Security Data Lake Information Model Schema

alert_definitions_version

2020.14092348

keyword

Version or identification value that indicates the version a collection of signatures (A/V etc.) is in use

alert_category

malware, trojan, ransomeware

keyword

Future: How do we define this field considering vendors will have their own categories? Or is that not a concern? Possibly movie this to derived fields & set only allowed values

alert_indicator

malware.exe, http://badsite

keyword

A filename, URL, packet snippet or other artifact that is related to the event that caused the alert to be generated.

alert_response_level

0, 1, 2

byte

Numeric value representing the type of action taken in response to an alert/threat. 0 = Nothing (allowed, ignored), 1 = prevent (blocked, quarantined), 2 = eradicate (deleted). This allows the use of numeric functions to detect unblocked threats where products may log multiple events for a single threat.

alert_signature

keyword

Vendor-provided Alert text description

alert_signature_id

keyword

Vendor specific unique identifier for alert signature (e.g., 1:1905345:5 for Snort signatures.)

alert_severity

critical, high, medium, low, informational

keyword

Severity of Alert

alert_severity_level

1-5

byte

Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical

application_name

Facebook, SQL, windows_rdp

keyword (normalized:loweronly)

Name of the application, this can be a layer 7 application name for network traffic, the name of an authenticating service/program for authentication, etc.

application_response_time

keyword

Amount of time Applications Take to give response to a request

application_sso_signonmode

keyword

For Single Sign-On (SSO) events this is the method used to access the application

application_sso_target_name

keyword

For SSO events this is the name of the application being accessed

associated_category

keyword

TBD: Not sure if this is useful

associated_hash

6f9efb466e043b9f3635827ce446e13c

keyword

All associated md5, sha1, sha256, sha512, imp hashes from a log message

associated_host

10.1.2.3,corpdc01,corpdc01.corpdomain.local

keyword

FUTURE: copy of any identifying host information - IP, Hostname, etc. from a log message, not implmented yet.

associated_ip

10.1.2.3,fe80:5cc3:11:4::2c

ip

Associated IP addresses for a log message

associated_mac

a0:b4:44:01:a9:d1

keyword

Associated MAC addresses for a log message, colon-delimited and lower case

associated_session_id

0xa72c

keyword

Associated session IDs for a log message

associated_user_id

999,S-1-5-18

keyword

This will be a field that maps to all user ID values (uids, SIDs, etc.) that are associated with a user context. This can/may eventually be populated from the user framework.

associated_user_name

administrator,[email protected]

keyword (normalized:loweronly)

Any associated/alternate user ID or email, can be a set of multiple values.

…_as_number

15169

keyword

Unique number. ASN identify each network on internet

…_as_organization

Bitdefender

keyword

Organization Name

…_as_isp

keyword

ISP associated with IP address

…_as_domain

keyword

Domain associated with IP address

container_id

keyword

Unique container ID

container_name

keyword

Container Name

container_namespace

keyword

Container's Namespace it is running in

destination_application_name

facebook, twitter

keyword

Describes the target application

destination_bytes_sent

203948

long

Network bytes sent by destination to the source. Some sources may present this as source bytes received, bytes received, or similar.

destination_device_model

iPad

keyword

Device Model Name

destination_device_vendor

Apple, ASUS

keyword

Device Vendor Name

destination_domain

corp.local

keyword (normalized:loweronly)

Destination domain context

destination_hostname

corpdc01

keyword (normalized:loweronly)

destination_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

IPv4 and IPv6 addresses

destination_nat_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

translated IP address assigned by a network device performing the NAT function

destination_nat_port

2356

integer

translated network port assigned by a network device performing the NAT function

destination_os_name

IOS, Android

keyword

Operating System Name

destination_os_version

IOS 10.0

keyword

Version number of Operating System

destination_packets_sent

73458324

long

Number of packets delivered to the destination endpoint

destination_port

80, 443

integer

Service port associated with a network connection port, 0-65535

destination_port_iana_name

ssh, ftp

keyword

The IANA-registered service name associated with the network application. Illuminate Core will use this value to define destination_port in events that have destination_ip defined, if destination_port is not already defined

