DNS Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this event, specific to CTPX IDs |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| source_address | string | sourceAddress$ | Origin of the DNS query. Not set by all agents (internal: not present in Redcloak agent events) |
| destination_address | string | destinationAddress$ | Address of the DNS server. Not set by all agents (internal: not present in Redcloak agent events) |
| query_name | string | queryName$ | Domain name of the host, or the string queried, for the given query_type |
| query_type | int32 | queryType$ | Numeric DNS record type of the QUERY as defined by RFC 1035 et al. |
| query_class | int32 | queryClass$ | DNS record class |
| responses | DNSQuery.Responses | responses$ | A list of REPLIES in response to the QUERY |
| index_of_top_private_domain | sint32 | indexOfTopPrivateDomain$ | The character index in query_name where the top private domain starts. For www.microsoft.com, this will be 4. For www.store.example.co.uk this will be 10. A negative value indicates that the top private domain could not be determined. |
| is_top_private_domain_parsed | bool | isTopPrivateDomainParsed$ | True if the parser was run to find the top private domain. If false, disregard index_of_top_private_domain. |
| response_code | int32 | responseCode$ | The RCODE, if present in the original_data, as defined by RFC 6895 et al. |
| src_ipblacklists | repeated string | | Provides the names of blacklists matched by the source |
| dest_ipblacklists | repeated string | | Provides the names of blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | | The geographic location of the destination IP |
| whois_record | whois.WhoisSimple | | Internet resource info of the source, including IP registration |
| processCorrelationID | ProcessCorrelationID | | Process ID of the process creating this DNS lookup |
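As an added example (not part of this schema documentation or the XDR parser), the following Python derives index_of_top_private_domain and is_top_private_domain_parsed for a query_name the way the field description defines them; it assumes a small constructed subset of the Public Suffix List in place of the full list, and returns -1 in the cases the schema marks with a negative value.

```python
# Constructed subset of the Public Suffix List (assumption for this example;
# a real normalizer would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "ac.uk", "io"}


def top_private_domain_index(query_name: str) -> int:
    """Character index in query_name where the top private domain starts.

    The top private domain is the public suffix plus one label
    (www.microsoft.com -> microsoft.com, index 4). Returns -1 when the
    suffix is unknown or the name is itself a public suffix, mirroring
    the negative value documented for index_of_top_private_domain.
    """
    name = query_name.rstrip(".").lower()  # FQDN dot and case do not affect the index
    if not name:
        return -1
    labels = name.split(".")
    # Walk from the whole name downward so the longest matching suffix wins.
    suffix_len = 0
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_len = len(labels) - i
            break
    if suffix_len == 0 or suffix_len >= len(labels):
        # Unknown TLD, or no private label in front of the public suffix.
        return -1
    top_private = ".".join(labels[-(suffix_len + 1):])
    return len(name) - len(top_private)


def normalize_top_private_domain(query_name: str) -> dict:
    """Produce the two schema fields as a parser would populate them.

    is_top_private_domain_parsed is True because the parser was run; the
    consumer must still check for a negative index before using it.
    """
    return {
        "index_of_top_private_domain": top_private_domain_index(query_name),
        "is_top_private_domain_parsed": True,
    }
```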
DNSQuery.ResponseRecord
Type of REPLY in response to the QUERY
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| response_type | int32 | responseType$ | |
| response_data | string | responseData$ | |
DNSQuery.Responses
A list of REPLIES in response to the QUERY
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| records | repeated DNSQuery.ResponseRecord | records$ | |