Cisco fields

Module for handling Cisco network device logs.

cisco.amp

Module for parsing Cisco AMP logs.

cisco.amp.timestamp_nanoseconds

The timestamp in Epoch nanoseconds.

type: date

cisco.amp.event_type_id

A sub ID of the event, depending on event type.

type: keyword

cisco.amp.detection

The name of the malware detected.

type: keyword

cisco.amp.detection_id

The ID of the detection.

type: keyword

cisco.amp.connector_guid

The GUID of the connector sending information to AMP.

type: keyword

cisco.amp.group_guids

An array of group GUIDs related to the connector sending information to AMP.

type: keyword

cisco.amp.vulnerabilities

An array of related vulnerabilities to the malicious event.

type: flattened

cisco.amp.scan.description

Description of an event related to a scan being initiated, for example the specific directory name.

type: keyword

cisco.amp.scan.clean

Boolean value indicating whether a scanned file was clean.

type: boolean

cisco.amp.scan.scanned_files

Count of files scanned in a directory.

type: long

cisco.amp.scan.scanned_processes

Count of processes scanned related to a single scan event.

type: long

cisco.amp.scan.scanned_paths

Count of different directories scanned related to a single scan event.

type: long

cisco.amp.scan.malicious_detections

Count of malicious files or documents detected related to a single scan event.

type: long

cisco.amp.computer.connector_guid

The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.

type: keyword

cisco.amp.computer.external_ip

The external IP of the related host.

type: ip

cisco.amp.computer.active

Whether the current endpoint is active.

type: boolean

cisco.amp.computer.network_addresses

All network interface information on the related host.

type: flattened

cisco.amp.file.disposition

Categorization of file, for example "Malicious" or "Clean".

type: keyword

cisco.amp.network_info.disposition

Categorization of a network event related to a file, for example "Malicious" or "Clean".

type: keyword

cisco.amp.network_info.nfm.direction

The current direction based on source and destination IP.

type: keyword

cisco.amp.related.mac

An array of all related MAC addresses.

type: keyword

cisco.amp.related.cve

An array of all related CVE identifiers.

type: keyword

cisco.amp.cloud_ioc.description

Description of the related IOC for specific IOC events from AMP.

type: keyword

cisco.amp.cloud_ioc.short_description

Short description of the related IOC for specific IOC events from AMP.

type: keyword

cisco.amp.network_info.parent.disposition

Categorization of an IOC, for example "Malicious" or "Clean".

type: keyword

cisco.amp.network_info.parent.identity.md5

MD5 hash of the related IOC.

type: keyword

cisco.amp.network_info.parent.identity.sha1

SHA1 hash of the related IOC.

type: keyword

cisco.amp.network_info.parent.identify.sha256

SHA256 hash of the related IOC.

type: keyword

cisco.amp.file.archived_file.disposition

Categorization of a file archive related to a file, for example "Malicious" or "Clean".

type: keyword

cisco.amp.file.archived_file.identity.md5

MD5 hash of the archived file related to the malicious event.

type: keyword

cisco.amp.file.archived_file.identity.sha1

SHA1 hash of the archived file related to the malicious event.

type: keyword

cisco.amp.file.archived_file.identity.sha256

SHA256 hash of the archived file related to the malicious event.

type: keyword

cisco.amp.file.attack_details.application

The application name related to Exploit Prevention events.

type: keyword

cisco.amp.file.attack_details.attacked_module

Path to the executable or dll that was attacked and detected by Exploit Prevention.

type: keyword

cisco.amp.file.attack_details.base_address

The base memory address related to the exploit detected.

type: keyword

cisco.amp.file.attack_details.suspicious_files

An array of related files when an attack is detected by Exploit Prevention.

type: keyword

cisco.amp.file.parent.disposition

Categorization of the parent, for example "Malicious" or "Clean".

type: keyword

cisco.amp.error.description

Description of an endpoint error event.

type: keyword

cisco.amp.error.error_code

The error code describing the related error event.

type: keyword

cisco.amp.threat_hunting.severity

Severity result of the threat hunt registered to the malicious event. Ranges from Low to Critical.

type: keyword

cisco.amp.threat_hunting.incident_report_guid

The GUID of the related threat hunting report.

type: keyword

cisco.amp.threat_hunting.incident_hunt_guid

The GUID of the related investigation tracking issue.

type: keyword

cisco.amp.threat_hunting.incident_title

Title of the incident related to the threat hunting activity.

type: keyword

cisco.amp.threat_hunting.incident_summary

Summary of the outcome on the threat hunting activity.

type: keyword

cisco.amp.threat_hunting.incident_remediation

Recommendations to resolve the vulnerability or exploited host.

type: keyword

cisco.amp.threat_hunting.incident_id

The ID of the related incident for the threat hunting activity.

type: keyword

cisco.amp.threat_hunting.incident_end_time

When the threat hunt finalized or closed.

type: date

cisco.amp.threat_hunting.incident_start_time

When the threat hunt was initiated.

type: date

cisco.amp.file.attack_details.indicators

Different indicator types that match the exploit detected, for example different MITRE tactics.

type: flattened

cisco.amp.threat_hunting.tactics

List of all MITRE tactics related to the incident found.

type: flattened

cisco.amp.threat_hunting.techniques

List of all MITRE techniques related to the incident found.

type: flattened

cisco.amp.tactics

List of all MITRE tactics related to the incident found.

type: flattened

cisco.amp.mitre_tactics

Array of all related MITRE tactic IDs.

type: keyword

cisco.amp.techniques

List of all MITRE techniques related to the incident found.

type: flattened

cisco.amp.mitre_techniques

Array of all related MITRE technique IDs.

type: keyword

cisco.amp.command_line.arguments

The CLI arguments related to the Cloud Threat IOC reported by Cisco.

type: keyword

cisco.amp.bp_data

Endpoint isolation information

type: flattened

cisco.asa

Fields for Cisco ASA Firewall.

cisco.asa.message_id

The Cisco ASA message identifier.

type: keyword

cisco.asa.suffix

Optional suffix after %ASA identifier.

type: keyword

example: session

cisco.asa.source_interface

Source interface for the flow or event.

type: keyword

cisco.asa.destination_interface

Destination interface for the flow or event.

type: keyword

cisco.asa.rule_name

Name of the Access Control List rule that matched this event.

type: keyword

cisco.asa.source_username

Name of the user that is the source for this event.

type: keyword

cisco.asa.destination_username

Name of the user that is the destination for this event.

