Encrypt Schema
Note
Schema docs list the fields available for normalization. A schema field is populated in XDR only when the corresponding parser field exists in the original data. Normalized data appears in the Normalized Data tab of an event and is searchable in XDR only for fields that exist in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device MAC address |
| protocol | Encrypt.Protocol | protocol | The cryptographic protocol |
| tls_version | Encrypt.TlsVersion | tlsVersion$ | TLS Version |
| certificate_version | int32 | certificateVersion$ | Certificate version (ex: 3) |
| serial_number | string | serialNumber$ | Certificate Serial number |
| certificate_subject | string | certificateSubject$ | Certificate Subject |
| subject_order | string | subjectOrder$ | Certificate Subject Order (C:ST:L:O:OU:CN:E) |
| certificate_issuer | string | certificateIssuer$ | Certificate Issuer |
| issuer_order | string | issueOrder$ | Certificate Issuer Order (C:ST:L:O:OU:CN:E) |
| subject_common_name | string | subjectCommonName$ | Certificate Subject CommonName (CN) |
| subject_organizational_unit | string | subjectOrganizationalUnit$ | Certificate Subject OrganizationalUnit (OU) |
| subject_organization | string | subjectOrganization$ | Certificate Subject Organization (O) |
| subject_locality | string | subjectLocality$ | Certificate Subject Locality (L) |
| subject_state | string | subjectState$ | Certificate Subject StateOrProvinceName (ST) |
| subject_country | string | subjectCountry$ | Certificate Subject CountryName (C) |
| subject_email | string | subjectEmail$ | Certificate Subject Email Address |
| issuer_common_name | string | issuerCommonName$ | Certificate Issuer CommonName (CN) |
| issuer_organizational_unit | string | issuerOrganizationalUnit$ | Certificate Issuer OrganizationalUnit (OU) |
| issuer_organization | string | issuerOrganization$ | Certificate Issuer Organization (O) |
| issuer_locality | string | issuerLocality$ | Certificate Issuer Locality (L) |
| issuer_state | string | issuerState$ | Certificate Issuer StateOrProvinceName (ST) |
| issuer_country | string | issuerCountry$ | Certificate Issuer CountryName (C) |
| issuer_email | string | issuerEmail$ | Certificate Issuer Email Address |
| valid_from_usec | uint64 | validFromUsec$ | Start of the certificate validity period (notBefore; the certificate is not valid before this time), in microseconds (µs) |
| valid_through_usec | uint64 | validThroughUsec$ | End of the certificate validity period (notAfter; the certificate is not valid after this time), in microseconds (µs) |
| valid_from_string | string | validFromString$ | Start of the certificate validity period (notBefore), as a string in YYYYMMDDHHMMSSZ format |
| valid_through_string | string | validThroughString$ | End of the certificate validity period (notAfter), as a string in YYYYMMDDHHMMSSZ format |
| ja3 | string | ja3$ | JA3 hash |
| ja3s | string | ja3s$ | JA3S hash |
| fingerprint | FileHash | fingerprint$ | Certificate fingerprint |
| sensor_version | string | sensorVersion$ | The agent version, as a string. (Because this field already existed, it is indexed unaligned with the base schema.) |
| source_address | string | sourceAddress$ | IP Address of the source |
| destination_address | string | destinationAddress$ | IP Address of the destination |
| source_port | uint32 | sourcePort$ | Port of the source |
| destination_port | uint32 | destinationPort$ | Port of the destination |
| source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
| destination_ipgeo_summary | GeoSummary | destinationIpgeoSummary$ | The geographic location of the destination IP |
| event_type | string | eventType$ | The event type provided by the data source |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the data source to add context |
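The following is an added example, not Taegis XDR parser code, showing how raw parser fields from the table above can be turned into a normalized Encrypt record and then checked. It assumes the raw event is a dict keyed by the parser-field names, that `subject_order` / `issuer_order` record the attribute types in the order they appear in the DN using the `C:ST:L:O:OU:CN:E` letters (an assumption about the format), that DNs are comma-separated without escaped commas, and that sensors write TLS versions as strings like `TLSv1.2`. The sample record is constructed for the example; the enum numbers mirror the `Encrypt.Protocol` and `Encrypt.TlsVersion` tables below.

```python
"""Normalize raw TLS/certificate parser fields into the Encrypt schema.

Added example, not XDR parser code. Input keys, helper names and the
DN-splitting rules are assumptions made for this example.
"""
from __future__ import annotations

import enum
from datetime import datetime, timezone


class Protocol(enum.IntEnum):          # mirrors Encrypt.Protocol
    UNKNOWN_PROTOCOL, TLS, SSL, SSH = 0, 1, 2, 3


class TlsVersion(enum.IntEnum):        # mirrors Encrypt.TlsVersion
    TLS_UNKNOWN, TLS_10, TLS_11, TLS_12, TLS_13 = 0, 1, 2, 3, 4


# Version strings as they commonly appear in sensor logs (assumed).
_TLS_VERSIONS = {"TLSv1": TlsVersion.TLS_10, "TLSv1.0": TlsVersion.TLS_10,
                 "TLSv1.1": TlsVersion.TLS_11, "TLSv1.2": TlsVersion.TLS_12,
                 "TLSv1.3": TlsVersion.TLS_13}
# RDN attribute type -> letter used in subject_order / issuer_order.
_DN_ATTRS = {"C": "C", "ST": "ST", "L": "L", "O": "O", "OU": "OU",
             "CN": "CN", "E": "E", "EMAILADDRESS": "E"}
# Letter -> suffix of the per-component schema field (subject_*, issuer_*).
_ATTR_TO_FIELD = {"C": "country", "ST": "state", "L": "locality", "O": "organization",
                  "OU": "organizational_unit", "CN": "common_name", "E": "email"}


def parse_dn(dn: str) -> tuple[dict[str, str], str]:
    """Split 'C=US, O=Example, CN=example.com' into {attr: value} and the
    order string 'C:O:CN'. Escaped commas inside values are not handled."""
    attrs: dict[str, str] = {}
    order: list[str] = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        key = _DN_ATTRS.get(key.strip().upper())
        if not sep or key is None:
            continue  # skip malformed parts and attribute types the schema lacks
        attrs[key] = value.strip()
        order.append(key)
    return attrs, ":".join(order)


def validity_string_to_usec(ts: str) -> int:
    """YYYYMMDDHHMMSSZ (UTC) -> microseconds since the Unix epoch."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def normalize(raw: dict) -> dict:
    """Map parser fields to normalized field names. Only fields present in
    the raw data are emitted, matching the searchability note above."""
    rec: dict = {}
    # Enum-typed fields: unrecognized values fall back to the proto3 zero value.
    rec["protocol"] = int(Protocol.__members__.get(str(raw.get("protocol", "")).upper(),
                                                   Protocol.UNKNOWN_PROTOCOL))
    rec["tls_version"] = int(_TLS_VERSIONS.get(raw.get("tlsVersion$", ""), TlsVersion.TLS_UNKNOWN))
    # Plain copies.
    for parser_field, norm in (("serialNumber$", "serial_number"), ("eventTimeUsec$", "event_time_usec"),
                               ("sourceAddress$", "source_address"), ("destinationAddress$", "destination_address"),
                               ("destinationPort$", "destination_port"), ("ja3$", "ja3"), ("ja3s$", "ja3s")):
        if parser_field in raw:
            rec[norm] = raw[parser_field]
    # Subject / issuer: full DN string, component order, and each component.
    for parser_field, prefix in (("certificateSubject$", "subject"), ("certificateIssuer$", "issuer")):
        if parser_field in raw:
            attrs, order = parse_dn(raw[parser_field])
            rec[f"certificate_{prefix}"] = raw[parser_field]
            rec[f"{prefix}_order"] = order
            for attr, value in attrs.items():
                rec[f"{prefix}_{_ATTR_TO_FIELD[attr]}"] = value
    # Validity window: keep the string form and derive the microsecond form.
    for parser_field, norm in (("validFromString$", "valid_from"), ("validThroughString$", "valid_through")):
        if parser_field in raw:
            rec[f"{norm}_string"] = raw[parser_field]
            rec[f"{norm}_usec"] = validity_string_to_usec(raw[parser_field])
    return rec


def certificate_valid_at(rec: dict, when_usec: int | None = None) -> bool:
    """True if the validity window covers when_usec (default: event time).
    A record missing any of the three timestamps is treated as not valid."""
    try:
        when = rec["event_time_usec"] if when_usec is None else when_usec
        return rec["valid_from_usec"] <= when <= rec["valid_through_usec"]
    except KeyError:
        return False


def uses_legacy_crypto(rec: dict) -> bool:
    """Hunting criterion: SSL, or a known TLS version below 1.2."""
    return rec.get("protocol") == Protocol.SSL or 0 < rec.get("tls_version", 0) < TlsVersion.TLS_12


# Constructed sample raw record (not from a real sensor).
SAMPLE_RAW = {
    "protocol": "TLS", "tlsVersion$": "TLSv1.2", "serialNumber$": "0a1b2c3d",
    "certificateSubject$": "C=US, ST=California, L=Mountain View, O=Example Inc, CN=www.example.com",
    "certificateIssuer$": "C=US, O=Example CA, CN=Example Root CA",
    "validFromString$": "20240101000000Z", "validThroughString$": "20250101000000Z",
    "eventTimeUsec$": 1719792000000000,
    "sourceAddress$": "10.0.0.5", "destinationAddress$": "192.0.2.10", "destinationPort$": 443,
}

if __name__ == "__main__":
    rec = normalize(SAMPLE_RAW)
    for key in sorted(rec):
        print(f"{key:28} {rec[key]}")
    print("valid at event time:", certificate_valid_at(rec))
    print("legacy crypto:", uses_legacy_crypto(rec))
```

The validity check compares against `event_time_usec` rather than the current clock, so a certificate that has expired since the event is still judged as it was when observed; `uses_legacy_crypto` deliberately ignores `TLS_UNKNOWN` so that parsers which could not determine the version do not produce false hits.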
Encrypt.Protocol
The cryptographic protocol observed in the event
| Name | Number | Description |
|---|---|---|
| UNKNOWN_PROTOCOL | 0 | internal: unused but required for proto3 |
| TLS | 1 | TLS |
| SSL | 2 | SSL |
| SSH | 3 | SSH |
Encrypt.TlsVersion
| Name | Number | Description |
|---|---|---|
| TLS_UNKNOWN | 0 | internal: unused but required for proto3 |
| TLS_10 | 1 | TLSv1.0 |
| TLS_11 | 2 | TLSv1.1 |
| TLS_12 | 3 | TLSv1.2 |
| TLS_13 | 4 | TLSv1.3 |