Type | Destination Infrastructure Type | String |
| Destination Instance ID | Instance ID for destination device | String |
| Destination Latitude | Destinations Latitude | String |
| Destination Location ID | This is an internal field used to associate this event with a particular location | String |
| Destination Location Name | This is an internal field used to associate this event with a particular location | String |
| Destination Longitude | Destinations Longitude | String |
| Destination MAC Vendor | Destination MAC Address | MAC |
| Destination MAC Vendor | Destination MAC Vendor | String |
| Destination Name | Destination Name | String |
| Destination NAT Address | Destination NAT IP Address | IP |
| Destination NAT Port | Destination NAT Port | Integer |
| Destination Netmask | Destination IP Address mask | IP |
| Destination Network | Destination network | String |
| Destination NT domain | Destination Windows Domain | String |
| Destination Organisation | Destinations Organisation | String |
| Destination Port Label | Destination Port Label | String |
| Destination Post NAT Address | Destination address for the event message after NAT occurred | IP |
| Destination Post NAT Port | Port number of the event destination after NAT | Integer |
| Destination Pre NAT Address | Destination address for the event message before NAT | IP |
| Destination Pre NAT Port | Port number of the event destination before NAT | Integer |
| Destination Process | Destination Process Name | String |
| Destination Process ID | Destination Process ID | String |
| Destination Process User | Destination Process User | String |
| Destination Region | Destinations Region | String |
| Destination Registered Country | Destination Registered Country | String |
| Destination Service Name | The service which is targeted by this event | String |
| Destination Translated Address | Identifies the translated destination address that the event refers to in an IP network | IP |
| Destination Translated Port | Port after it was translated | Integer |
| Destination User Email | Destinations User email | String |
| Destination User Group | The destination user group | String |
| Destination User Privileges | Destinations Users privileges | String |
| Destination Username | Destinations User name | String |
| Destination VGuest | Destination virtual guest | String |
| Destination VHost | Destination virtual host | String |
| Destination Workstation | Destinations workstation name | String |
| Destination Zone | Destinations Zone (DMZ Office Outside) | String |
| Device Class | The Device Class listed in the system | String |
| Device Configuration | Configuration scheme/type set in a device | String |
| Device Custom Date 1-2 | There are two timestamps fields available which can be used to map fields which do not fit any other field of this dictionary | String |
| Device Custom Date 1-2 Label | All custom fields have a corresponding label field where the field itself can be described | String |
| Device Custom Number 1-3 Label | There are three number fields available which can be used to map fields which do not fit into any other field of this dictionary | Integer |
| Device Custom Number 1-3 Label | All custom fields have a corresponding label field where the field itself can be described | String |
| Device Direction | Any information about what direction the communication that was observed has taken | String |
| Device DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Device Event Category | Represents the category assigned by the originating device | String |
| Device External ID | A name that uniquely identifies the device generating this event | String |
| Device Facility | The facility generating this event | String |
| Device Inbound Interface | Interface on which the packet or data entered the device | String |
| Device Name | The Device Name listed in the system | String |
| Device NT Domain | Device Windows Domain | String |
| Device Outbound Interface | Interface on which the packet or data left the device | String |
| Device Process Name | Process name associated to the event | String |
| Device Time Format | Format of the timestamp attached to this event | String |
| Device Translated Address | Identifies the translated device address that the event refers to in an IP network | IP |
| DNS Message | DNS response message | String |
| DNS Rcode | DNS return message | Integer |
| DNS RR Name | The DNS Request/Response Resource Name | String |
| DNS RR Type | The DNS Resource Type | String |
| DNS Server Address | The address of the DNS server referenced in the event | String |
| DNS TTL | The DNS Time to Live | String |
| DNS Type | The DNS Type (Query / Answer) | String |
| Duration | The duration of the connection | String |
| Event Key | Definition | Type |
|---|---|---|
| Email Recipient | The Email recipient | |
| Email Relay | The relay the email was delivered through | String |
| Email Sender | The Email sender | |
| Email Subject | The subject of the email | String |
| Entity Category | The zone category of incident that is being reported | String |
