CIM Format (JSON)
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The application involved in the event, such as win:app:trendmicro, vmware, nagios.", "Field name": "app"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The body of a message.", "Field name": "body"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The business unit associated with the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The category of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The unique identifier of a message.", "Field name": "id"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": ["critical", "high", "medium", "low", "informational"], "Data type": "string", "Description": "The severity of a message. Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types. Specific values are required. Please use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, Really Bad, and so on).", "Field name": "severity"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "A numeric severity indicator for a message.", "Field name": "severity_id"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The business unit associated with the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The category of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "The message subject.", "Field name": "subject"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Alerts", "Possible values": [], "Model": "Alerts", "Expected values": ["alarm", "alert", "event", "task"], "Data type": "string", "Description": "The message type.", "Field name": "type"} | |
{"Model": "Alerts", "Field name": "tags", "values": [["Alerts", "alert"]]} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The compute resource where the service is installed. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "boolean", "Field name": "dest_requires_av"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "boolean", "Field name": "dest_should_timesync"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "boolean", "Field name": "dest_should_update"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The name of a process or service file, such as sqlsrvr.exe or httpd. Note: This field is not appropriate for service or daemon names, such as SQL Server or Apache Web Server. Service or daemon names belong to the service field (see below).", "Field name": "process"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The name of a process.", "Field name": "process_name"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The user account the service is running as, such as System or httpdsvc.", "Field name": "user"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "All_Application_State", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "Ports", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "number", "Description": "Network ports communicated to by the process, such as 53.", "Field name": "dest_port"} | |
{"Dataset name": "Ports", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The network ports listened to by the application process, such as tcp, udp, etc.", "Field name": "transport"} | |
{"Dataset name": "Ports", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "Calculated as transport/dest_port, such as tcp/53.", "Field name": "transport_dest_port"} | |
{"Dataset name": "Processes", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "number", "Description": "CPU Load in megahertz", "Field name": "cpu_load_mhz"} | |
{"Dataset name": "Processes", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "number", "Description": "CPU Load in percent", "Field name": "cpu_load_percent"} | |
{"Dataset name": "Processes", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "CPU Time", "Field name": "cpu_time"} | |
{"Dataset name": "Processes", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "number", "Description": "Memory used in bytes", "Field name": "mem_used"} | |
{"Dataset name": "Services", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "The name of the service, such as SQL Server or Apache Web Server. Note: This field is not appropriate for filenames, such as sqlsrvr.exe or httpd. Filenames should belong to the process field instead. Also, note that this field is a string. Use the service_id field for service ID fields that are integer data types.", "Field name": "service"} | |
{"Dataset name": "Services", "Possible values": [], "Model": "ApplicationState", "Expected values": [], "Data type": "string", "Description": "A numeric indicator for a service.", "Field name": "service_id"} | |
{"Dataset name": "Services", "Possible values": [], "Model": "ApplicationState", "Expected values": ["disabled", "manual", "auto"], "Data type": "string", "Description": "The start mode for the service.", "Field name": "start_mode"} | |
{"Dataset name": "Services", "Possible values": [], "Model": "ApplicationState", "Expected values": ["critical", "started", "stopped", "warning"], "Data type": "string", "Description": "The status of the service.", "Field name": "status"} | |
{"Model": "ApplicationState", "Field name": "tags", "values": [["All_Application_State", "(listening, port) OR (process, report) OR (service, report)"], ["Ports", "listening"], ["Processes", "process"], ["Services", "service"]]} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": ["success", "failure"], "Data type": "string", "Description": "The action performed on the resource.", "Field name": "action"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The application involved in the event (such as ssh, splunk, win:local).", "Field name": "app"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host.", "Field name": "dest"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The business unit of the authentication target. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The category of the authentication target, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The name of the Active Directory used by the authentication target, if applicable.", "Field name": "dest_nt_domain"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The priority of the authentication target. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the authentication event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the authentication event, in seconds.", "Field name": "response_time"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "A human-readable signature name.", "Field name": "signature"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The unique identifier or event code of the event signature.", "Field name": "signature_id"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host. Do not confuse src with the event source or sourcetype fields.", "Field name": "src"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The business unit of the authentication source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The category of the authentication source, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The name of the Active Directory used by the authentication source, if applicable.", "Field name": "src_nt_domain"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The priority of the authentication source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.", "Field name": "src_user"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_bunit"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The category of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_category"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_priority"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "This automatically-generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.", "Field name": "user"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "Authentication", "Possible values": [], "Model": "Authentication", "Expected values": [], "Data type": "string", "Description": "The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Model": "Authentication", "Field name": "tags", "values": [["Authentication", "authentication"], ["Default_Authentication", "default"], ["Insecure_Authentication", "cleartext OR insecure"], ["Privileged_Authentication", "privileged"]]} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The target in the certificate management event.", "Field name": "dest"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The business unit of the target. This field is automatically provided by Asset and Identity correlation features of applications like ClownStrike Enterprise Security.