destination_region

us-east-1

keyword

Name of region source device is located in

destination_id

09VX93DD

keyword

Identifying value for the destination such as a serial number

destination_type

keyword

Destination device information such as model number

destination_vm_name

keyword

Virtual system name (not to be confused with the hostname)

destination_vsys_uuid

1f5398c7-4d84-4499-84ee-d5e9246c52f8

keyword

Destination virtual system UUID

destination_zone

internal

keyword

Network zone for the destination

destination_as_*

See: as_* fields

destination_category

keyword

Future: from entity mapping

destination_geo_*

See: geo_* fields

destination_location_name

Chicago, US, Datacenter 01, Bismark - Finance

keyword

Field is derived either from an internal enterprise network definition or the Geo location fields if availble

destination_mac

a0:b4:44:01:a9:d1

keyword

MAC address of host, colon-delimited and lower case

destination_priority

critical, high, medium, low

keyword

Future: from entity mapping

destination_priority_level

4-Jan

byte

Numeric value representing the priority of the destination device, 1 = low, 2 = medium, 3 = high, 4 = critical

destination_reference

IPv4, IPv6, hostname,fqdn

keyword (normalized:loweronly)

Automatically mapped from the following fields: destination_ip, destination_hostname, destination_target, destination_vm_name, desination_mac

email_attachment_file_name

attachment.exe

array

The file name(s) of an attachment.

email_attachment_file_size

1024

long

The size in bytes of the attachments.

email_bcc

[email protected]

keyword

The email address of BCC recipient/destination.

email_cc

[email protected]

keyword

The email address of CC recipient/destination.

email_delivered_to

[email protected]

keyword

The Delivered-To email header field.

email_direction

inbound, outbound, lateral

keyword

Indicates the direction of the observed email flow. Must be either inbound, outbound or lateral, this should be mapped to these values if vendors provide network direction differently.

email_from

[email protected]

keyword

Per RFC 5322, specifies the address responsible for the actual transmission/sender of the message.

email_message_id

<[email protected]>

keyword

The globally-unique message identifier.

email_raw_header

keyword

The email authentication header.

email_reply_to

[email protected]

keyword

The address that replies should be delivered to based on the value in the RFC 5322 Reply-To: header.

email_size

234

long

The size of an email in bytes.

email_subject

RE: FWD: Testing

keyword

The email subject.

email_to

[email protected]

keyword

The email address of recipient/destination.

email_uid

123456789A

keyword

The email unique identifier internally used by an email software to track a message.

email_x_originating_ip

192.168.2.3

array

The X-Originating-IP header identifying the email's originating IP address(es).

email_xmailer

spambot

keyword

Tool that created and sent the email.

event_action

blocked, allowed, scan_start, scan_end, scan_pause, scan_cancel, scan_resume

keyword

Action that was described in a log such as a firewall log or an antivirus agent log

event_code

4624, 1

long

Numeric event defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft. This field is treated as a numeric value in order to support ranged queries. Any leading 0 values will be removed

event_created

2020-02-20 08:23:15.102, 1602080607

date

Date/time that the event actually occured or when the original event message was created

event_duration

10293874

long

Length of time, in seconds, for the event being described

event_end

2021-03-26T11:25:13.113

date

Date/time that event described in the log message had concluded, usually associated with an event that has a duration.

event_error_code

0xC00008

keyword

Vendor-provided error code associated with the current message

event_error_description

ERROR_ACCESS_DENIED, Not Found

keyword

Description of error associated with the current message

event_id

0023425, 90EF8

keyword

Vendor-provided identifier representing a message type. This is similar to event_code but is instead mapped as a lateral string value. Ranged searches are not supported but the ID values will not be modified in any way.

event_log_name

security, auth.log

keyword

Reference to log, such as 'Security', 'auth.log', etc. - this differs from vendor_subtype as it refers more to the original source the log was collected from.

event_log_path

/var/log/syslog

keyword

Full path of log file source

event_observer_hostname

SERVER01.server01.corp.internal

keyword/loweronly

Hostname or FQDN of a system such as an IDS or IPS that generates an message (such as an alert) based on inspection of a thing, such as network traffic.