type: keyword

cisco.asa.mapped_source_ip

The translated source IP address.

type: ip

cisco.asa.mapped_source_host

The translated source host.

type: keyword

cisco.asa.mapped_source_port

The translated source port.

type: long

cisco.asa.mapped_destination_ip

The translated destination IP address.

type: ip

cisco.asa.mapped_destination_host

The translated destination host.

type: keyword

cisco.asa.mapped_destination_port

The translated destination port.

type: long

cisco.asa.threat_level

Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword

cisco.asa.threat_category

Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword

cisco.asa.connection_id

Unique identifier for a flow.

type: keyword

cisco.asa.icmp_type

ICMP type.

type: short

cisco.asa.icmp_code

ICMP code.

type: short

cisco.asa.connection_type

The VPN connection type

type: keyword

cisco.asa.dap_records

The assigned DAP records

type: keyword

cisco.asa.command_line_arguments

The command line arguments logged by the local audit log

type: keyword

cisco.asa.assigned_ip

The IP address assigned to a VPN client successfully connecting

type: ip

cisco.asa.privilege.old

When a user's privilege is changed, this is the old value.

type: keyword

cisco.asa.privilege.new

When a user's privilege is changed, this is the new value.

type: keyword

cisco.asa.burst.object

The related object for burst warnings

type: keyword

cisco.asa.burst.id

The related rate ID for burst warnings

type: keyword

cisco.asa.burst.current_rate

The current burst rate seen

type: keyword

cisco.asa.burst.configured_rate

The current configured burst rate

type: keyword

cisco.asa.burst.avg_rate

The current average burst rate seen

type: keyword

cisco.asa.burst.configured_avg_rate

The current configured average burst rate allowed

type: keyword

cisco.asa.burst.cumulative_count

The total count of burst rate hits since the object was created or cleared

type: keyword

cisco.ftd

Fields for Cisco Firepower Threat Defense Firewall.

cisco.ftd.message_id

The Cisco FTD message identifier.

type: keyword

cisco.ftd.suffix

Optional suffix after %FTD identifier.

type: keyword

example: session

cisco.ftd.source_interface

Source interface for the flow or event.

type: keyword

cisco.ftd.destination_interface

Destination interface for the flow or event.

type: keyword

cisco.ftd.rule_name

Name of the Access Control List rule that matched this event.

type: keyword

cisco.ftd.source_username

Name of the user that is the source for this event.

type: keyword

cisco.ftd.destination_username

Name of the user that is the destination for this event.

type: keyword

cisco.ftd.mapped_source_ip

The translated source IP address. Use ECS source.nat.ip.

type: ip

cisco.ftd.mapped_source_host

The translated source host.

type: keyword

cisco.ftd.mapped_source_port

The translated source port. Use ECS source.nat.port.

type: long

cisco.ftd.mapped_destination_ip

The translated destination IP address. Use ECS destination.nat.ip.

type: ip

cisco.ftd.mapped_destination_host

The translated destination host.

type: keyword

cisco.ftd.mapped_destination_port

The translated destination port. Use ECS destination.nat.port.

type: long

cisco.ftd.threat_level

Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword

cisco.ftd.threat_category

Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword

cisco.ftd.connection_id

Unique identifier for a flow.

type: keyword

cisco.ftd.icmp_type

ICMP type.

type: short

cisco.ftd.icmp_code

ICMP code.

type: short

cisco.ftd.security

Raw fields for Security Events.

type: object

cisco.ftd.connection_type

The VPN connection type

type: keyword

cisco.ftd.dap_records

The assigned DAP records

type: keyword

cisco.ios

Fields for Cisco IOS logs.

cisco.ios.access_list

Name of the IP access list.

type: keyword

cisco.ios.facility

The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.

type: keyword

example: SEC

network.interface.name

Name of the network interface where the traffic has been observed.

type: keyword

rsa.internal.msg

This key is used to capture the raw message that comes into the Log Decoder

type: keyword

rsa.internal.messageid

type: keyword

rsa.internal.event_desc

type: keyword

rsa.internal.message

This key captures the contents of instant messages

type: keyword

rsa.internal.time

This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.

type: date

rsa.internal.level

Deprecated key defined only in table map.

type: long

rsa.internal.msg_id

This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.msg_vid

This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.data

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_server

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_val

Deprecated key defined only in table map.

type: keyword

rsa.internal.resource

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_id

Deprecated key defined only in table map.

type: keyword

rsa.internal.statement

Deprecated key defined only in table map.

type: keyword

rsa.internal.audit_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.entry

Deprecated key defined only in table map.

type: keyword

rsa.internal.hcode

Deprecated key defined only in table map.

type: keyword

rsa.internal.inode

Deprecated key defined only in table map.

type: long

rsa.internal.resource_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.dead

Deprecated key defined only in table map.

type: long

rsa.internal.feed_desc

This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.feed_name

This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.cid

This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_class

This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_group

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_host

This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_ip

This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.device_ipv6

This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.device_type

This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.device_type_id

Deprecated key defined only in table map.

type: long

rsa.internal.did

This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.entropy_req

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long

rsa.internal.entropy_res

This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration

type: long

rsa.internal.event_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.feed_category

This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.forward_ip

This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.

type: ip

rsa.internal.forward_ipv6

This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: ip

rsa.internal.header_id

This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.lc_cid

This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.lc_ctime

This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: date

rsa.internal.mcb_req

This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most

type: long

rsa.internal.mcb_res

This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most

type: long

rsa.internal.mcbc_req

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long

rsa.internal.mcbc_res

This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams

type: long

rsa.internal.medium

This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session

type: long

rsa.internal.node_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.nwe_callback_id

This key denotes that event is endpoint related

type: keyword

rsa.internal.parse_error

This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.payload_req

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.payload_res

This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.process_vid_dst

Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.

type: keyword

rsa.internal.process_vid_src

Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.

type: keyword

rsa.internal.rid

This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long

rsa.internal.session_split

This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.site

Deprecated key defined only in table map.

type: keyword

rsa.internal.size

This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: long

rsa.internal.sourcefile

This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.internal.ubc_req

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long

rsa.internal.ubc_res

This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once

type: long

rsa.internal.word

This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log.

type: keyword

rsa.time.event_time

This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form.

type: date

rsa.time.duration_time

This key is used to capture the normalized duration/lifetime in seconds.