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The category of the target, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like ClownStrike Enterprise Security.", "Field name": "dest_category"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "number", "Description": "The port number of the target.", "Field name": "dest_port"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The priority of the target.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the certificate management event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the certificate management event, if applicable.", "Field name": "response_time"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The source involved in the certificate management event. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host. Note: Do not confuse src with the event source or sourcetype fields.", "Field name": "src"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The business unit of the certificate management source. This field is automatically provided by Asset and Identity correlation features of applications like ClownStrike Enterprise Security.", "Field name": "src_bunit"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The category of the certificate management source, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of applications like ClownStrike Enterprise Security.", "Field name": "src_category"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "number", "Description": "The port number of the source.", "Field name": "src_port"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The priority of the certificate management source.", "Field name": "src_priority"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.", "Field name": "tag"} | |
{"Dataset name": "All_Certificates", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The transport protocol of the Network Traffic involved with this certificate.", "Field name": "transport"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "time", "Description": "The expiry time of the certificate.", "Field name": "ssl_end_time"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The name of the signature engine that created the certificate.", "Field name": "ssl_engine"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The hash of the certificate.", "Field name": "ssl_hash"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": ["true", "false", "1", "0"], "Data type": "boolean", "Description": "Indicator of whether the ssl certificate is valid or not.", "Field name": "ssl_is_valid"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's RFC2253 Distinguished Name.", "Field name": "ssl_issuer"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's common name.", "Field name": "ssl_issuer_common_name"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's email address.", "Field name": "ssl_issuer_email"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's locality.", "Field name": "ssl_issuer_locality"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's organization.", "Field name": "ssl_issuer_organization"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's state of residence.", "Field name": "ssl_issuer_state"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's street address.", "Field name": "ssl_issuer_street"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate issuer's organizational unit.", "Field name": "ssl_issuer_unit"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The name of the ssl certificate.", "Field name": "ssl_name"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The Object Identification Numbers of the certificate's policies in a comma-separated string.", "Field name": "ssl_policies"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate\u2019s public key.", "Field name": "ssl_publickey"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The algorithm used to create the public key.", "Field name": "ssl_publickey_algorithm"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate\u2019s serial number.", "Field name": "ssl_serial"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The session identifier for this certificate.", "Field name": "ssl_session_id"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The algorithm used by the Certificate Authority to sign the certificate.", "Field name": "ssl_signature_algorithm"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "time", "Description": "This is the start date and time for this certificate's validity.", "Field name": "ssl_start_time"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner's RFC2253 Distinguished Name.", "Field name": "ssl_subject"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "This certificate owner\u2019s common name.", "Field name": "ssl_subject_common_name"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner\u2019s e-mail address.", "Field name": "ssl_subject_email"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner\u2019s locality.", "Field name": "ssl_subject_locality"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner\u2019s organization.", "Field name": "ssl_subject_organization"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner\u2019s state of residence.", "Field name": "ssl_subject_state"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner\u2019s street address.", "Field name": "ssl_subject_street"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The certificate owner's organizational unit.", "Field name": "ssl_subject_unit"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "number", "Description": "The length of time (in seconds) for which this certificate is valid.", "Field name": "ssl_validity_window"} | |
{"Dataset name": "SSL", "Possible values": [], "Model": "Certificates", "Expected values": [], "Data type": "string", "Description": "The SSL version of this certificate.", "Field name": "ssl_version"} | |
{"Model": "Certificates", "Field name": "tags", "values": [["All_Certificates", "certificate"], ["SSL", "ssl OR tls"]]} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": ["acl_modified", "cleared", "created", "deleted", "modified", "read", "stopped", "updated"], "Data type": "string", "Description": "The action performed on the resource.", "Field name": "action"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": ["restart"], "Data type": "string", "Description": "The type of change, such as filesystem or AAA (authentication, authorization, and accounting).", "Field name": "change_type"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The command that initiated the change.", "Field name": "command"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The resource where change occurred. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name.", "Field name": "dvc"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "Name of the affected object on the resource (such as a router interface, user account, or server volume).", "Field name": "object"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The attributes that were updated on the updated resource object, if applicable.", "Field name": "object_attrs"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": ["directory", "file", "group", "registry", "user"], "Data type": "string", "Description": "Generic name for the class of the updated resource object. Expected values may be specific to an app.", "Field name": "object_category"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value).", "Field name": "object_id"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The path of the modified resource object, if applicable (such as a file, directory, or volume).", "Field name": "object_path"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": ["lockout"], "Data type": "string", "Description": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string; for severity IDs that are integer data types, use a msg_severity_id field (not included in the data model) instead.", "Field name": "result"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "A result indicator for an action status.", "Field name": "result_id"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "src_category"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "src_priority"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": ["success", "failure"], "Data type": "string", "Description": "Status of the update.", "Field name": "status"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The user or entity performing the change. For account changes, this is the account that was changed; see src_user for the user or entity that performed the change.", "Field name": "user"} | |