| Environment Variable Key | The Environment Variable key referenced in the event | String |
| Environment Variable Value | The Environment Variable value referenced in the event | String |
| Error Code | The error code for a HTTP response | String |
| Error Message | The error message for a response | String |
| Event Action | The implied action of the event - Create Read Update Delete | String |
| Event Activity | The activity related to an event In an IDS event this would be the activity being detected | String |
| Event Auth Action | Action of the authorization event | String |
| Event Auth Role | Role of the authorization event | String |
| Event Auth Scope | Scope of the authorization event | String |
| Event Change | The event change/action made by the user | String |
| Event CVE | Contains information about the CVE associated with an event as an example an IDS signature | String |
| Event Group | Event Grouping that this event belongs to | String |
| Event Group Job ID | When this group has been created from a job, the job ID | String |
| Event Name | The short user-readable description of the event | String |
| Event Outcome | Displays the outcome, generally "success" or "failure" | String |
| Event Receipt Time | The time at which the event related to the activity was received | Date |
| Event Ref Date | When the issue was first published | String |
| Event Ref ID | Event reference ID (CVE, etc) | String |
| Event Ref IDS | Event reference IDs (CVE, OSVDB, etc) | String Array |
| Event Ref Source | Issue Reference Source (CVE etc) | String |
| Event Type | The event type | String |
| Event Violation | The culprit | String |
| External ID | An ID used by the originating device | String |
| Event Key | Definition | Type |
|---|---|---|
| File Create Time | The timestamp of when the file was created | String |
| File Hash | The hash of the file | String |
| File Hash Algorithm | The algorithm used to produce the file hash - SH256 MD5 etc | String |
| File Hash Md5 | The MD5 of the file | String |
| File Hash Sha1 | The SHA1 of the file | String |
| File Hash Sha256 | The SHA256 of the file | String |
| File ID | The Operating System ID of the file | String |
| File Modification Time | The last modification time of a file | String |
| File Name | The short name of a file | String |
| File Old Owner | Old file owner | String |
| File Owner | The current owner of a file | String |
| File Path | Full path of the file | String |
| File Permission | The OS permissions of the file | String |
| File Type | The type of the file | String |
| Full Message | A long message | String |
| Event Key | Definition | Type |
|---|---|---|
| Global List Name | Name of the Global List | String |
| Global List Value | Value from the list | String |
| Group Policy | Group Policy that the event refers to, for example a Active Directory Group Policy | String |
| Event Key | Definition | Type |
|---|---|---|
| Has Alarm | If this event is used by an alarm | Boolean |
| HTML Link | A specified HTML link address | URL |
| HTML Snippet | A specified HTML link snippet | String |
| HHTML Title | A specified HTML link title | String |
| HTTP Hostname | The hostname present in a HTTP connection | String |
| HTTP Referrer | The HTTP referer in a HTTP request | String |
| Event Key | Definition | Type |
|---|---|---|
| Identity Group Name | Group name associated with the identity source address to further identify the identity event with Group name resolution | String |
| Identity Host Name | Host name information associated with the identity source address to further identify the true hostname tied to an event | String |
| Identity MAC | MAC associated with the identity source address to further identify the identity event with MAC resolution | String |
| Identity NetBIOS | NetBIOS name associated with the identity source address to further identify the identity event with NetBIOS name resolution | String |
| Identity Source Address | IPv4 or IPv6 address that can connect an event with a true user identify or true computer identity | IP |
| Incident ID | ID provided by the event source | String |
| IOCs | Array with the matched Indicators of Compromise | String Array |
| IP Addresses | List of IP Addresses | String Array |
| Event Key | Definition | Type |
|---|---|---|
| Legacy Tzone | Unused | String |
| Level | The standard syslog level | Long |
| Log File | The Log File | String |
| Event Key | Definition | Type |
|---|---|---|
| Malware Family | Malware Family | String |
| Malware Variant | Virus or Malware Variant | String |
| Matched Value | The value that was matched for the enrichment metadata | String |
| Event Key | Definition | Type |
|---|---|---|
| Object Type | The object type of the source (if applies) | String |
| Operating System | Operating System | String |
| Event Key | Definition | Type |
|---|---|---|
| Package Architecture | The architecture of the package | String |
| Package Name | The name of the package | String |
| Package Revision | The revision of the package | String |
| Package Source | The source of the package | String |
| Package Version | The version of the package | String |