type: double

rsa.time.event_time_str

This key is used to capture the incomplete time mentioned in a session as a string

type: keyword

rsa.time.starttime

This key is used to capture the Start time mentioned in a session in a standard form

type: date

rsa.time.month

type: keyword

rsa.time.day

type: keyword

rsa.time.endtime

This key is used to capture the End time mentioned in a session in a standard form

type: date

rsa.time.timezone

This key is used to capture the timezone of the Event Time

type: keyword

rsa.time.duration_str

A text string version of the duration

type: keyword

rsa.time.date

type: keyword

rsa.time.year

type: keyword

rsa.time.recorded_time

The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date

rsa.time.datetime

type: keyword

rsa.time.effective_time

This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date

rsa.time.expire_time

This key is the timestamp that explicitly refers to an expiration.

type: date

rsa.time.process_time

Deprecated, use duration.time

type: keyword

rsa.time.hour

type: keyword

rsa.time.min

type: keyword

rsa.time.timestamp

type: keyword

rsa.time.event_queue_time

This key is the Time that the event was queued.

type: date

rsa.time.p_time1

type: keyword

rsa.time.tzone

type: keyword

rsa.time.eventtime

type: keyword

rsa.time.gmtdate

type: keyword

rsa.time.gmttime

type: keyword

rsa.time.p_date

type: keyword

rsa.time.p_month

type: keyword

rsa.time.p_time

type: keyword

rsa.time.p_time2

type: keyword

rsa.time.p_year

type: keyword

rsa.time.expire_time_str

This key is used to capture incomplete timestamp that explicitly refers to an expiration.

type: keyword

rsa.time.stamp

Deprecated key defined only in table map.

type: date

rsa.misc.action

type: keyword

rsa.misc.result

This key is used to capture the outcome/result string value of an action in a session.

type: keyword

rsa.misc.severity

This key is used to capture the severity given in the session.

type: keyword

rsa.misc.event_type

This key captures the event category type as specified by the event source.

type: keyword

rsa.misc.reference_id

This key is used to capture an event id from the session directly

type: keyword

rsa.misc.version

This key captures Version of the application or OS which is generating the event.

type: keyword

rsa.misc.disposition

This key captures the end state of an action.

type: keyword

rsa.misc.result_code

This key is used to capture the outcome/result numeric value of an action in a session

type: keyword

rsa.misc.category

This key is used to capture the category of an event given by the vendor in the session

type: keyword

rsa.misc.obj_name

This is used to capture the name of the object.

type: keyword

rsa.misc.obj_type

This is used to capture the type of the object.

type: keyword

rsa.misc.event_source

This key captures the source of the event when it is not a hostname.

type: keyword

rsa.misc.log_session_id

This key is used to capture a sessionid from the session directly

type: keyword

rsa.misc.group

This key captures the Group Name value

type: keyword

rsa.misc.policy_name

This key is used to capture the Policy Name only.

type: keyword

rsa.misc.rule_name

This key captures the Rule Name

type: keyword

rsa.misc.context

This key captures Information which adds additional context to the event.

type: keyword

rsa.misc.change_new

This key is used to capture the new values of the attribute that’s changing in a session

type: keyword

rsa.misc.space

type: keyword

rsa.misc.client

This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword

rsa.misc.msgIdPart1

type: keyword

rsa.misc.msgIdPart2

type: keyword

rsa.misc.change_old

This key is used to capture the old value of the attribute that’s changing in a session

type: keyword

rsa.misc.operation_id

An alert number or operation number. The values should be unique and non-repeating.

type: keyword

rsa.misc.event_state

This key captures the current state of the object/item referenced within the event. Describing an on-going event.

type: keyword

rsa.misc.group_object

This key captures a collection/grouping of entities. Specific usage

type: keyword

rsa.misc.node

Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword

rsa.misc.rule

This key captures the Rule number

type: keyword

rsa.misc.device_name

This is used to capture the name of the device associated with the node, for example a physical disk or printer.

type: keyword

rsa.misc.param

This key is the parameters passed as part of a command or application, etc.

type: keyword

rsa.misc.change_attrib

This key is used to capture the name of the attribute that’s changing in a session

type: keyword

rsa.misc.event_computer

This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.

type: keyword

rsa.misc.reference_id1

This key is for Linked ID to be used as an addition to "reference.id"

type: keyword

rsa.misc.event_log

This key captures the Name of the event log

type: keyword

rsa.misc.OS

This key captures the Name of the Operating System

type: keyword

rsa.misc.terminal

This key captures the Terminal Names only

type: keyword

rsa.misc.msgIdPart3

type: keyword

rsa.misc.filter

This key captures Filter used to reduce result set

type: keyword

rsa.misc.serial_number

This key is the Serial number associated with a physical asset.

type: keyword

rsa.misc.checksum

This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword

rsa.misc.event_user

This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log.

type: keyword

rsa.misc.virusname

This key captures the name of the virus

type: keyword

rsa.misc.content_type

This key is used to capture Content Type only.

type: keyword

rsa.misc.group_id

This key captures Group ID Number (related to the group name)

type: keyword

rsa.misc.policy_id

This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword

rsa.misc.vsys

This key captures Virtual System Name

type: keyword

rsa.misc.connection_id

This key captures the Connection ID

type: keyword

rsa.misc.reference_id2

This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword

rsa.misc.sensor

This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword

rsa.misc.sig_id

This key captures the IDS/IPS integer signature ID.

type: long

rsa.misc.port_name

This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword

rsa.misc.rule_group

This key captures the Rule group name

type: keyword

rsa.misc.risk_num

This key captures a Numeric Risk value

type: double

rsa.misc.trigger_val

This key captures the Value of the trigger or threshold condition.

type: keyword

rsa.misc.log_session_id1

This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword

rsa.misc.comp_version

This key captures the Version level of a sub-component of a product.

type: keyword

rsa.misc.content_version

This key captures Version level of a signature or database content.

type: keyword

rsa.misc.hardware_id

This key is used to capture a unique identifier for a device or system (NOT a MAC address).

type: keyword

rsa.misc.risk

This key captures the non-numeric risk value

type: keyword

rsa.misc.event_id

type: keyword

rsa.misc.reason

type: keyword

rsa.misc.status

type: keyword

rsa.misc.mail_id

This key is used to capture the mailbox id/name

type: keyword

rsa.misc.rule_uid

This key is the Unique Identifier for a rule.

type: keyword

rsa.misc.trigger_desc

This key captures the Description of the trigger or threshold condition.

type: keyword

rsa.misc.inout

type: keyword

rsa.misc.p_msgid

type: keyword

rsa.misc.data_type

type: keyword

rsa.misc.msgIdPart4

type: keyword

rsa.misc.error

This key captures all non-successful error codes or responses.