event_observer_id

234cd78sc

keyword

Unique ID of the Observer Device, Serial Number, etc

event_observer_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

IP address of the event observer

event_observer_uid

keyword

Unique identifier (such as a serial number or asset ID) associated with the event observer

event_received_time

2020-02-20 08:00:00, 1602080607

date

Date/time that the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server.

event_repeat_count

5, 3, 9185

long

Count of times a message has been repeated

event_reporter

SERVER01.server01.corp.internal

keyword

Hostname or IP for system that delivered the message to Security Data Lake - a WEC server, syslog collector, etc.

event_source

LAPTOP01,laptop01.corp.internal

keyword

Hostname or IP of source system that generated the event

event_source_api_version

keyword

API version of source where logs are collected via API

event_source_product

windows, linux, okta

keyword

System responsible for generating the event, e.g. “windows,” “okta,” etc.

event_start

2020-02-20 08:00:00, 1602080607

date

Beginning time of an event described in a log message, usually associated with an event that has a duration.

event_uid

1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16

keyword

Unique identification associated with a single event/message (e.g. “record number” from Windows event logs, a Security Data Lake message ID)

event_outcome

success, failure

keyword

The outcome (success/failure) of the action described by event_action.

event_severity

critical, high, medium, low, informational

keyword

This will be added by Illuminate Core if only the event_severity_level is defined. This can be mapped from vendor severity levels that do not use the same severity definitions.

event_severity_level

1-5

byte

Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical. This will be added by Illuminate core when only event_severity is defined.

file_company

Microsoft

keyword

Company name associated with a file taken from the file metadata

file_compile_time

date

Compiled date/time that a binary file was compiled

file_contents

keyword

Contents of a file

file_description

WMI

keyword

Description of file

file_is_executable

true, false

boolean

Flag indicating if file is executable

file_is_signed

1

boolean

Flag indicating if file has been digitally signed

file_name

file.zip, file.exe, file

keyword

File name, not including path

file_path

C:\\temp\\file.exe

keyword

Full path and file name

file_product

keyword

Product name the file was shipped with

file_product_version

keyword

Product version the file was shipped with

file_signature_status

valid

keyword

Status of file signature

file_signed_by

Microsoft Windows

keyword

Title of file signer

file_size

23894713

long

File size in bytes

file_type

gzip compressed data, application/pdf

keyword

Description of file contents

file_version

10.0.14393.4169 (rs1_release.210107-1130)

keyword

Version of file

…_geo_city

Hamburg, Houston

keyword

City Name

…_geo_continent

America

keyword

Continent Name

…_geo_country_iso

US, DE, CA

keyword

Country ISO Alpha-2 code

…_geo_country

USA, Canada

keyword

Country Name

…_geo_coordinates

34.1186,-118.3004

keyword

Latitude, Longitude Coordinate

…_geo_name

Hamburg, DE

keyword

Location Name, can be derived by combining other values

…_geo_state

Hamburg

keyword

State name

gim_event_type_code

100000

long

This field is assigned during the normalization process. Based on this field messages will have category, subcategory, and type fields applied.

gim_event_category

process, audit, authentication

keyword

The category the associated log message falls under. Message categories are groupings of related messages that often have common fields.

gim_event_class

endpoint, protocol

keyword

This is an optional field that is used for related categories. For example, the process and service categories are part of the Endpoint gim_event_class, among others.

gim_event_type

network connection

keyword

A description of the event described in the associated log message.

gim_event_subcategory

credential validation, process

keyword

A secondary grouping of events under a category where individual events share many common characteristics.

hash_md5

4c583e00d47108f809282d5d595f5fb0

keyword

MD5 hash value

hash_sha1

5d4d04eff6aba8467ebd26c43008ab028203be35

keyword

SHA1 hash value

hash_sha256

keyword

SHA256 hash value

hash_sha512

keyword

SHA512 hash value

hash_imphash

0c2803c4e9a2102c4dc65963dad36cdf

keyword

IMP hash value

host_device

\\Device\\HarddiskVolume2

keyword

Identifier for a device (drive network adapter) connected to a system

host_hostname

corpdc01, corpdc01.local, lab01.corpdomain.com

keyword (normalized:loweronly)