{"Dataset name": "All_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The vendor and product or service that detected the change. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The NT domain of the destination, if applicable.", "Field name": "dest_nt_domain"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The NT domain of the source, if applicable.", "Field name": "src_nt_domain"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "For account changes, the user or entity performing the change.", "Field name": "src_user"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_bunit"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "src_user_category"} | |
{"Dataset name": "Account_Management", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Field name": "src_user_priority"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "time", "Description": "The time the file (the object of the event) was accessed.", "Field name": "file_access_time"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "Access controls associated with the file affected by the event.", "Field name": "file_acl"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "time", "Description": "The time the file (the object of the event) was created.", "Field name": "file_create_time"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "A cryptographic identifier assigned to the file object affected by the event.", "Field name": "file_hash"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "time", "Description": "The time the file (the object of the event) was altered.", "Field name": "file_modify_time"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The name of the file that is the object of the event (without location information related to local file or directory structure).", "Field name": "file_name"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "string", "Description": "The location of the file that is the object of the event, in local file and directory structure terms.", "Field name": "file_path"} | |
{"Dataset name": "Filesystem_Changes", "Possible values": [], "Model": "ChangeAnalysis", "Expected values": [], "Data type": "number", "Description": "The size of the file that is the object of the event, in kilobytes.", "Field name": "file_size"} | |
{"Model": "ChangeAnalysis", "Field name": "tags", "values": [["All_Changes", "change"], ["Auditing_Changes", "audit"], ["Endpoint_Changes", "endpoint"], ["Network_Changes", "network"], ["Account_Management", "account"]]} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The description of the inventory system.", "Field name": "description"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The business unit of the system where the data originated. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The priority of the system where the data originated. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the resource is enabled or disabled.", "Field name": "enabled"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The product family of the resource, such as 686_64 or RISC.", "Field name": "family"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The hypervisor identifier, if applicable.", "Field name": "hypervisor_id"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The serial number of the resource.", "Field name": "serial"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The current reported state of the resource.", "Field name": "status"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "ClownStrike uses this automatically generated field to access tags from within data models. You do not need to populate it.", "Field name": "tag"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The vendor and product name of the resource, such as Cisco Catalyst 3850. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "All_Inventory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The version of a computer resource, such as 2008r2 or 3.0.0.", "Field name": "version"} | |
{"Dataset name": "CPU", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The number of CPU cores reported by the resource (total, not per CPU).", "Field name": "cpu_cores"} | |
{"Dataset name": "CPU", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The number of CPUs reported by the resource.", "Field name": "cpu_count"} | |
{"Dataset name": "CPU", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The maximum speed of the CPU reported by the resource (in megahertz).", "Field name": "cpu_mhz"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The total amount of memory installed in or allocated to the resource, in megabytes.", "Field name": "mem"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The IP address for the system that the data is going to.", "Field name": "dest_ip"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The domain name server for the resource.", "Field name": "dns"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "Identifies whether the resource is a network address translation pool.", "Field name": "inline_nat"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.", "Field name": "interface"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The network addresses of the computing resource, such as 192.168.1.1 or E80:0000:0000:0000:0202:B3FF:FE1E:8329.", "Field name": "ip"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The load balancing method used by the computing resource, such as method, round robin, or least weight.", "Field name": "lb_method"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.", "Field name": "mac"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "A name field provided in some data sources.", "Field name": "name"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "Represents a node hit.", "Field name": "node"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The number of the destination port on the server that you requested from.", "Field name": "node_port"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The IP address for the system from which the data originates.", "Field name": "src_ip"} | |
{"Dataset name": "Network", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The port number for the virtual IP address (VIP). A VIP allows multiple MACs to use one IP address. VIPs are often used by load balancers.", "Field name": "vip_port"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The operating system of the resource, such as Microsoft Windows Server 2008r2. This field is constructed from vendor_product and version fields.", "Field name": "os"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The array that the storage resource is a member of, if applicable.", "Field name": "array"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The block size used by the storage resource, in kilobytes.", "Field name": "blocksize"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The index cluster that the resource is a member of, if applicable.", "Field name": "cluster"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The maximum number of file descriptors available.", "Field name": "fd_max"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The latency reported by the resource, in milliseconds.", "Field name": "latency"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The path at which a storage resource is mounted.", "Field name": "mount"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "A higher level object that this resource is owned by, if applicable.", "Field name": "parent"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The maximum possible number of blocks read per second during a polling period.", "Field name": "read_blocks"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "For a polling period, the average amount of time elapsed until a read request is filled by the host disks (in ms).", "Field name": "read_latency"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The total number of read operations in the polling period.", "Field name": "read_ops"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The amount of storage capacity allocated to the resource, in megabytes.", "Field name": "storage"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The maximum possible number of blocks written per second during a polling period.", "Field name": "write_blocks"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "For a polling period, the average amount of time elapsed until a write request is filled by the host disks (in ms).", "Field name": "write_latency"} | |