type: keyword

rsa.misc.index

type: keyword

rsa.misc.listnum

This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword

rsa.misc.ntype

type: keyword

rsa.misc.observed_val

This key captures the Value observed (from the perspective of the device generating the log).

type: keyword

rsa.misc.policy_value

This key captures the contents of the policy. This contains details about the policy

type: keyword

rsa.misc.pool_name

This key captures the name of a resource pool

type: keyword

rsa.misc.rule_template

A default set of parameters which are overlaid onto a rule (or rule name) and which effectively constitute a template.

type: keyword

rsa.misc.count

type: keyword

rsa.misc.number

type: keyword

rsa.misc.sigcat

type: keyword

rsa.misc.type

type: keyword

rsa.misc.comments

Comment information provided in the log message

type: keyword

rsa.misc.doc_number

This key captures File Identification number

type: long

rsa.misc.expected_val

This key captures the Value expected (from the perspective of the device generating the log).

type: keyword

rsa.misc.job_num

This key captures the Job Number

type: keyword

rsa.misc.spi_dst

Destination SPI Index

type: keyword

rsa.misc.spi_src

Source SPI Index

type: keyword

rsa.misc.code

type: keyword

rsa.misc.agent_id

This key is used to capture agent id

type: keyword

rsa.misc.message_body

This key captures the contents of the message body.

type: keyword

rsa.misc.phone

type: keyword

rsa.misc.sig_id_str

This key captures a string object of the sigid variable.

type: keyword

rsa.misc.cmd

type: keyword

rsa.misc.misc

type: keyword

rsa.misc.name

type: keyword

rsa.misc.cpu

This key is the CPU time used in the execution of the event being recorded.

type: long

rsa.misc.event_desc

This key is used to capture a description of an event available directly or inferred

type: keyword

rsa.misc.sig_id1

This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id

type: long

rsa.misc.im_buddyid

type: keyword

rsa.misc.im_client

type: keyword

rsa.misc.im_userid

type: keyword

rsa.misc.pid

type: keyword

rsa.misc.priority

type: keyword

rsa.misc.context_subject

This key is to be used in an audit context where the subject is the object being identified

type: keyword

rsa.misc.context_target

type: keyword

rsa.misc.cve

This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword

rsa.misc.fcatnum

This key captures Filter Category Number. Legacy Usage

type: keyword

rsa.misc.library

This key is used to capture library information in mainframe devices

type: keyword

rsa.misc.parent_node

This key captures the Parent Node Name. Must be related to node variable.

type: keyword

rsa.misc.risk_info

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.tcp_flags

This key captures the TCP flags set in any packet of a session

type: long

rsa.misc.tos

This key describes the type of service

type: long

rsa.misc.vm_target

VMware Target. VMware-only variable.

type: keyword

rsa.misc.workspace

This key captures Workspace Description

type: keyword

rsa.misc.command

type: keyword

rsa.misc.event_category

type: keyword

rsa.misc.facilityname

type: keyword

rsa.misc.forensic_info

type: keyword

rsa.misc.jobname

type: keyword

rsa.misc.mode

type: keyword

rsa.misc.policy

type: keyword

rsa.misc.policy_waiver

type: keyword

rsa.misc.second

type: keyword

rsa.misc.space1

type: keyword

rsa.misc.subcategory

type: keyword

rsa.misc.tbdstr2

type: keyword

rsa.misc.alert_id

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.checksum_dst

This key is used to capture the checksum or hash of the target entity such as a process or file.