NetBIOS or dns hostname

host_id

keyword

Host unique identifier (e.g. SID for Microsoft)

host_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

IPv4 and IPv6 addresses

host_ipv6

fe80:5cc3:11:4::2c

ip

IPv6 addresses

host_mac

02:a1:f9:c2:d5:04

keyword

MAC address of host, colon-delimited and lower case

host_reference

127.0.0.1, corpdc01, corpdc01.local, lab01.corpdomain.com

keyword (normalized:loweronly)

Mapped from host_ip or host_hostname in that order - allows a common field to reference for messages that do not provide both (note: CIDR search will not work against this field)

host_region

us-east-1

keyword

Name of region source device is located in

host_type_version

keyword

Operating sytem version of host

host_virtfw_hostname

keyword/loweronly

For firewalls that operate as partitioned services this is the name of the logical device

host_virtfw_id

keyword

For firewalls that operate as partitioned services this is the ID value of the logical device

host_virtfw_uid

keyword

Unique identifier such as a UUID value representing a virtual host

host_vm_name

keyword

Virtual system name (not to be confused with the hostname)

host_as_*

See: as_* fields

host_category

keyword

Future: from entity mapping

host_geo_*

See: geo_* fields

host_location_name

Chicago, US, Datacenter 01, Bismark - Finance

keyword

Field is derived either from an internal enterprise network definition or the Geo location fields if available

host_priority

critical, high, medium, low

keyword

Future: from entity mapping

host_priority_level

2

byte

Numeric value representing the priority of the host device, 1 = low, 2 = medium, 3 = high, 4 = critical

host_reference

IPv4,IPv6, hostname,fqdn

keyword (normalized:loweronly)

Automatically mapped from the following fields: host_ip, host_hostname, host_vm_name, host_mac

host_type

keyword

Machine “type”

http_application

facebook

keyword

Layer 7 application name

http_bytes

29347485

Long

Sum of request + response bytes

http_content_type

application/octet-stream

keyword

Mime type of http content

http_headers

keyword

Full list of http headers

http_host

Host: wwww.mycorp.local

keyword

host: … header from request, if present

http_referrer

http://mycorp.local/

keyword

“referer” header value if present

http_request_bytes

239478

long

Size of request

http_request_method

GET, POST

keyword

HTTP request method

http_request_path

/path/to/resource?option=test

keyword

Need to review field length/truncation at 8192 characters (consider utf-8). Some may consider the path not to include the “query” (text after the last “/”), but this value may include it.

http_response_bytes

498274

long

Size of response

http_response

OK, Moved Permanently

keyword

Text response mapped from the response code

http_response_code

200, 404, 500

integer

Numeric server response code

http_uri

https://www.graylog.org, https://www.graylog.org/blog, https://www.mycorp.local/workspaces/team#posts

keyword

Full request string; Need to review field length/truncation at 8192 characters (consider utf-8)

http_uri_category

Suspicious, Games

keyword

Categorization of associated web site/URL

http_uri_stem

Default.htm

keyword

The target of the request. For Example: http://www.test.com/test.jsp?hello=y the URI stem is /test.jsp

http_uri_query

hello=y

keyword

The query the client was trying to perform. Example http://www.test.com/test.jsp?hello=y the query is hello=y

http_user_agent

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0)

keyword

User Agent string

http_user_agent_name

Firefox

keyword

Attempted identification of the browser client usually based on user agent analysis

http_user_agent_os

Windows 10

keyword

Operating System of User Agent

http_version

1.0, 1.1, 2.0

keyword

HTTP version

http_xff

X-Forwarded-For: 10.1.2.3

keyword

HTTP x-forwarded-for header value. Future: May map as IP, need to account for different ways this is presented.

