| Field Name | Type | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- | --- |
| act | - | - | The actions taken to mitigate the event | | |
| actResult | - | - | The result of an action | | |
| behaviorCat | - | - | The matched policy category | | |
| cves | - | - | The CVEs associated with this filter | | |
| detectionType | - | - | The detection type | | |
| dmac | - | - | The MAC address of the destination IP (dest_ip) | | |
| dpt | - | | The destination port | | |
| dst | - | | The destination IP | | |
| duser | - | | The email recipient | | |
| endpointGUID | - | | The GUID of the agent that reported the detection | | |
| endpointHostName | - | | The endpoint hostname or node where the event was detected | | |
| endpointIp | - | | The endpoint host IP (for ptp/stp: the client IP) | | |
| eventId | - | - | The event ID from the logs of each product | | |
| eventName | - | - | The event type | | |
| eventSubId | - | - | The access type | | |
| eventSubName | - | - | The event type sub-name | | |
| fileHash | - | | The SHA-1 of the file that triggered the rule or policy | | |
| fileName | - | | The file name | | |
| fileOperation | - | - | The operation performed on the file | | |
| filePath | - | | The file path without the file name | | |
| filePathName | - | | The file path with the file name | | |
| firstAct | - | - | The first scan action | | |
| firstActResult | - | - | The result of the first scan action | | |
| fullPath | - | | The combination of the file path and the file name | | |
| groups | - | - | The OSSEC rule group names | | |
| hostName | - | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| instanceId | - | - | The ID of the instance that indicates the meta-cloud or data center VM | | |
| interestedIp | - | | The IP of the interestedHost | | |
| isEntity | - | - | The current entity (or the entity after change/modification) | | |
| logKey | - | - | The unique key of the event | | |
| mDeviceGUID | - | - | The GUID of the agent host | | |
| majorVirusType | - | - | The virus type | | |
| malFamily | - | - | The threat family | | |
| malName | - | - | The name of the detected malware | | |
| malType | - | - | The risk type for Network Content Correlation Engine rules | | |
| mitreVersion | - | - | The MITRE version | | |
| mpname | - | - | The management product name | | |
| mpver | - | - | The product version | | |
| objectCmd | - | | The object process command line | | |
| objectFileHashMd5 | - | | The MD5 of the object | | |
| objectFileHashSha1 | - | | The SHA-1 of the object (objectFilePath) | | |
| objectFileHashSha256 | - | | The SHA-256 of the object (objectFilePath) | | |
| objectFilePath | - | | The file path of the target process image or target file | | |
| objectIp | - | | The IP address of the domain | | |
| objectRegistryData | - | | The registry data contents | | |
| objectRegistryKeyHandle | - | | The registry key path | | |
| objectRegistryRoot | - | - | The name of the object registry root key | | |
| objectRegistryValue | - | | The registry value name | | |
| objectType | - | - | The object type | | |
| objectUser | - | | The owner name of the target process or the sign-in user name | | |
| objectUserDomain | - | - | The owner domain of the target process | | |
| parentPid | - | - | The PID of the parent process | - | |
| parentUser | - | - | The account name of the parent process | | |
| parentUserDomain | - | - | The domain name of the parent process | | |
| pname | - | - | The internal product ID | | |
| policyId | - | - | The ID of the policy under which the event was detected | | |
| processCmd | - | | The subject process command line | | |
| processFileCreation | - | - | The Unix time of object creation | | |
| processFileHashMd5 | - | | The MD5 of the subject process | | |
| processFileHashSha1 | - | | The SHA-1 of the subject process | | |
| processFileHashSha256 | - | | The SHA-256 of the subject process | | |
| processFilePath | - | | The file path of the subject process | | |
| processImagePath | - | - | The process triggered by the file event | | |
| processLaunchTime | - | - | The time the subject process was launched | | |
| processName | - | | The image name of the process that triggered the event | | |
| processPid | - | - | The PID of the subject process | - | |
| processUser | - | | The user name of the process or the file creator | | |
| processUserDomain | - | - | The owner domain of the subject process image | | |
| proto | - | - | The exploited network protocol layer | | |
| protoFlag | - | - | The data flags | | |
| regionId | - | - | The cloud asset region | | |
| remarks | - | - | Additional information | | |
| request | - | | The notable URLs | | |
| riskLevel | - | - | The risk level | | |
| rtDate | - | - | The date of log generation | | |
| rtWeekDay | - | - | The weekday of log generation | | |
| ruleName | - | - | The name of the rule that triggered the event | | |
| ruleType | - | - | The access rule type | | |
| ruleVer | - | - | The rule version | | |
| scanType | - | - | The scan type | | |
| secondAct | - | - | The second scan action | | |
| secondActResult | - | - | The result of the second scan action | | |
| senderGUID | - | - | The sender GUID | | |
| severity | - | - | The severity of the event | | |
| shost | - | | The source hostname | | |
| smac | - | - | The source MAC address | | |
| sproc | - | - | The OSSEC program name | | |
| spt | - | | The source port | | |
| src | - | | The source IP | | |
| subRuleId | - | - | The sub-rule ID | | |
| subRuleName | - | - | The sub-rule name | | |
| suid | - | | The user name or mailbox | | |
| targetType | - | - | The target object type | | |
| vpcId | - | - | The virtual private cloud that contains the cloud asset | | |
| wasEntity | - | - | The entity before change/modification | | |
| winEventId | - | - | The Windows Event ID | | |