{"Dataset name": "Storage", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The total number of write operations in the polling period.", "Field name": "write_ops"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether a locally defined account on a resource can be logged in to interactively.", "Field name": "interactive"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "Displays the stored password(s) for a locally defined account, if it has any. For instance, an add-on may report the password column from /etc/passwd in this field.", "Field name": "password"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "Indicates the shell program used by a locally defined account.", "Field name": "shell"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The full name of a locally defined account.", "Field name": "user"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The business unit of the locally-defined user account. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The user identification for a locally defined account.", "Field name": "user_id"} | |
{"Dataset name": "User", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The priority of a locally-defined account. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "Virtual_OS", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The hypervisor parent of a virtual guest OS.", "Field name": "hypervisor"} | |
{"Dataset name": "Snapshot", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "number", "Description": "The snapshot file size, in megabytes.", "Field name": "size"} | |
{"Dataset name": "Snapshot", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "string", "Description": "The name of a snapshot file.", "Field name": "snapshot"} | |
{"Dataset name": "Snapshot", "Possible values": [], "Model": "ComputeInventory", "Expected values": [], "Data type": "time", "Description": "The time at which the snapshot was taken.", "Field name": "time"} | |
{"Model": "ComputeInventory", "Field name": "tags", "values": [["All_Inventory", "inventory"], ["CPU", "cpu"], ["Memory", "memory"], ["Network", "network"], ["Storage", "storage"], ["OS", "system"], ["User", "user"], ["Cleartext_Passwords", "password=*"], ["Default_Accounts", "default"], ["Virtual_OS", "virtual"], ["Snapshot", "snapshot"], ["Tools", "tools"]]} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The application involved in the event.", "Field name": "app"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The business unit of the DLP target. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP target. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The priority of the DLP target. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The zone of the DLP target.", "Field name": "dest_zone"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The business unit of the DLP device. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dvc_bunit"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP device. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dvc_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The priority of the DLP device. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dvc_priority"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The zone of the DLP device.", "Field name": "dvc_zone"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The business unit of the DLP source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The priority of the DLP source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The zone of the DLP source.", "Field name": "src_zone"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The business unit of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_bunit"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The priority of the DLP source user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_priority"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The business unit of the DLP user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The priority of the DLP user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The action taken by the DLP device.", "Field name": "action"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the DLP event.", "Field name": "category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The device that reported the DLP event.", "Field name": "dvc"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The type of DLP system that generated the event.", "Field name": "dlp_type"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The name of the affected object.", "Field name": "object"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The path of the affected object.", "Field name": "object_path"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The category of the affected object.", "Field name": "object_category"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The name of the DLP event.", "Field name": "signature"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The severity of the DLP event.", "Field name": "severity"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The source of the DLP event.", "Field name": "src"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The source user of the DLP event.", "Field name": "src_user"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The target of the DLP event.", "Field name": "dest"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The target user of the DLP event.", "Field name": "user"} | |
{"Dataset name": "DLP_Incidents", "Possible values": [], "Model": "DataLossPrevention", "Expected values": [], "Data type": "string", "Description": "The vendor and product name of the DLP system.", "Field name": "vendor_product"} | |
{"Model": "DataLossPrevention", "Field name": "tags", "values": [["DLP_Incidents", "dlp"]]} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The destination of the database event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The category of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The priority of the destination, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the database event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the database object.", "Field name": "object"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the database event, in seconds.", "Field name": "response_time"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The source of the database event. You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The business unit of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The category of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "Name of the database process user.", "Field name": "user"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The business unit of the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The category associated with the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The priority of the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "All_Databases", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "Database_Instance", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the database instance.", "Field name": "instance_name"} | |