http_request_path_analyzed

** TBD

Need to review best analyzer configuration for HTTP paths / consider truncation

http_uri_analyzed

ftp://ftp01.server.internal/file.tar.gz, https://www.graylog.org, https://www.graylog.org/blog

text/standard

Optionally copied when a URL must be tokenized. Future: will have to research best analyzer config / consider truncation

http_uri_length

9283

long

String length of HTTP user agent

http_user_agent_analyzed

text/standard

This is a copy of the http_user_agent field but processed with text analysis

http_user_agent_length

54

long

String length of original user agent

network_application

facebook, instagram

keyword/loweronly

Application name - Facebook, etc.

network_bytes

71238

long

Bytes transferred during a connection, may be calculated by summing bytes sent/received (source_bytes_sent/destination_bytes_sent) - some vendors may report this as packet_length

network_bytes_rx

DEPRECATED - use destination_bytes_sent

Deprecated field reference

network_bytes_tx

DEPRECATED - use source_bytes_sent

Deprecated field reference

network_community_id

keyword

See: https://github.com/corelight/community-id-spec

network_connection_duration

0:23:45

keyword

Duration of time a network connection was established

network_connection_uid

CMdzit1AMNsmfAIiQc

keyword

Unique identifier value for a network connection

network_data_bytes

71238

long

Total bytes of the data payload

network_direction

inbound, outbound, lateral

keyword

Indicates the direction of the observed network flow. Must be either inbound or outbound, this should be mapped to these values if vendors provide network direction differently.

network_forwarded_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

Forwarded IP addresses associated with network events

network_header_bytes

71238

long

Total bytes of packet header information

network_iana_number

6, 17, 41

integer

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

network_icmp_type

echo, time exceeded

keyword

https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

network_inner

TBD

Nested or encapsulated network data

network_interface_in

gi0/1

keyword/loweronly

Name of interface traffic receiving traffic

network_interface_out

gi0/1

keyword/loweronly

Name of interface traffic sending traffic

network_ip_version

4, 6

keyword

IPv4 or IPv6

network_name

TBD

Logical or descriptive name for network context

network_packets

71238

long

Count of packets transferred during a connection, may be calculated by summing packets sent/received (source_packets_sent/destination_packets_sent)

network_packets_rx

DEPRECATED - use destination_packets_sent

Deprecated field reference

network_packets_tx

DEPRECATED - use source_packets_sent

Deprecated field reference

network_protocol

ipv4, ipv6, icmp

keyword/loweronly

Protocol names, preferrably from the Keyword column in https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

network_transport

udp, tcp

keyword/loweronly

transport layer protocol of packet/connection

network_tunnel_type

gre, ipsec

keyword/loweronly

tunnel type

network_tunnel_duration

2093847

long

time in seconds for tunnel duration

network_type

TBD - maybe not needed since network_protocol

Optional field for specifying custom network type

policy_id

6da61e4c-84a8-4136-900d-f86c09bb3774

keyword

Unique identifier of a policy

policy_uid

keyword

policy_name

admin-user-template

keyword

Name of a policy

privilege_assigned_category

elevated_privilege

keyword

Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_id field indicates the privilege provides access to perform sensitive tasks on a system.

privilege_assigned_id

ffd52fa5-98dc-465c-991d-fc073eb59f8f

keyword

Identification of the privilege attribute or role, this is the field used by compliance content.

privilege_assigned_name

SeDebugPrivilege

keyword

A short descriptive name of the privilege, not all systems will generate this.

privilege_category

built_in

keyword

Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_id field indicates the privilege provides access to perform sensitive tasks on a system.

privilege_id

c430b396-e693-46cc-96f3-db01bf8bb62a

keyword

Identification of the privilege attribute or role, this is the field used by compliance content.

privilege_name

Attack Simulation Administrator

keyword

A short descriptive name of the privilege, not all systems will generate this.

privilege_removed_category

built_in

keyword

Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_id field indicates the privilege provides access to perform sensitive tasks on a system.

privilege_removed_id

c430b396-e693-46cc-96f3-db01bf8bb62a

keyword

Identification of the privilege attribute or role, this is the field used by compliance content.

privilege_removed_name

SeLoadDriverPrivilege

keyword

A short descriptive name of the privilege, not all systems will generate this.