type: keyword

rsa.misc.checksum_src

This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword

rsa.misc.fresult

This key captures the Filter Result

type: long

rsa.misc.payload_dst

This key is used to capture destination payload

type: keyword

rsa.misc.payload_src

This key is used to capture source payload

type: keyword

rsa.misc.pool_id

This key captures the identifier (typically numeric field) of a resource pool

type: keyword

rsa.misc.process_id_val

This key is a failure key for Process ID when it is not an integer value

type: keyword

rsa.misc.risk_num_comm

This key captures Risk Number Community

type: double

rsa.misc.risk_num_next

This key captures Risk Number NextGen

type: double

rsa.misc.risk_num_sand

This key captures Risk Number SandBox

type: double

rsa.misc.risk_num_static

This key captures Risk Number Static

type: double

rsa.misc.risk_suspicious

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.risk_warning

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.snmp_oid

SNMP Object Identifier

type: keyword

rsa.misc.sql

This key captures the SQL query

type: keyword

rsa.misc.vuln_ref

This key captures the Vulnerability Reference details

type: keyword

rsa.misc.acl_id

type: keyword

rsa.misc.acl_op

type: keyword

rsa.misc.acl_pos

type: keyword

rsa.misc.acl_table

type: keyword

rsa.misc.admin

type: keyword

rsa.misc.alarm_id

type: keyword

rsa.misc.alarmname

type: keyword

rsa.misc.app_id

type: keyword

rsa.misc.audit

type: keyword

rsa.misc.audit_object

type: keyword

rsa.misc.auditdata

type: keyword

rsa.misc.benchmark

type: keyword

rsa.misc.bypass

type: keyword

rsa.misc.cache

type: keyword

rsa.misc.cache_hit

type: keyword

rsa.misc.cefversion

type: keyword

rsa.misc.cfg_attr

type: keyword

rsa.misc.cfg_obj

type: keyword

rsa.misc.cfg_path

type: keyword

rsa.misc.changes

type: keyword

rsa.misc.client_ip

type: keyword

rsa.misc.clustermembers

type: keyword

rsa.misc.cn_acttimeout

type: keyword

rsa.misc.cn_asn_src

type: keyword

rsa.misc.cn_bgpv4nxthop

type: keyword

rsa.misc.cn_ctr_dst_code

type: keyword

rsa.misc.cn_dst_tos

type: keyword

rsa.misc.cn_dst_vlan

type: keyword

rsa.misc.cn_engine_id

type: keyword

rsa.misc.cn_engine_type

type: keyword

rsa.misc.cn_f_switch

type: keyword

rsa.misc.cn_flowsampid

type: keyword

rsa.misc.cn_flowsampintv

type: keyword

rsa.misc.cn_flowsampmode

type: keyword

rsa.misc.cn_inacttimeout

type: keyword

rsa.misc.cn_inpermbyts

type: keyword

rsa.misc.cn_inpermpckts

type: keyword

rsa.misc.cn_invalid

type: keyword

rsa.misc.cn_ip_proto_ver

type: keyword

rsa.misc.cn_ipv4_ident

type: keyword

rsa.misc.cn_l_switch

type: keyword

rsa.misc.cn_log_did

type: keyword

rsa.misc.cn_log_rid

type: keyword

rsa.misc.cn_max_ttl

type: keyword

rsa.misc.cn_maxpcktlen

type: keyword

rsa.misc.cn_min_ttl

type: keyword

rsa.misc.cn_minpcktlen

type: keyword

rsa.misc.cn_mpls_lbl_1

type: keyword

rsa.misc.cn_mpls_lbl_10

type: keyword

rsa.misc.cn_mpls_lbl_2

type: keyword

rsa.misc.cn_mpls_lbl_3

type: keyword

rsa.misc.cn_mpls_lbl_4

type: keyword

rsa.misc.cn_mpls_lbl_5

type: keyword

rsa.misc.cn_mpls_lbl_6

type: keyword

rsa.misc.cn_mpls_lbl_7

type: keyword

rsa.misc.cn_mpls_lbl_8

type: keyword

rsa.misc.cn_mpls_lbl_9

type: keyword

rsa.misc.cn_mplstoplabel

type: keyword

rsa.misc.cn_mplstoplabip

type: keyword

rsa.misc.cn_mul_dst_byt

type: keyword

rsa.misc.cn_mul_dst_pks

type: keyword

rsa.misc.cn_muligmptype

type: keyword

rsa.misc.cn_sampalgo

type: keyword

rsa.misc.cn_sampint

type: keyword

rsa.misc.cn_seqctr

type: keyword

rsa.misc.cn_spackets

type: keyword

rsa.misc.cn_src_tos

type: keyword

rsa.misc.cn_src_vlan

type: keyword

rsa.misc.cn_sysuptime

type: keyword

rsa.misc.cn_template_id

type: keyword

rsa.misc.cn_totbytsexp

type: keyword

rsa.misc.cn_totflowexp

type: keyword

rsa.misc.cn_totpcktsexp

type: keyword

rsa.misc.cn_unixnanosecs

type: keyword

rsa.misc.cn_v6flowlabel

type: keyword

rsa.misc.cn_v6optheaders

type: keyword

rsa.misc.comp_class

type: keyword

rsa.misc.comp_name

type: keyword

rsa.misc.comp_rbytes

type: keyword

rsa.misc.comp_sbytes

type: keyword

rsa.misc.cpu_data

type: keyword

rsa.misc.criticality

type: keyword

rsa.misc.cs_agency_dst

type: keyword

rsa.misc.cs_analyzedby

type: keyword

rsa.misc.cs_av_other

type: keyword

rsa.misc.cs_av_primary

type: keyword

rsa.misc.cs_av_secondary

type: keyword

rsa.misc.cs_bgpv6nxthop

type: keyword

rsa.misc.cs_bit9status

type: keyword

rsa.misc.cs_context

type: keyword

rsa.misc.cs_control

type: keyword

rsa.misc.cs_data

type: keyword

rsa.misc.cs_datecret

type: keyword

rsa.misc.cs_dst_tld

type: keyword

rsa.misc.cs_eth_dst_ven

type: keyword

rsa.misc.cs_eth_src_ven

type: keyword

rsa.misc.cs_event_uuid

type: keyword

rsa.misc.cs_filetype

type: keyword

rsa.misc.cs_fld

type: keyword

rsa.misc.cs_if_desc

type: keyword

rsa.misc.cs_if_name

type: keyword

rsa.misc.cs_ip_next_hop

type: keyword

rsa.misc.cs_ipv4dstpre

type: keyword

rsa.misc.cs_ipv4srcpre

type: keyword

rsa.misc.cs_lifetime

type: keyword

rsa.misc.cs_log_medium

type: keyword

rsa.misc.cs_loginname

type: keyword

rsa.misc.cs_modulescore

type: keyword

rsa.misc.cs_modulesign

type: keyword

rsa.misc.cs_opswatresult

type: keyword

rsa.misc.cs_payload

type: keyword

rsa.misc.cs_registrant

type: keyword

rsa.misc.cs_registrar

type: keyword

rsa.misc.cs_represult

type: keyword

rsa.misc.cs_rpayload

type: keyword

rsa.misc.cs_sampler_name

type: keyword

rsa.misc.cs_sourcemodule

type: keyword

rsa.misc.cs_streams

type: keyword

rsa.misc.cs_targetmodule

type: keyword

rsa.misc.cs_v6nxthop

type: keyword

rsa.misc.cs_whois_server

type: keyword

rsa.misc.cs_yararesult

type: keyword

rsa.misc.description

type: keyword

rsa.misc.devvendor

type: keyword

rsa.misc.distance

type: keyword

rsa.misc.dstburb

type: keyword

rsa.misc.edomain

type: keyword

rsa.misc.edomaub

type: keyword

rsa.misc.euid

type: keyword

rsa.misc.facility

type: keyword

rsa.misc.finterface

type: keyword

rsa.misc.flags

type: keyword

rsa.misc.gaddr

type: keyword

rsa.misc.id3

type: keyword

rsa.misc.im_buddyname

type: keyword

rsa.misc.im_croomid

type: keyword

rsa.misc.im_croomtype

type: keyword

rsa.misc.im_members

type: keyword

rsa.misc.im_username

type: keyword

rsa.misc.ipkt

type: keyword

rsa.misc.ipscat

type: keyword

rsa.misc.ipspri

type: keyword

rsa.misc.latitude

type: keyword

