| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId | Full resource string identifying the record. |
| tenant_id | string | tenantId | ID of the tenant that owns this record (the CTPX tenant ID). |
| visibility | Visibility | visibility | Constraints on the visibility of the record. |
| normalizer | string | normalizer | Name and version of the normalizer that created this record. |
| sensor_type | string | sensorType | Type of device that generated this event. Ex: redcloak, iSensor. |
| sensor_event_id | string | sensorEventId | Event ID of original_data, as assigned by the sensor. |
| sensor_tenant | string | sensorTenant | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id. |
| sensor_id | string | sensorId | An ID for the data, supplied by the application that originated it. Ex: redcloak-agent-id, iSensor device IP. |
| sensor_cpe | string | sensorCpe | CPE of the platform producing the alert. Ex: `cpe:2.3 secureworks:redcloak::::::::` |
| original_data | string | originalData | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec | Event time in microseconds (µs). |
| ingest_time_usec | uint64 | ingestTimeUsec | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity | The original precision of the time value used to populate event_time_usec. |
| host_id | string | hostId | Unique identifier for the host where the event originated; preferably a UUID. Internal: used by assets-v2. |
| sensor_version | string | sensorVersion | The agent version as a string. (Field indexes do not line up with the base event because of existing field definitions.) |
| normalizer_version | string | normalizerVersion | The normalizer version (git tag). |
| normalizer_revision | string | normalizerRevision | The normalizer revision (git commit hash). |
| created_time_usec | uint64 | createdTimeUsec | Alert creation time in microseconds (µs). |
| closed_time_usec | uint64 | closedTimeUsec | Alert closed time in microseconds (µs). |
| updated_time_usec | uint64 | updatedTimeUsec | Time at which the alert was last updated, in microseconds (µs). |
| first_event_time_usec | uint64 | firstEventTimeUsec | Time at which the first event that caused this alert was observed, in microseconds (µs). |
| last_event_time_usec | uint64 | lastEventTimeUsec | Time at which the last event that caused this alert was observed, in microseconds (µs). |
| summary | string | summary | Description of the third-party alert. |
| title | string | title | Title of the alert; a shortened form of the description. |
| severity | Thirdparty.AlertSeverity | severity | Alert severity normalized to the third-party alert severity scale. |
| vendor_severity | string | vendorSeverity | Alert severity preserved as the raw vendor value. Useful for seeing the vendor's own severity indicator and for writing event filters against it. |
| confidence | string | confidence | Confidence of the alert logic (generally a percentage from 1 to 100, but can be any value). |
| status | string | status | Alert lifecycle status, e.g. unknown, newAlert, inProgress, resolved, etc. |
| user_principal_name | string | userPrincipalName | User sign-in name. |
| source_user_name | string | sourceUserName | Account from which the alert was generated. |
| target_user_name | string | targetUserName | Account for which the alert was generated. |
| domain_name | string | domainName | Domain of the user account. |
| protocol | uint32 | protocol | Network protocol, e.g. tcp, udp, icmp, etc. (carried as a numeric protocol identifier, per the uint32 type). |
| direction | Thirdparty.Direction | direction | Network connection direction. Possible values: unknown, inbound, outbound. |
| action | Thirdparty.Action | action | How the threat was handled. Possible values: action_unknown, attempted, succeeded, blocked, failed. |
| risk_score | float | riskScore | Provider-generated or provider-calculated risk score. Recommended value range is 0 to 1, i.e. a fraction equivalent to a percentage. |
| log_type | string | logType | Vendor-provided definition of the log type. |
| destination_service_name | string | destinationServiceName | The destination cloud app or service name of the alert. |
| destination_service_class | string | destinationServiceClass | The classification of the destination cloud app or service of the alert. |
| destination_url | string | destinationUrl | The destination URL provided by the alert producer. |
| user_agent | string | userAgent | The User-Agent string used in the request. |
| alert_id | string | alertId | Unique identifier of the alert object. |
| source_user_id | string | sourceUserId | Account ID from which the alert was generated. |
| target_user_id | string | targetUserId | Account ID for which the alert was generated. |
| destination_mac | string | destinationMac | Destination MAC address for which the alert was generated. |
| source_mac | string | sourceMac | Source MAC address for which the alert was generated. |
| target_host_name | string | targetHostName | Target host name for which the alert was generated. |
| target_host | HostPart | targetHost | Standardized form of target_host_name. |
| source_host_name | string | sourceHostName | Source host name for which the alert was generated. |
| source_host | HostPart | sourceHost | Standardized form of source_host_name. |
| is_custom_alert | NullableBoolean | isCustomAlert | Whether the underlying alert logic was authored by the vendor (false) or by an end user (true). |
| is_generated | NullableBoolean | isGenerated | Whether the alert comes from programmatically generated data (true) or from actual telemetry (false). |
| action_reason | string | actionReason | A reason supplied by the actioning device for the action taken. |
| device_location | string | deviceLocation | A label indicating the logical location of the device that produced the log, for example "Build A Devices". |
| user_location | string | userLocation | A label indicating the logical location of the user contained in the log, or of the user that produced the action contained in the log, for example "Traveling worker". |
| alert_category | string | alertCategory | A vendor-provided general categorization that classifies alerts into broad categories such as "Threat", "Policy Violation", "Operational Issue", etc. This differs from log_type, which is the vendor-provided definition of the log type, and from ontology, which is a more specific and formal category of the alert based on domain knowledge. |
| target_os | OperatingSystem | targetOs | Operating system and architecture of the target of the alert. |
| source_user_type | string | sourceUserType | Type of the audited user, as categorized by the alert provider. |
| vendor | string | vendor | Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
| provider | string | provider | Specific provider (product or service, not the vendor company); for example, WindowsDefenderATP. |
| sub_provider | string | subProvider | Specific sub-provider (under the aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
| provider_version | string | providerVersion | Version of the provider or sub-provider, if it exists, that generated the alert. |
| ontology | string | ontology | Category of the alert (for example, credential theft, ransomware, UnfamiliarLocation, UnauthorizedAccess:S3/TorIPCaller, etc.). |
| additional_data | KeyValuePairsIndexed | additionalData | Additional interesting data for a given alert, as key-value pairs. |
| source_address | string | sourceAddress | Source IP address as provided by the alert provider. |
| destination_address | string | destinationAddress | Destination IP address as provided by the alert provider. |
| source_port | uint32 | sourcePort | TCP/UDP source port. |
| destination_port | uint32 | destinationPort | TCP/UDP destination port. |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary | The geographic location of the source IP. |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary | The geographic location of the destination IP. |
| vendor_src_ipgeo_summary | GeoSummary | vendorSrcIpgeoSummary | The geographic location of the source IP as provided by the alert producer. |
| vendor_dst_ipgeo_summary | GeoSummary | vendorDstIpgeoSummary | The geographic location of the destination IP as provided by the alert producer. |
| session_id | string | sessionId | An identifier for the communication channel between two devices or applications across the network. |
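Added worked example (not Secureworks code and not part of this page): a small normalizer that maps a constructed vendor alert onto the field names in the table. It shows the points the descriptions state but do not illustrate: timestamps carried as microseconds with event_time_fidelity recording the precision that was actually present, vendor_severity kept raw beside the normalized severity, confidence stored as a string, risk_score clamped to the recommended 0 to 1 range, protocol carried as a number, and first/last_event_time_usec derived from the contributing events. The AlertSeverity and TimeFidelity labels (LOW/HIGH, SECONDS/MILLISECONDS/MICROSECONDS), the vendor and provider names, the IANA-number encoding of protocol and the vendor payload layout are this example's assumptions; the Direction, Action and status values are the ones listed in the table.

```python
"""Added example: normalize a constructed vendor alert onto the schema's field names."""
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Standard IANA protocol numbers; encoding the uint32 `protocol` field this way
# is an assumption of this example, not something the schema page states.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# Assumed enum labels: the page names Thirdparty.AlertSeverity and TimeFidelity
# but does not list their values, so these are placeholders.
SEVERITY_MAP = {"informational": "LOW", "low": "LOW", "medium": "MEDIUM",
                "high": "HIGH", "critical": "CRITICAL"}
# Direction, Action and status values below are the ones the table lists.
DIRECTION_MAP = {"in": "inbound", "inbound": "inbound",
                 "out": "outbound", "outbound": "outbound"}
ACTION_MAP = {"blocked": "blocked", "allowed": "succeeded",
              "attempted": "attempted", "failed": "failed"}
STATUS_MAP = {"open": "newAlert", "investigating": "inProgress",
              "closed": "resolved"}


def to_usec(value):
    """Return (microseconds since epoch, fidelity label) for a vendor timestamp.

    Vendors emit epoch seconds, epoch milliseconds or ISO-8601 strings; the
    precision actually present is what event_time_fidelity is meant to record.
    """
    if isinstance(value, str):
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if dt.tzinfo is None:                 # assume UTC for naive timestamps
            dt = dt.replace(tzinfo=timezone.utc)
        usec = (dt - EPOCH) // timedelta(microseconds=1)   # exact integer
        if dt.microsecond == 0:
            return usec, "SECONDS"
        return usec, "MILLISECONDS" if dt.microsecond % 1000 == 0 else "MICROSECONDS"
    value = int(value)
    if value < 10**11:                        # 10-digit epoch -> seconds
        return value * 1_000_000, "SECONDS"
    if value < 10**14:                        # 13-digit epoch -> milliseconds
        return value * 1_000, "MILLISECONDS"
    return value, "MICROSECONDS"


def clamp_unit(value, scale=100.0):
    """Map a vendor 0..scale score onto the recommended 0-1 risk_score range."""
    return min(1.0, max(0.0, float(value) / scale))


def normalize(vendor_alert, ingest_time_usec, vendor="ExampleVendor",
              provider="ExampleVendor.NetworkSensor"):
    """Build a dict keyed by the schema's field names from a vendor alert dict.

    Raw vendor values the schema says to keep (vendor_severity, original_data)
    are preserved verbatim next to their normalized forms.
    """
    event_time_usec, fidelity = to_usec(vendor_alert["detected_at"])
    event_times = [to_usec(e["ts"])[0] for e in vendor_alert.get("events", [])]
    raw_sev = str(vendor_alert["severity"])
    return {
        "alert_id": vendor_alert["id"],
        "vendor": vendor,
        "provider": provider,
        "title": vendor_alert["name"],
        "summary": vendor_alert.get("description", vendor_alert["name"]),
        "severity": SEVERITY_MAP.get(raw_sev.lower(), "UNKNOWN"),
        "vendor_severity": raw_sev,
        "confidence": str(vendor_alert["confidence"]),   # schema type is string
        "status": STATUS_MAP.get(vendor_alert["state"].lower(), "unknown"),
        "risk_score": clamp_unit(vendor_alert["risk"]),
        "protocol": PROTOCOL_NUMBERS.get(vendor_alert["proto"].lower()),
        "direction": DIRECTION_MAP.get(vendor_alert["direction"].lower(), "unknown"),
        "action": ACTION_MAP.get(vendor_alert["action"].lower(), "action_unknown"),
        "source_address": vendor_alert["src_ip"],
        "source_port": vendor_alert["src_port"],
        "destination_address": vendor_alert["dst_ip"],
        "destination_port": vendor_alert["dst_port"],
        "event_time_usec": event_time_usec,
        "event_time_fidelity": fidelity,
        "ingest_time_usec": ingest_time_usec,
        "first_event_time_usec": min(event_times, default=event_time_usec),
        "last_event_time_usec": max(event_times, default=event_time_usec),
        "is_generated": False,
        "original_data": json.dumps(vendor_alert, sort_keys=True),
    }


# Constructed sample input for this example; not a real vendor payload.
VENDOR_ALERT = {
    "id": "va-1001",
    "name": "Outbound connection to Tor exit node",
    "detected_at": "2024-05-01T12:00:00.250Z",
    "state": "open",
    "severity": "High",
    "risk": 85,
    "confidence": 70,
    "proto": "tcp",
    "direction": "out",
    "action": "Blocked",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dst_ip": "203.0.113.7", "dst_port": 9001,
    "events": [{"ts": 1714564799}, {"ts": 1714564800250}],   # seconds, then ms
}

if __name__ == "__main__":
    print(json.dumps(normalize(VENDOR_ALERT, 1714564805000000), indent=2))
```

Note that the two contributing events carry different precisions (epoch seconds and epoch milliseconds): both end up on the same microsecond axis, which is the only reason first_event_time_usec and last_event_time_usec can be compared at all, while event_time_fidelity tells a consumer that the trailing three digits of event_time_usec are padding.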