{"Dataset name": "Database_Instance", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The version of the database instance.", "Field name": "instance_version"} | |
{"Dataset name": "Database_Instance", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The maximum number of processes that the database instance can handle.", "Field name": "process_limit"} | |
{"Dataset name": "Database_Instance", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The maximum number of sessions that the database instance can handle.", "Field name": "session_limit"} | |
{"Dataset name": "Instance_Stats", "Possible values": ["Available", "Not Available"], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The status of the database server.", "Field name": "availability"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The average number of executions for the database instance.", "Field name": "avg_executions"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The amount of the database dump area that has been used.", "Field name": "dump_area_used"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of reads for the database instance.", "Field name": "instance_reads"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of writes for the database instance.", "Field name": "instance_writes"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of users for the database instance.", "Field name": "number_of_users"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of processes currently running for the database instance.", "Field name": "processes"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of sessions currently in use for the database instance.", "Field name": "sessions"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total size of the buffer cache for the database instance, in bytes.", "Field name": "sga_buffer_cache_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The maximum number of number of buffers that can be hit in the database instance without finding a free buffer.", "Field name": "sga_buffer_hit_limit"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The hit-to-miss ratio for the database instance's data dictionary.", "Field name": "sga_data_dict_hit_ratio"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The size of the fixed area (also referred to as the fixed SGA) for the database instance, in bytes.", "Field name": "sga_fixed_area_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total amount of free memory in the database instance SGA, in bytes.", "Field name": "sga_free_memory"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total library cache size for the database instance, in bytes.", "Field name": "sga_library_cache_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total size of the redo log buffer for the database instance, in bytes.", "Field name": "sga_redo_log_buffer_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total size of the shared pool for this database instance, in bytes.", "Field name": "sga_shared_pool_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total size of the SQL area for this database instance, in bytes.", "Field name": "sga_sql_area_size"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "time", "Description": "The total amount of uptime for the database instance.", "Field name": "start_time"} | |
{"Dataset name": "Instance_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The total amount of tablespace used for the database instance, in bytes.", "Field name": "tablespace_used"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The percentage of logical reads from the buffer during the session (1-physical reads/session logical reads*100).", "Field name": "buffer_cache_hit_ratio"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of commits per second performed by the user associated with the session.", "Field name": "commits"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds.", "Field name": "cpu_used"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of the cursor currently in use by the session.", "Field name": "cursor"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total amount of time elapsed since the user started the session by logging into the database server, in seconds.", "Field name": "elapsed_time"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of consistent gets and database block gets performed during the session.", "Field name": "logical_reads"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the logical host associated with the database instance.", "Field name": "machine"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of memory sorts performed during the session.", "Field name": "memory_sorts"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total number of physical reads performed during the session.", "Field name": "physical_reads"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The description of seconds_in_wait depends on the value of wait_time. If wait_time = 0, seconds_in_wait is the number of seconds spent in the current wait condition. If wait_time has a nonzero value, seconds_in_wait is the number of seconds that have elapsed since the start of the last wait. You can get the active seconds that have elapsed since the last wait ended by calculating seconds_in_wait - wait_time / 100.", "Field name": "seconds_in_wait"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The unique id that identifies the session.", "Field name": "session_id"} | |
{"Dataset name": "Session_Info", "Possible values": ["Online", "Offline"], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The current status of the session.", "Field name": "session_status"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "Number of table scans performed during the session.", "Field name": "table_scans"} | |
{"Dataset name": "Session_Info", "Possible values": ["WAITING (the session is currently waiting)", "WAITED UNKNOWN TIME (the duration of the last session wait is unknown)", "WAITED SHORT TIME (the last session wait was < 1/100th of a second)", "WAITED KNOWN TIME (the wait_time is the duration of the last session wait)"], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "Provides the current wait state for the session. Can indicate that the session is currently waiting or provide information about the session's last wait.", "Field name": "wait_state"} | |
{"Dataset name": "Session_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "When wait_time = 0, the session is waiting. When wait_time has a nonzero value, it is displaying the last wait time for the session.", "Field name": "wait_time"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "Represents the amount of time elapsed since the session_status changed to its current status. The definition of this field depends on the session_status value. If session_status = ONLINE, the last_call_minute value represents the time elapsed since the session became active. If session_status = OFFLINE, the last_call_minute value represents the time elapsed since the session became inactive.", "Field name": "last_call_minute"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The mode of the lock on the object.", "Field name": "lock_mode"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The session identifier of the locked object.", "Field name": "lock_session_id"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The database logon time for the session.", "Field name": "logon_time"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the locked object.", "Field name": "obj_name"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The process identifier for the operating system.", "Field name": "os_pid"} | |
{"Dataset name": "Lock_Info", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The serial number of the object.", "Field name": "serial_num"} | |
{"Dataset name": "Database_Query", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The full database query.", "Field name": "query"} | |