rsa.misc.linenum

type: keyword

rsa.misc.list_name

type: keyword

rsa.misc.load_data

type: keyword

rsa.misc.location_floor

type: keyword

rsa.misc.location_mark

type: keyword

rsa.misc.log_id

type: keyword

rsa.misc.log_type

type: keyword

rsa.misc.logid

type: keyword

rsa.misc.logip

type: keyword

rsa.misc.logname

type: keyword

rsa.misc.longitude

type: keyword

rsa.misc.lport

type: keyword

rsa.misc.mbug_data

type: keyword

rsa.misc.misc_name

type: keyword

rsa.misc.msg_type

type: keyword

rsa.misc.msgid

type: keyword

rsa.misc.netsessid

type: keyword

rsa.misc.num

type: keyword

rsa.misc.number1

type: keyword

rsa.misc.number2

type: keyword

rsa.misc.nwwn

type: keyword

rsa.misc.object

type: keyword

rsa.misc.operation

type: keyword

rsa.misc.opkt

type: keyword

rsa.misc.orig_from

type: keyword

rsa.misc.owner_id

type: keyword

rsa.misc.p_action

type: keyword

rsa.misc.p_filter

type: keyword

rsa.misc.p_group_object

type: keyword

rsa.misc.p_id

type: keyword

rsa.misc.p_msgid1

type: keyword

rsa.misc.p_msgid2

type: keyword

rsa.misc.p_result1

type: keyword

rsa.misc.password_chg

type: keyword

rsa.misc.password_expire

type: keyword

rsa.misc.permgranted

type: keyword

rsa.misc.permwanted

type: keyword

rsa.misc.pgid

type: keyword

rsa.misc.policyUUID

type: keyword

rsa.misc.prog_asp_num

type: keyword

rsa.misc.program

type: keyword

rsa.misc.real_data

type: keyword

rsa.misc.rec_asp_device

type: keyword

rsa.misc.rec_asp_num

type: keyword

rsa.misc.rec_library

type: keyword

rsa.misc.recordnum

type: keyword

rsa.misc.ruid

type: keyword

rsa.misc.sburb

type: keyword

rsa.misc.sdomain_fld

type: keyword

rsa.misc.sec

type: keyword

rsa.misc.sensorname

type: keyword

rsa.misc.seqnum

type: keyword

rsa.misc.session

type: keyword

rsa.misc.sessiontype

type: keyword

rsa.misc.sigUUID

type: keyword

rsa.misc.spi

type: keyword

rsa.misc.srcburb

type: keyword

rsa.misc.srcdom

type: keyword

rsa.misc.srcservice

type: keyword

rsa.misc.state

type: keyword

rsa.misc.status1

type: keyword

rsa.misc.svcno

type: keyword

rsa.misc.system

type: keyword

rsa.misc.tbdstr1

type: keyword

rsa.misc.tgtdom

type: keyword

rsa.misc.tgtdomain

type: keyword

rsa.misc.threshold

type: keyword

rsa.misc.type1

type: keyword

rsa.misc.udb_class

type: keyword

rsa.misc.url_fld

type: keyword

rsa.misc.user_div

type: keyword

rsa.misc.userid

type: keyword

rsa.misc.username_fld

type: keyword

rsa.misc.utcstamp

type: keyword

rsa.misc.v_instafname

type: keyword

rsa.misc.virt_data

type: keyword

rsa.misc.vpnid

type: keyword

rsa.misc.autorun_type

This is used to capture the Auto Run type

type: keyword

rsa.misc.cc_number

Valid Credit Card Numbers only

type: long

rsa.misc.content

This key captures the content type from protocol headers

type: keyword

rsa.misc.ein_number

Employee Identification Numbers only

type: long

rsa.misc.found

This is used to capture the results of a regex match

type: keyword

rsa.misc.language

This is used to capture the list of languages the client supports and which one it prefers

type: keyword

rsa.misc.lifetime

This key is used to capture the session lifetime in seconds.

type: long

rsa.misc.link

This key is used to link sessions together. This key should never be used to parse meta data from a session (logs/packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.misc.match

This key is for regex match name from search.ini

type: keyword

rsa.misc.param_dst

This key captures the command line/launch argument of the target process or file

type: keyword

rsa.misc.param_src

This key captures source parameter

type: keyword

rsa.misc.search_text

This key captures the Search Text used

type: keyword

rsa.misc.sig_name

This key is used to capture the Signature Name only.

type: keyword

rsa.misc.snmp_value

SNMP set request value

type: keyword

rsa.misc.streams

This key captures the number of streams in a session

type: long

rsa.db.index

This key captures IndexID of the index.

type: keyword

rsa.db.instance

This key is used to capture the database server instance name

type: keyword

rsa.db.database

This key is used to capture the name of a database or an instance as seen in a session

type: keyword

rsa.db.transact_id

This key captures the SQL transaction ID of the current session

type: keyword

rsa.db.permissions

This key captures permission or privilege level assigned to a resource.

type: keyword

rsa.db.table_name

This key is used to capture the table name

type: keyword

rsa.db.db_id

This key is used to capture the unique identifier for a database

type: keyword

rsa.db.db_pid

This key captures the process ID of a connection with the database server

type: long

rsa.db.lread

This key is used for the number of logical reads

type: long

rsa.db.lwrite

This key is used for the number of logical writes

type: long

rsa.db.pread

This key is used for the number of physical writes

type: long

rsa.network.alias_host

This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname that isn't ad.computer.

type: keyword

rsa.network.domain

type: keyword

rsa.network.host_dst

This key should only be used when it’s a Destination Hostname

type: keyword

rsa.network.network_service

This is used to capture layer 7 protocols/service names

type: keyword

rsa.network.interface

This key should be used when the source or destination context of an interface is not clear

type: keyword

rsa.network.network_port

Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)

type: long

rsa.network.eth_host

Deprecated, use alias.mac

type: keyword

rsa.network.sinterface

This key should only be used when it’s a Source Interface

type: keyword

rsa.network.dinterface

This key should only be used when it’s a Destination Interface

type: keyword

rsa.network.vlan

This key should only be used to capture the ID of the Virtual LAN

type: long

rsa.network.zone_src

This key should only be used when it’s a Source Zone.

type: keyword

rsa.network.zone

This key should be used when the source or destination context of a Zone is not clear

type: keyword

rsa.network.zone_dst

This key should only be used when it’s a Destination Zone.

type: keyword

rsa.network.gateway

This key is used to capture the IP Address of the gateway

type: keyword

rsa.network.icmp_type

This key is used to capture the ICMP type only

type: long

rsa.network.mask

This key is used to capture the device network IP mask.