| Packet Payload | Packet payload information from Network IDS | String |
| Packet Type | What type of packet this is | String |
| Packets Received | The number of packets received | Integer |
| Packets Sent | The number of packets sent | Integer |
| Patch Reference ID | Patch reference id (Oval rule, etc) | String |
| Patch Vulnerability Reference List | List of reference ID's (CVE, etc) for the patch event | String Array |
| Peak PPS | Packets per second (PPS) peak value | Integer |
| Pefile Company | Company authoring Pefile | String |
| Pefile Description | Description of Pefile | String |
| Pefile Fileversion | File version of Pefile | String |
| Pefile Product | Product pefile is related to | String |
| Plugin Rule | Plugin Rule | String |
| Plugin Vendor | The vendor of the device this plugin was made for | String |
| Policy | Policy that the event refers to, for example a Firewall or Content Filtering Policy | String |
| Policy Address | Address referenced on a db policy firewall rule etc | String |
| Policy Interface | Network Interface referenced on a db policy firewall rule etc | String |
| Policy Mac | Mac address referenced on a db policy firewall rule etc | String |
| Priority | Priority of Alarm | String |
| Protocol Version | Version of the current protocol | String |
| Event Key | Definition | Type |
|---|---|---|
| Realm | Realm where the user roles and permissions apply | String |
| Received From | Source this event was received from | String |
| Rep Device Address 6 | Reporting device address version 6 | String |
| Rep Device Asset ID | Instance ID for reporting device | String |
| Rep Device FQDN | Reporting device FQDN | String |
| Rep Device Location ID | This is an internal field used to associate this event with a particular location | String |
| Rep Device Location Name | This is an internal field used to associate this event with a particular location | String |
| Reporting Device Address | Reporting device address | IP |
| Reporting Device Hostname | Reporting device hostname | String |
| Reporting Device Instance ID | Instance ID for the reporting device | String |
| Reporting Device MAC | Reporting device MAC | MAC |
| Reporting Device Model | The model of the reporting device | String |
| Reporting Device Outbound Interface | The network interface passing through the traffic generating the event on the reporting device | String |
| Reporting Device Rule ID | The ID of the rule used by the reporting device to generate this event (ie firewall rule, CVE, IDS rule | String |
| Reporting Device Type | The device type of the reporting device | String |
| Reporting Device Vendor | The vendor of the reporting device | String |
| Reporting Device Version | The version of the reporting device | String |
| Reputation Score | Risk or reputation score for a host | String |
| Resource Provider | Provider of resource | String |
| Resource URI | URI representing a resource uniquely | String |
| Response Content Type | HTTP response content type | String |
| Return Value | Return value | String |
| Role | Role or roles of the user in the organization | String |
| Rule Dictionary | Rule Dictionary | String |
| Rule UUID | Rule ID which triggered event | String |
| Event Key | Definition | Type |
|---|---|---|
| Searched Site | Site searched | String |
| Security Group ID | Security Group ID | String |
| Security Group Name | Security Group Name | String |
| Sensor App Action | The Sensor App Action Called | String |
| Session | Session Identifier | String |
| Short Message | A short descriptive message | String |
| Source Additional Hostnames | Source additional hostnames | String Array |
| Source Address 6 | Source IP Address in v6 format | String |
| Source ASN | Source ASN | String |
| Source City | Source City | String |
| Source Country | Source Country | String |
| Source CPE | Source CPE | String |
| Source Datacenter | Source data center | String |
| Source Datastore | Source data store | String |
| Source DNS Domain | The DNS domain part of the complete fully qualified domain name | String |
| Source FQDN | Source FQDN | String |
| Source Hostname | Source hostname | String |
| Source Infrastructure Name | Source Infrastructure Name | String |
| Source Infrastructure Type | Source Infrastructure Type | String |
| Source Instance ID | Instance ID for source device | String |
| Source Latitude | Source Latitude | String |
| Source Location ID | This is an internal field used to associate this event with a particular location | String |
| Source Location Name | This is an internal field used to associate this event with a particular location | String |
| Source Longitude | Source Longitude | String |
| Source MAC | Source MAC Address | MAC |
| Source MAC Vendor | Source MAC Vendor | String |
| Source Name | Source Name | String |
| Source NAT Address | Source NAT IP Address | IP |
| Source NAT Port | Source NAT Port | Integer |
| Source Netmask | Source IP Address mask | IP |
| Source Network | Source network | String |
| Source NT Domain | Source Windows Domain | String |
| Source Organisation | Source Organisation | String |