{"Dataset name": "Database_Query", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The identifier for the database query.", "Field name": "query_id"} | |
{"Dataset name": "Database_Query", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "time", "Description": "The time the system initiated the database query.", "Field name": "query_time"} | |
{"Dataset name": "Database_Query", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of records affected by the database query.", "Field name": "records_affected"} | |
{"Dataset name": "Tablespace", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The total amount of free space in the tablespace, in bytes.", "Field name": "free_bytes"} | |
{"Dataset name": "Tablespace", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the tablespace.", "Field name": "tablespace_name"} | |
{"Dataset name": "Tablespace", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of tablespace reads carried out by the query.", "Field name": "tablespace_reads"} | |
{"Dataset name": "Tablespace", "Possible values": ["Offline", "Online", "Read Only"], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The status of the tablespace.", "Field name": "tablespace_status"} | |
{"Dataset name": "Tablespace", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "number", "Description": "The number of tablespace writes carried out by the query.", "Field name": "tablespace_writes"} | |
{"Dataset name": "Query_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The names of the indexes hit by the database query.", "Field name": "indexes_hit"} | |
{"Dataset name": "Query_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The name of the query plan hit by the query.", "Field name": "query_plan_hit"} | |
{"Dataset name": "Query_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The names of the stored procedures called by the query.", "Field name": "stored_procedures_called"} | |
{"Dataset name": "Query_Stats", "Possible values": [], "Model": "Datastore", "Expected values": [], "Data type": "string", "Description": "The names of the tables hit by the query.", "Field name": "tables_hit"} | |
{"Model": "Datastore", "Field name": "tags", "values": [["All_Databases", "database"], ["Database_Instance", "instance"], ["Instance_Stats", "stats"], ["Session_Info", "session"], ["Lock_Info", "lock"], ["Database_Query", "query"], ["Tablespace", "tablespace"], ["Query_Stats", "stats"]]} | |
{"Dataset name": "Email", "Possible values": ["delivered", "blocked", "quarantined", "deleted"], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "Action taken by the reporting device.", "Field name": "action"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "Total sending delay in milliseconds.", "Field name": "delay"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The endpoint system to which the message was delivered. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The business unit of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The category of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The priority of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the messaging event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The hashes for the files attached to the message, if any exist.", "Field name": "file_hash"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The names of the files attached to the message, if any exist.", "Field name": "file_name"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The size of the files attached the message, in bytes.", "Field name": "file_size"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport).", "Field name": "internal_message_id"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The globally-unique message identifier.", "Field name": "message_id"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "Additional information about the message.", "Field name": "message_info"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The original destination host of the message. The message destination host can change when a message is relayed or bounced.", "Field name": "orig_dest"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient.", "Field name": "orig_recipient"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The original source of the message.", "Field name": "orig_src"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.", "Field name": "process"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The numeric identifier of the process invoked to send the message.", "Field name": "process_id"} | |
{"Dataset name": "Email", "Possible values": ["smtp", "imap", "pop3", "mapi"], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The email protocol involved, such as SMTP or RPC.", "Field name": "protocol"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "A field listing individual recipient email addresses, such as recipient=\"[email protected]\", recipient=\"[email protected]\".", "Field name": "recipient"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The total number of intended message recipients.", "Field name": "recipient_count"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The recipient delivery status, if available.", "Field name": "recipient_status"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the messaging event, in seconds.", "Field name": "response_time"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The number of times that the message was automatically resent because it was bounced back, or a similar transmission error condition.", "Field name": "retries"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The return address for the message.", "Field name": "return_addr"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "The size of the message, in bytes.", "Field name": "size"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The system that sent the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The business unit of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The category of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The priority of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The email address of the message sender.", "Field name": "src_user"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The business unit of the message sender. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_bunit"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The category of the message sender. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_category"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The priority of the message sender. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_priority"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The status code associated with the message.", "Field name": "status_code"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The subject of the message.", "Field name": "subject"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The URL associated with the message, if any.", "Field name": "url"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The user context for the process. This is not the email address for the sender. For that, look at the src_user field.", "Field name": "user"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The business unit of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The category of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The priority of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The vendor and product of the email server used for the email transaction. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "Extended delay information for the message transaction. May contain details of all the delays from all the servers in the message transmission chain.", "Field name": "xdelay"} | |
{"Dataset name": "Email", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "An external reference. Can contain message IDs or recipient addresses from related messages.", "Field name": "xref"} | |
{"Dataset name": "Filtering", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The status produced by the filter, such as \"accepted\", \"rejected\", or \"dropped\".", "Field name": "filter_action"} | |