type: keyword

rsa.network.icmp_code

This key is used to capture the ICMP code only

type: long

rsa.network.protocol_detail

This key should be used to capture additional protocol information

type: keyword

rsa.network.dmask

This key is used for the Destination Device network mask

type: keyword

rsa.network.port

This key should only be used to capture a Network Port when the directionality is not clear

type: long

rsa.network.smask

This key is used for capturing source Network Mask

type: keyword

rsa.network.netname

This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword

rsa.network.paddr

Deprecated

type: ip

rsa.network.faddr

type: keyword

rsa.network.lhost

type: keyword

rsa.network.origin

type: keyword

rsa.network.remote_domain_id

type: keyword

rsa.network.addr

type: keyword

rsa.network.dns_a_record

type: keyword

rsa.network.dns_ptr_record

type: keyword

rsa.network.fhost

type: keyword

rsa.network.fport

type: keyword

rsa.network.laddr

type: keyword

rsa.network.linterface

type: keyword

rsa.network.phost

type: keyword

rsa.network.ad_computer_dst

Deprecated, use host.dst

type: keyword

rsa.network.eth_type

This key is used to capture the Ethernet Type; used for Layer 3 protocols only

type: long

rsa.network.ip_proto

This key should be used to capture the protocol number; all protocol numbers are converted into strings in the UI

type: long

rsa.network.dns_cname_record

type: keyword

rsa.network.dns_id

type: keyword

rsa.network.dns_opcode

type: keyword

rsa.network.dns_resp

type: keyword

rsa.network.dns_type

type: keyword

rsa.network.domain1

type: keyword

rsa.network.host_type

type: keyword

rsa.network.packet_length

type: keyword

rsa.network.host_orig

This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword

rsa.network.rpayload

This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword

rsa.network.vlan_name

This key should only be used to capture the name of the Virtual LAN

type: keyword

rsa.investigations.ec_activity

This key captures the particular event activity (Ex: Logoff)

type: keyword

rsa.investigations.ec_theme

This key captures the Theme of a particular Event (Ex: Authentication)

type: keyword

rsa.investigations.ec_subject

This key captures the Subject of a particular Event (Ex: User)

type: keyword

rsa.investigations.ec_outcome

This key captures the outcome of a particular Event (Ex: Success)

type: keyword

rsa.investigations.event_cat

This key captures the Event category number

type: long

rsa.investigations.event_cat_name

This key captures the event category name corresponding to the event cat code

type: keyword

rsa.investigations.event_vcat

This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword

rsa.investigations.analysis_file

This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword

rsa.investigations.analysis_service

This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword

rsa.investigations.analysis_session

This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword

rsa.investigations.boc

This is used to capture behaviour of compromise

type: keyword

rsa.investigations.eoc

This is used to capture Enablers of Compromise

type: keyword

rsa.investigations.inv_category

This is used to capture the investigation category

type: keyword

rsa.investigations.inv_context

This is used to capture the investigation context

type: keyword

rsa.investigations.ioc

This key is used to capture indicators of compromise

type: keyword

rsa.counters.dclass_c1

This is a generic counter key that should be used with the label dclass.c1.str only

type: long

rsa.counters.dclass_c2

This is a generic counter key that should be used with the label dclass.c2.str only

type: long

rsa.counters.event_counter

This is used to capture the number of times an event repeated

type: long

rsa.counters.dclass_r1

This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword

rsa.counters.dclass_c3

This is a generic counter key that should be used with the label dclass.c3.str only

type: long

rsa.counters.dclass_c1_str

This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword

rsa.counters.dclass_c2_str

This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword

rsa.counters.dclass_r1_str

This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword

rsa.counters.dclass_r2

This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword

rsa.counters.dclass_c3_str

This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword

rsa.counters.dclass_r3

This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword

rsa.counters.dclass_r2_str

This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword

rsa.counters.dclass_r3_str

This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword

rsa.identity.auth_method

This key is used to capture authentication methods used only

type: keyword

rsa.identity.user_role

This key is used to capture the Role of a user only

type: keyword

rsa.identity.dn

X.500 (LDAP) Distinguished Name

type: keyword

rsa.identity.logon_type

This key is used to capture the type of logon method used.

type: keyword

rsa.identity.profile

This key is used to capture the user profile

type: keyword

rsa.identity.accesses

This key is used to capture actual privileges used in accessing an object

type: keyword

rsa.identity.realm

Radius realm or similar grouping of accounts

type: keyword

rsa.identity.user_sid_dst

This key captures Destination User Session ID

type: keyword

rsa.identity.dn_src

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword

rsa.identity.org

This key captures the User organization

type: keyword

rsa.identity.dn_dst

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn

type: keyword

rsa.identity.firstname

This key is for First Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.identity.lastname

This key is for Last Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.identity.user_dept

User’s Department Names only

type: keyword

rsa.identity.user_sid_src

This key captures Source User Session ID

type: keyword

rsa.identity.federated_sp

This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword

rsa.identity.federated_idp

This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword

rsa.identity.logon_type_desc

This key is used to capture the textual description of an integer logon type as stored in the meta key logon.type.

type: keyword

rsa.identity.middlename

This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.identity.password

This key is for Passwords seen in any session, plain text or encrypted

type: keyword

rsa.identity.host_role

This key should only be used to capture the role of a Host Machine

type: keyword

rsa.identity.ldap

This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context

type: keyword

rsa.identity.ldap_query

This key is the Search criteria from an LDAP search

type: keyword

rsa.identity.ldap_response

This key is used to capture the results from an LDAP search

type: keyword

rsa.identity.owner

This is used to capture the username the process or service is running as, i.e. the author of the task

type: keyword

rsa.identity.service_account

This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword

rsa.email.email_dst

This key is used to capture the Destination email address only; when the destination context is not clear, use email

type: keyword

rsa.email.email_src

This key is used to capture the source email address only; when the source context is not clear, use email

type: keyword

rsa.email.subject

This key is used to capture the subject string from an Email only.

type: keyword

rsa.email.email

This key is used to capture a generic email address where the source or destination context is not clear

type: keyword

rsa.email.trans_from

Deprecated key defined only in table map.

type: keyword

rsa.email.trans_to

Deprecated key defined only in table map.

type: keyword

rsa.file.privilege

Deprecated, use permissions

type: keyword

rsa.file.attachment

This key captures the attachment file name

type: keyword

rsa.file.filesystem

type: keyword

rsa.file.binary

Deprecated key defined only in table map.

type: keyword

rsa.file.filename_dst

This is used to capture the name of the file targeted by the action

type: keyword

rsa.file.filename_src

This is used to capture the name of the parent file, i.e. the file which performed the action

type: keyword

rsa.file.filename_tmp

type: keyword

rsa.file.directory_dst

This key is used to capture the directory of the target process or file

type: keyword

rsa.file.directory_src

This key is used to capture the directory of the source process or file

type: keyword

rsa.file.file_entropy

This is used to capture the entropy value of a file

type: double

rsa.file.file_vendor

This is used to capture the company name of a file as found in version_info

type: keyword

rsa.file.task_name

This is used to capture the name of the task

type: keyword

rsa.web.fqdn

Fully Qualified Domain Names

type: keyword

rsa.web.web_cookie

This key is used to capture the Web cookies specifically.

