NIDS Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, the corresponding field defined in the parser must exist in the original data. Normalized data appears in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record; specific to the CTPX ID |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| generator_id | uint32 | generatorId$ | The generator_id that created the event (snort based NIDS) |
| signature_id | uint32 | signatureId$ | The rule ID used to create the event |
| signature_revision | uint32 | signatureRevision$ | The version of the rule |
| policy_id | uint32 | policyId$ | The policy ID (snort based NIDS) |
| message | string | message$ | Title of the event |
| classification | string | classification$ | event classification from classifications.conf (snort based NIDS) |
| priority | uint32 | priority$ | Priority placed on the event by the normalizer (based on the vendor's scale), where 1 is the highest priority and 5 is the lowest. |
| action | string | action$ | How the packet was handled. Possibly DROP, SDROP, REJECT, ALERT, FW_TRUSTED, ... |
| impact_flag | uint32 | impactFlag$ | Supersedes action |
| blocked | uint32 | blocked$ | 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked |
| vlan | uint32 | vlan$ | The extracted vlan id from the vlan header in the alerting packet |
| mpls_label | uint32 | mplsLabel$ | The extracted mpls label from the mpls header in the alerting packet |
| snort_sensor_id | uint32 | snortSensorId$ | ID of the alerting device |
| event_id | uint32 | eventId$ | ID of the event assigned by the sensor |
| event_ref | uint32 | eventRef$ | Reference to another event_id being part of the conversation |
| source_address | string | sourceAddress$ | IP source address |
| destination_address | string | destinationAddress$ | IP destination address |
| source_port | uint32 | sourcePort$ | TCP/UDP source port when protocol == 6 |
| icmp_type | uint32 | icmpType$ | Type of ICMP event when protocol == 1 |
| destination_port | uint32 | destinationPort$ | TCP/UDP destination port when protocol == 6 |
| icmp_code | uint32 | icmpCode$ | ICMP code when protocol == 99 |
| protocol | uint32 | protocol$ | IP protocol number |
| ttl | uint32 | ttl$ | IP packet time-to-live |
| tos | string | tos$ | IP packet type-of-service flags |
| packet_id | uint32 | packetId$ | IP packet identifier |
| ip_len | uint32 | ipLen$ | Length of the alerting packet's IP header |
| dgm_len | uint32 | dgmLen$ | Packet datagram length for UDP packets |
| flags | string | flags$ | TCP flags as a tcpdump-style format string |
| sequence | string | sequence$ | TCP sequence of alerting packet |
| ack | string | ack$ | The TCP ACK |
| window | string | window$ | The size of the receive window |
| tcp_len | uint32 | tcpLen$ | Size of the TCP packet |
| tcp_options | string | tcpOptions$ | String formatted TCP options |
| pcap | bytes | bytes$ | All packets associated with the alert. Base64-encoded and suitable for use (after decoding) with tcpdump, Wireshark, et al. |
| pcapref | string | pcapref$ | When the pcap field is not present, a text string explaining how to obtain the pcap. Example: "REST QUERY <IP> with <PATH> having <arguments>" |
| source_username | string | sourceUsername$ | The username associated with the source. |
| destination_username | string | destinationUsername$ | The username associated with the destination. |
| application_name | string | applicationName$ | Application detected by Deep Packet Inspection engine. |
| is_custom_alert | NullableBoolean | isCustomAlert$ | True when the detection reflects customer or tenant logic: wholly custom rules or indicators, or vendor-supplied templates, content packs, or building blocks that the tenant instantiated or materially configured (for example policies, named rule instances, thresholds, or scope). False when the alert is produced solely by vendor-default, uniformly deployed detection without meaningful per-tenant logic. Unknown when provenance cannot be determined from the source. |
| direction | Nids.Direction | direction$ | Direction of the network traffic between the source and destination from the perspective of the sensor. |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the appliance to add context, such as the URL/filename triggered on, BETTER schema information, etc. |
| countermeasure_author | Nids.author | countermeasureAuthor$ | countermeasure_author tells you who might have authored the countermeasure behind the event captured in the NIDS alert. |
| log_type | string | logType$ | Vendor provided definition of the log type |
| src_ipblacklists | repeated string | srcIpblacklists$ | Provides the names of blacklists matched by the source |
| dest_ipblacklists | repeated string | destIpblacklists$ | Provides the names of blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| threat_intelligence_indicators | repeated Nids.ThreatIntelligenceIndicators | threatIntelligenceIndicators$ | Details related to threat intelligence indicators (category, last observed date, source, source URL, type, etc.) |
Note
When is_custom_alert is true:
- Detection severity is not altered.
- The detections produced by these events bypass the MDR service queue and are delivered directly to the tenant as custom detections for self-service, because they fall outside the Taegis MDR service scope.
Nids.ThreatIntelligenceIndicators
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| type | string | type$ | Type of TI, e.g. IP address, Email address, url, hash, malware etc |
| value | string | value$ | Raw value of the TI indicator, e.g. 1.1.1.1 or FAKEURL.COM |
| category | string | category$ | Category of the TI like C&C, Keylogger, backdoor, etc |
| last_observation_time_usec | uint64 | lastObservationTimeUsec$ | Timestamp of when the TI was last curated. |
| source | string | source$ | Human-readable source of the TI data, e.g. "Microsoft TIC" |
| source_url | string | sourceUrl$ | URL that provides information about the TI |
| family | string | family$ | Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.). |
Nids.VendorExtraContextEntry
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | |
| value | string | value$ | |
Nids.Direction
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | unused but required for proto3 |
| INBOUND | 1 | Used when the flow is to/from the security control itself. Receive |
| OUTBOUND | 2 | Send |
| CLIENT_TO_SERVER | 3 | Used when the flow is observed by a security control inspecting traffic from point A to point B. The security control is not a part of the conversation, just an observer; it only knows who is the initiator (client) of the connection and who is the receiver (server). |
| SERVER_TO_CLIENT | 4 | |
Nids.author
| Name | Number | Description |
|---|---|---|
| DEFAULT_ORIGIN | 0 | unused but required for proto3 |
| VENDOR_OF_SENSOR | 1 | Whoever manufactured the sensor_type is the author of this NIDS countermeasure. |
| SCWX_CTU | 2 | Denotes that the NIDS countermeasure is from the Secureworks Counter Threat Unit. |
| EMERGING_THREATS | 3 | Denotes a countermeasure from https://rules.emergingthreats.net/. |
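The following is an added example, not part of the schema documentation or of any Taegis parser: it maps a constructed Snort fast-format alert line onto the normalized field names above and then checks the protocol-conditional rules the table states (ports only for TCP/UDP, icmp_type/icmp_code for ICMP, blocked in 1..3, priority 1..5). The regex, the sample line, the alert-only `blocked = 1` and `countermeasure_author = 1` (VENDOR_OF_SENSOR) choices are assumptions for illustration; protocol numbers are the IANA values (ICMP=1, TCP=6, UDP=17).

```python
import re
# Constructed Snort "alert_fast" line (sample input, not real sensor data).
SAMPLE_TCP = (
    "01/15-10:23:45.123456  [**] [1:1000001:3] LOCAL Example policy violation [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:44321 -> 198.51.100.5:445"
)
FAST_RE = re.compile(  # IPv4 addresses only (simplifying assumption)
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^:\s]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[^:\s]+)(?::(?P<dport>\d+))?"
)
IP_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}  # IANA protocol numbers

def normalize_fast_alert(line):
    """Map one fast-format alert onto the normalized NIDS field names."""
    m = FAST_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line")
    proto = IP_PROTO[m["proto"]]
    rec = {
        "original_data": line,                 # unadulterated source line
        "generator_id": int(m["gid"]), "signature_id": int(m["sid"]),
        "signature_revision": int(m["rev"]), "message": m["msg"],
        "classification": m["cls"], "priority": int(m["prio"]),
        "protocol": proto, "source_address": m["src"],
        "destination_address": m["dst"], "action": "ALERT",
        "blocked": 1,                          # 1 = NotBlocked (alert-only sensor)
        "countermeasure_author": 1,            # Nids.author VENDOR_OF_SENSOR
    }
    # Ports are meaningful only for TCP/UDP; ICMP events carry type/code instead.
    if proto in (6, 17):
        rec["source_port"] = int(m["sport"])
        rec["destination_port"] = int(m["dport"])
    return rec

def check_record(rec):
    """Return schema-consistency problems (empty list means the record is consistent)."""
    problems = []
    has_ports = "source_port" in rec or "destination_port" in rec
    if rec["protocol"] in (6, 17) and not has_ports:
        problems.append("TCP/UDP event without source_port/destination_port")
    if rec["protocol"] == 1 and has_ports:
        problems.append("ICMP event should carry icmp_type/icmp_code, not ports")
    if rec.get("blocked") not in (1, 2, 3):
        problems.append("blocked must be 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked")
    if not 1 <= rec.get("priority", 0) <= 5:
        problems.append("priority must be 1 (highest) .. 5 (lowest)")
    return problems
```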