{"Dataset name": "Filtering", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "number", "Description": "Numeric indicator assigned to specific emails by an email filter.", "Field name": "filter_score"} | |
{"Dataset name": "Filtering", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The name of the filter applied.", "Field name": "signature"} | |
{"Dataset name": "Filtering", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "Any additional information about the filter.", "Field name": "signature_extra"} | |
{"Dataset name": "Filtering", "Possible values": [], "Model": "Email", "Expected values": [], "Data type": "string", "Description": "The id associated with the filter name.", "Field name": "signature_id"} | |
{"Model": "Email", "Field name": "tags", "values": [["All_Email", "email"], ["Delivery", "delivery"], ["Content", "content"], ["Filtering", "filter"]]} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The destination of the message. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": ["queue", "topic"], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The type of message destination, such as queue or topic. Note: in other models dest_category is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security and must not be extracted by add-ons; here the listed possible values (queue, topic) appear to describe the messaging data itself, so confirm which source is expected before defining or omitting an extraction.", "Field name": "dest_category"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "number", "Description": "The number of seconds from message call to message response. Can be derived by getting the difference between the request_sent_time and the message_received_time.", "Field name": "duration"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The endpoint that the message accessed during the RPC (remote procedure call) transaction.", "Field name": "endpoint"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22.", "Field name": "endpoint_version"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "A command or reference that an RPC (remote procedure call) reads or responds to.", "Field name": "message"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action.", "Field name": "message_consumed_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The message correlation identification value.", "Field name": "message_correlation_id"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the message producer sent the message.", "Field name": "message_delivered_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent (meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on.", "Field name": "message_delivery_mode"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the message expired.", "Field name": "message_expiration_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The message identification.", "Field name": "message_id"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The priority of the message. Important jobs that the message queue should answer no matter what receive a higher message_priority than other jobs, ensuring they are completed before the others.", "Field name": "message_priority"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using.", "Field name": "message_properties"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the message was received by a message-oriented middleware (MOM) solution.", "Field name": "message_received_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether or not the message was redelivered.", "Field name": "message_redelivered"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The name of the destination for replies to the message.", "Field name": "message_reply_dest"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The type of message, such as call or reply.", "Field name": "message_type"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something like foo=bar.", "Field name": "parameters"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The message payload.", "Field name": "payload"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The type of payload in the message. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image).", "Field name": "payload_type"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The content of the message request.", "Field name": "request_payload"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The type of payload in the message request. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image).", "Field name": "request_payload_type"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the message request was sent.", "Field name": "request_sent_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The response status code sent by the receiving server. For HTTP-based RPC this is typically the HTTP status code, for example 200 or 404.", "Field name": "response_code"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image).", "Field name": "response_payload_type"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "time", "Description": "The time that the message response was received.", "Field name": "response_received_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response, in seconds.", "Field name": "response_time"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The response status message sent by the message server.", "Field name": "return_message"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB.", "Field name": "rpc_protocol"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": ["pass", "fail"], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "boolean", "Description": "The status of the message response: pass or fail. Note: the declared data type is boolean, but the listed possible values are the strings pass and fail; confirm which representation downstream searches expect before normalizing.", "Field name": "status"} | |
{"Dataset name": "All_Interprocess_Messaging", "Possible values": [], "Model": "InterprocessMessaging", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Model": "InterprocessMessaging", "Field name": "tags", "values": [["All_Interprocess_Messaging", "messaging"]]} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The action taken by the intrusion detection system (IDS).", "Field name": "action"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The vendor-provided category of the triggered signature, such as spyware. This field is a string. Use a category_id field (not included in this data model) for category ID fields that are integer data types.", "Field name": "category"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field, together with dest_category and dest_priority, is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "number", "Description": "The destination port of the intrusion.", "Field name": "dest_port"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The device that detected the intrusion event. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name.", "Field name": "dvc"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The business unit of the device that detected the intrusion event. This field, together with dvc_category and dvc_priority, is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dvc_bunit"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "dvc_category"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "dvc_priority"} | |
{"Dataset name": "IDS_Attacks", "Possible values": ["network", "host", "application", "wireless"], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The type of IDS that generated the event.", "Field name": "ids_type"} | |