| Source Port Label | Source Port Label | String |
| Source Post Nat Address | Source address for the event message after NAT occurred | IP |
| Source Post Nat Port | Port number of the event source after NAT | Integer |
| Source Pre Nat Address | Source address for the event message before NAT | IP |
| Source Pre Nat Port | Port number of the event source before NAT | Integer |
| Source Process | Source Process name | String |
| Source Process Command Line | The Process Command line | String |
| Source Process ID | Source Process ID | String |
| Source Process Parent | The Process Parent | String |
| Source Process Parent Commandline | The Parent Command Line | String |
| Source Process Parent Process ID | The Parent Process ID | String |
| Source Process User | Source Process User | String |
| Source Region | Source Region | String |
| Source Registered Country | Source Registered Country | String |
| Source Service Name | The service which is responsible for generating this event | String |
| Source Translated Address | Identifies the translated source address that the event refers to in an IP network | IP |
| Source Translated Port | Port after it was translated | Integer |
| Source User Email | Source user email | String |
| Source User Group | The source user group | String |
| Source User Privileges | Source Users privileges | String |
| Source Vguest | Source virtual guest | String |
| Source Vhost | Source virtual host | String |
| Source Workstation | Source Workstation | String |
| Source Zone | Source Zone | String |
| Sources | List of source asset IDs | String Array |
| SSH Authorized Key | The SSH authorized key | String |
| SSH Client Proto | Identifies the SSH client protocol | String |
| SSH Client Software | Identifies the SSH client software | String |
| SSH Server Proto | Identifies the SSH server protocol | String |
| SSH Server Software | Identifies the SSH server software | String |
| SSH Server Version | Identifies the SSH server version | String |
| Stat Name | The name of the stat that has exceeded its threshold | String |
| Stat Value | The value of the stat that has exceeded its threshold | Integer |
| Suppress Rule ID | ID of the rule that suppressed this log | String |
| Suppress Rule Name | Name of the rule that suppressed this log | String |
| Suppressed | If event is suppressed | String |
| System Event Type | The system event type generated | String |
| Event Key | Definition | Type |
|---|---|---|
| Tag | The syslog tag (the data found before the [] after the timestamp) | String |
| Time Created | The time that the incoming data is registered. The time is converted to the local time of the browser. | String |
| Time Created ISO8601 | The time that the incoming data is registered. | Date |
| Time Received | The time that the incoming data is recorded into USM Anywhere. | Date |
| Time Received ISO8601 | The time that the incoming data is received by USM Anywhere. | Date |
| Time Zone | The timezone the event occured in | String |
| Timestamp End | Process end timestamp | Date |
| Timestamp Start | Process start timestamp | Date |
| TLS Cipher | The cipher algorithm used for this TLS connection | String |
| TLS Fingerprint | Identifies the SHA1 fingerprint of the certificate | String |
| TLS IssuerDN | Identifies the issuer DN of certificate | String |
| TLS SNI | Identifies the server name indication sent by a client | String |
| TLS Subject | Identifies the subject of the TLS protocol | String |
| TLS Version | Identifies the version of TLS protocol | String |
| Total Packets | The total number of packets transmitted | Integer |
| Transaction Status | Transaction status | String |
| Transient | Is the event transient | Boolean |
| TTY Terminal | The TTY referenced in the event | String |
| Event Key | Definition | Type |
|---|---|---|
| Used Hint | If a hint was used to find the plugin | Boolean |
| User Group ID | Group ID that is associated with the user account | String |
| User Policy | Policy associated with the user account | String |
| User Realm | Portal name associated with the event | String |
| User Resource | Resource associated with the user account | String |
| User Role | Role type associated with the user account that created the event | String |
| UUID | The unique ID for this Event | String |
| Event Key | Definition | Type |
|---|---|---|
| Virtual Source Address | IP address of the virtual event source | IP |
| Virtual Source Name | Name of the virtual event source | String |
| Event Key | Definition | Type |
|---|---|---|
| Was Fuzzied | If fuzzied parser was used to generate the event | Boolean |
| Was Guessed | If we brute forced the plugin | Boolean |
| Wireless Access Point | The access point of the wireless network | String |
| Wireless BSSID | The BSSID of the wireless network | String |
| Wireless Channel | The channel of the wireless network | String |
| Wireless Encryption | The encryption mechanism used by the wireless network | String |
| Wireless SSID | The SSID of the wireless network | String |
| Event Key | Definition | Type |
|---|---|---|
| Yara Signature | Yara Signatures | String Array |