process_description

WMI Commandline Utility

keyword

Description of executed process

process_command_line

c:\\tmp\\runme.exe, /tmp/runme

keyword/loweronly

Full command line of executed process

process_command_line_length

29347

long

Length of process_command_line

process_id

2045,0x3e7

keyword/loweronly

Process identifier associated with executed process

process_integrity_level

medium, high, trusted

keyword

Integrity level of executed process

process_parent_command_line

c:\\tmp\\runme.exe, /tmp/runme

keyword/loweronly

Full command line of parent process

process_parent_id

2045,0x3e7

keyword/loweronly

Process identifier associated with parent process

process_parent_name

whoami, whoami.exe

keyword/loweronly

File name of parent process, excluding path

process_parent_path

C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami

keyword/loweronly

Full path of parent process

process_parent_uid

{73123815-5caa-4e39-90dc-d25d4013bf15}

keyword

GUID or unique identifier for parent process that is not the process_id

process_name

whoami, whoami.exe

keyword/loweronly

File name of executed process, excluding path

process_path

C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami

keyword/loweronly

Full path of executed process

process_target_id

2045,0x3e7

keyword

The process ID of the targeted process of some action that was taken against that process

process_target_name

whoami, whoami.exe

keyword

The name of the targeted process of some action that was taken against that process

process_target_path

C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami

keyword

The full path and name of the targeted process of some action that was taken against that process

process_target_uid

{73123815-5caa-4e39-90dc-d25d4013bf15}

keyword

The process unique identifier of the targeted process of some action that was taken against that running process

process_uid

{73123815-5caa-4e39-90dc-d25d4013bf15}

keyword

GUID or unique identifier for executed process that is not the process_id

process_working_directory

C:\\Windows\\Temp

keyword

The current working directory that the process was called from

query_class

IN

keyword

Class of name query, usually IN for DNS

query_record_type

A, AAAA, MX, SRV

keyword

Record type being requested

query_record_type_code

1, 3, 5

keyword

IANA assigned code for record type being requested

query_request

www.graylog.org

keyword

Name being resolved in DNS request

query_request_length

25

Long

Length of name resolution request

query_response

keyword

Name resolution answer

query_response_length

25

Long

Length of name resolution response

query_result

NXDOMAIN, NOERROR

keyword

Status of name resolution request

query_result_code

0, 3

keyword

IANA assigned DNS RCODE

rule_id

6da61e4c-84a8-4136-900d-f86c09bb3774

keyword

Unique identifier of a rule

rule_name

admin-user-template

keyword

Name of a Rule (ex. Outbound Web Traffic)

service_name

graylog-server.service, sshd, graylog-sidecar

keyword

Name of service

service_version

1.0.1054

keyword

Version Number of service or underlying application

service_state

running, started, stopped

keyword

State of service

session_id

Keyword

Vendor-provided unique identifier. This can be a random alphanumeric string, a hex value, a GUID value, etc.

source_bytes_sent

29834710

long

Network bytes sent by source, some sources may present this as source bytes tx, bytes tx or something similar.

source_device_model

iPad

keyword

Device Model Name

source_device_vendor

Apple, ASUS

keyword

Device Vendor Name

source_hostname

corpdc01, corpdc01.local, lab01.corpdomain.com

keyword (normalized:loweronly)

NetBIOS or dns hostname, converted to lowercase

source_id

09VX93DD

keyword

Identifying value for the source such as a serial number

source_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

IPv4 and IPv6 addresses

source_ipv6

fe80:5cc3:11:4::2c

ip

Only IPv6 addresses

source_nat_ip

10.1.2.3, fe80:5cc3:11:4::2c

ip

translated IP address assigned by a network device performing the NAT function

source_nat_port

2384

integer

translated network port assigned by a network device performing the NAT function

source_os_name

IOS, Android

keyword

Operating System Name

source_os_version

IOS 10.0

keyword

Version number of Operating System

source_packets_sent

23094823

long

Count of packets sent by source

source_port

45392

integer

numeric port, 0-65535

source_port_iana_name

ssh, ftp

keyword

The IANA-registered service name associated with the network application. Illuminate Core will use this value to define source_port in events that have source_ip defined if source_port is not already defined.