type: keyword

rsa.web.alias_host

type: keyword

rsa.web.reputation_num

Reputation Number of an entity. Typically used for Web Domains

type: double

rsa.web.web_ref_domain

Web referer’s domain

type: keyword

rsa.web.web_ref_query

This key captures Web referer’s query portion of the URL

type: keyword

rsa.web.remote_domain

type: keyword

rsa.web.web_ref_page

This key captures Web referer’s page information

type: keyword

rsa.web.web_ref_root

Web referer’s root URL path

type: keyword

rsa.web.cn_asn_dst

type: keyword

rsa.web.cn_rpackets

type: keyword

rsa.web.urlpage

type: keyword

rsa.web.urlroot

type: keyword

rsa.web.p_url

type: keyword

rsa.web.p_user_agent

type: keyword

rsa.web.p_web_cookie

type: keyword

rsa.web.p_web_method

type: keyword

rsa.web.p_web_referer

type: keyword

rsa.web.web_extension_tmp

type: keyword

rsa.web.web_page

type: keyword

rsa.threat.threat_category

This key captures Threat Name/Threat Category/Categorization of alert

type: keyword

rsa.threat.threat_desc

This key is used to capture the threat description from the session directly or inferred

type: keyword

rsa.threat.alert

This key is used to capture the name of the alert

type: keyword

rsa.threat.threat_source

This key is used to capture the source of the threat

type: keyword

rsa.crypto.crypto

This key is used to capture the Encryption Type or Encryption Key only

type: keyword

rsa.crypto.cipher_src

This key is for Source (Client) Cipher

type: keyword

rsa.crypto.cert_subject

This key is used to capture the Certificate organization only

type: keyword

rsa.crypto.peer

This key is for Encryption peer’s IP Address

type: keyword

rsa.crypto.cipher_size_src

This key captures Source (Client) Cipher Size

type: long

rsa.crypto.ike

IKE negotiation phase.

type: keyword

rsa.crypto.scheme

This key captures the Encryption scheme used

type: keyword

rsa.crypto.peer_id

This key is for Encryption peer’s identity

type: keyword

rsa.crypto.sig_type

This key captures the Signature Type

type: keyword

rsa.crypto.cert_issuer

type: keyword

rsa.crypto.cert_host_name

Deprecated key defined only in table map.

type: keyword

rsa.crypto.cert_error

This key captures the Certificate Error String

type: keyword

rsa.crypto.cipher_dst

This key is for Destination (Server) Cipher

type: keyword

rsa.crypto.cipher_size_dst

This key captures Destination (Server) Cipher Size

type: long

rsa.crypto.ssl_ver_src

Deprecated, use version

type: keyword

rsa.crypto.d_certauth

type: keyword

rsa.crypto.s_certauth

type: keyword

rsa.crypto.ike_cookie1

ID of the negotiation — sent for ISAKMP Phase One

type: keyword

rsa.crypto.ike_cookie2

ID of the negotiation — sent for ISAKMP Phase Two

type: keyword

rsa.crypto.cert_checksum

type: keyword

rsa.crypto.cert_host_cat

This key is used for the hostname category value of a certificate

type: keyword

rsa.crypto.cert_serial

This key is used to capture the Certificate serial number only

type: keyword

rsa.crypto.cert_status

This key captures Certificate validation status

type: keyword

rsa.crypto.ssl_ver_dst

Deprecated, use version

type: keyword

rsa.crypto.cert_keysize

type: keyword

rsa.crypto.cert_username

type: keyword

rsa.crypto.https_insact

type: keyword

rsa.crypto.https_valid

type: keyword

rsa.crypto.cert_ca

This key is used to capture the Certificate signing authority only

type: keyword

rsa.crypto.cert_common

This key is used to capture the Certificate common name only

type: keyword

rsa.wireless.wlan_ssid

This key is used to capture the SSID of a Wireless Session

type: keyword

rsa.wireless.access_point

This key is used to capture the access point name.

type: keyword

rsa.wireless.wlan_channel

This is used to capture the channel names

type: long

rsa.wireless.wlan_name

This key captures the WLAN number or name

type: keyword

rsa.storage.disk_volume

A unique name assigned to logical units (volumes) within a physical disk

type: keyword

rsa.storage.lun

Logical Unit Number. This key is a very useful concept in Storage.

type: keyword

rsa.storage.pwwn

This uniquely identifies a port on an HBA.

type: keyword

rsa.physical.org_dst

This is used to capture the destination organization based on the GeoIP Maxmind database.

type: keyword

rsa.physical.org_src

This is used to capture the source organization based on the GeoIP Maxmind database.

type: keyword

rsa.healthcare.patient_fname

This key is for First Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.healthcare.patient_id

This key captures the unique ID for a patient

type: keyword

rsa.healthcare.patient_lname

This key is for Last Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.healthcare.patient_mname

This key is for Middle Names only; it is used predominantly in Healthcare to capture patient information

type: keyword

rsa.endpoint.host_state

This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword

rsa.endpoint.registry_key

This key captures the path to the registry key

type: keyword

rsa.endpoint.registry_value

This key captures values or decorators used within a registry entry

type: keyword

cisco.umbrella

Fields for Cisco Umbrella.

cisco.umbrella.identities

An array of the different identities related to the event.

type: keyword

cisco.umbrella.categories

The security or content categories that the destination matches.

type: keyword

cisco.umbrella.policy_identity_type

The first identity type matched with this request. Available in version 3 and above.

type: keyword

cisco.umbrella.identity_types

The type of identity that made the request. For example, Roaming Computer or Network.

type: keyword

cisco.umbrella.blocked_categories

The categories that resulted in the destination being blocked. Available in version 4 and above.

type: keyword

cisco.umbrella.content_type

The type of web content, typically text/html.

type: keyword

cisco.umbrella.sha_sha256

Hex digest of the response content.

type: keyword

cisco.umbrella.av_detections

The detection name according to the antivirus engine used in file inspection.

type: keyword

cisco.umbrella.puas

A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.

type: keyword

cisco.umbrella.amp_disposition

The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.

type: keyword

cisco.umbrella.amp_malware_name

If Malicious, the name of the malware according to AMP.

type: keyword

cisco.umbrella.amp_score

The score of the malware from AMP. This field is not currently used and will be blank.

type: keyword

cisco.umbrella.datacenter

The name of the Umbrella Data Center that processed the user-generated traffic.

type: keyword

cisco.umbrella.origin_id

The unique identity of the network tunnel.

type: keyword