source_region

us-east-1

keyword

Name of region source device is located in

source_type

keyword

Source device information such as model number

source_vm_name

keyword

Virtual system name (not to be confused with the hostname)

source_vsys_uuid

keyword

source_zone

keyword

source_as_*

See: as_* fields

source_category

keyword

Future: from entity mapping

source_geo_*

See: geo_* fields

source_location_name

Chicago, US, Datacenter 01, Bismark - Finance

keyword

Field is derived either from an internal enterprise network definition or the Geo location fields if availble

source_mac

a0:b4:44:01:a9:d1

keyword

MAC address of host, colon-delimited and lower case

source_priority

critical, high, medium, low

keyword

Future: from entity mapping

source_priority_level

4-Jan

byte

Numeric value representing the priority of the source device, 1 = low, 2 = medium, 3 = high, 4 = critical

source_reference

IPv4,IPv6, hostname,fqdn

keyword (normalized:loweronly)

Automatically mapped from the following fields: source_ip, source_hostname, source_vm_name, source_mac

threat_category

malware

trojan

Keyword

threat_detected

true, false

Keyword

Is a threat detected

trace_id

Keyword

Unique ID of multiple events belonging together

trace_call

Keyword

Stack trace related to process call

user_command

keyword

user_command_path

keyword

user_domain

mycorp.internal

keyword

AD or LDAP domain

user_email

[email protected]

keyword

user_id

keyword

Mapped to SID or UID, etc.

user_name

keyword (normalized:loweronly)

user_session_id

0x534, 1055

keyword

User logon session identifier

user_category

vip, default account, finance, help desk

keyword

Future: From entity mapping

user_name_mapped

Built in\Administrators

keyword (normalized:loweronly)

When a user identity or identities is mapped from a source outside of the message itself it is written to this field. This is where Windows well-known SIDs are resolved.

user_priority

critical, high, medium, low

keyword

Future: From entity mapping

user_priority_level

4-Jan

byte

Numeric value representing the priority of the user account, 1 = low, 2 = medium, 3 = high, 4 = critical

user_type

user, computer, well-known sid, group, {any vendor-provided value}

keyword

Experimental field ** This is still being researched - need to look at what winlogbeats/nxlog may provide in terms of SID resolution in different configurations, and consider different technologies use of “types”

vendor_alert_severity

critical, high, medium, low

keyword

When the message is an alert this is the vendor-provided text description of the alert severity

vendor_alert_severity_level

4, 3, 2, 1

integer

When the message is an alert this is the vendor-provided numeric value for the alert severity

vendor_authentication_provider

Active Directory

keyword

Vendor defined action - Quick description of the service providing credential validation

vendor_credential_type

password, token

keyword

Vendor-defined credential type

vendor_event_action

allow, deny, pass, fail

keyword

Vendor defined action - this should be a short, typically one-word, description of what action the event is describing. The value is to be used verbatim, including case, from the source log.

vendor_event_category

Removable Media, Registry, File System

keyword

Vendor defined category of an event

vendor_event_description

keyword

Vendor defined description of the action with more detail than is included in vendor_event_action

vendor_event_outcome

block, drop, report, allow, reject

keyword

Vendor-defined result of the action defined in the message

vendor_event_outcome_reason

keyword

Vendor-provided text detailing the reason for the vendor-provided action and/or outcome the message is describing

vendor_event_severity

critical, high, medium, low, informational

keyword

Vendor-defined text description of the severity rating

vendor_event_severity_level

0, 1, 5, 10

integer

Vendor-defined numeric severity rating for this event

vendor_private_ip

ip

vendor_private_ipv6

ip

vendor_public_ip

ip

vendor_public_ipv6

ip

vendor_signin_protocol

keyword

vendor_subtype

ids, dnsmasq, kernel, threat

keyword

Vendor-defined subtype of log - this differs from event_log_name as it refers more to the subject or category of log message.

vendor_threat_suspected

keyword

vendor_transaction_id

keyword

vendor_transaction_type

keyword

vendor_user_type

keyword