{"Dataset name": "IDS_Attacks", "Possible values": ["critical", "high", "medium", "low", "informational"], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Only the listed possible values (critical, high, medium, low, informational) are valid for this field; use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad.", "Field name": "severity"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre. This is a string value. Use a signature_id field (not included in this data model) for numeric indicators.", "Field name": "signature"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The business unit of the source involved in the attack. This field, together with src_category and src_priority, is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "src_category"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "src_priority"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The OSI layer 4 (transport) protocol of the intrusion, in lower case.", "Field name": "transport"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The user involved with the intrusion detection event.", "Field name": "user"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The business unit of the user involved with the intrusion detection event. This field, together with user_category and user_priority, is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "IDS_Attacks", "Possible values": [], "Model": "IntrusionDetection", "Expected values": [], "Data type": "string", "Description": "The vendor and product name of the IDS or IPS system that detected the intrusion, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Model": "IntrusionDetection", "Field name": "tags", "values": [["IDS_Attacks", "ids"]]} | |
{"Dataset name": "JVM", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "A description field provided in some data sources.", "Field name": "jvm_description"} | |
{"Dataset name": "JVM", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.", "Field name": "tag"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether thread contention monitoring is enabled.", "Field name": "cm_enabled"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the JVM supports thread contention monitoring.", "Field name": "cm_supported"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether thread CPU time measurement is enabled.", "Field name": "cpu_time_enabled"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the Java virtual machine supports CPU time measurement for the current thread.", "Field name": "cpu_time_supported"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "CPU time taken by the JVM, in seconds (presumably user plus system time; compare current_user_time, which counts only user-space time).", "Field name": "current_cpu_time"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "User-space time taken by the JVM, in seconds.", "Field name": "current_user_time"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The JVM's current daemon thread count.", "Field name": "daemon_thread_count"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the JVM supports monitoring of object monitor usage.", "Field name": "omu_supported"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The JVM's peak thread count.", "Field name": "peak_thread_count"} | |
{"Dataset name": "Threading", "Possible values": ["true", "false", "1", "0"], "Model": "JVM", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the JVM supports monitoring of ownable synchronizer usage.", "Field name": "synch_supported"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The JVM's current thread count.", "Field name": "thread_count"} | |
{"Dataset name": "Threading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The total number of threads started in the JVM.", "Field name": "threads_started"} | |
{"Dataset name": "Runtime", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "Process name of the JVM process.", "Field name": "process_name"} | |
{"Dataset name": "Runtime", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "timestamp", "Description": "Start time of the JVM process.", "Field name": "start_time"} | |
{"Dataset name": "Runtime", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Uptime of the JVM process, in seconds.", "Field name": "uptime"} | |
{"Dataset name": "Runtime", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "The JVM product or service. This field can be automatically populated by the vendor and product fields in your raw data.", "Field name": "vendor_product"} | |
{"Dataset name": "Runtime", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "Version of the JVM.", "Field name": "version"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Amount of memory committed to the JVM, in bytes.", "Field name": "committed_memory"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Amount of CPU time taken by the JVM, in seconds.", "Field name": "cpu_time"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Amount of free physical memory remaining to the JVM, in bytes.", "Field name": "free_physical_memory"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Amount of free swap memory remaining to the JVM, in bytes.", "Field name": "free_swap"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Maximum file descriptors available to the JVM.", "Field name": "max_file_descriptors"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Number of file descriptors opened by the JVM.", "Field name": "open_file_descriptors"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "OS that the JVM is running on.", "Field name": "os"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "OS architecture that the JVM is running on.", "Field name": "os_architecture"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "string", "Description": "OS version that the JVM is running on.", "Field name": "os_version"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Physical memory available to the OS that the JVM is running on, in bytes.", "Field name": "physical_memory"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Swap memory space available to the OS that the JVM is running on, in bytes.", "Field name": "swap_space"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "System load of the OS that the JVM is running on.", "Field name": "system_load"} | |
{"Dataset name": "OS", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Total processor cores available to the OS that the JVM is running on.", "Field name": "total_processors"} | |
{"Dataset name": "Compilation", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Time taken by JIT compilation, in seconds.", "Field name": "compilation_time"} | |
{"Dataset name": "Classloading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The current count of classes loaded in the JVM.", "Field name": "current_loaded"} | |
{"Dataset name": "Classloading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The total count of classes loaded in the JVM.", "Field name": "total_loaded"} | |
{"Dataset name": "Classloading", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "The total count of classes unloaded from the JVM.", "Field name": "total_unloaded"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Committed amount of heap memory used by the JVM, in bytes.", "Field name": "heap_committed"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Initial amount of heap memory used by the JVM, in bytes.", "Field name": "heap_initial"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Maximum amount of heap memory used by the JVM, in bytes.", "Field name": "heap_max"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Heap memory used by the JVM, in bytes.", "Field name": "heap_used"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Committed amount of non-heap memory used by the JVM, in bytes.", "Field name": "non_heap_committed"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Initial amount of non-heap memory used by the JVM, in bytes.", "Field name": "non_heap_initial"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Maximum amount of non-heap memory used by the JVM, in bytes.", "Field name": "non_heap_max"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Non-heap memory used by the JVM, in bytes.", "Field name": "non_heap_used"} | |
{"Dataset name": "Memory", "Possible values": [], "Model": "JVM", "Expected values": [], "Data type": "number", "Description": "Number of objects pending in the JVM.", "Field name": "objects_pending"} | |
{"Model": "JVM", "Field name": "tags", "values": [["JVM", "jvm"], ["Threading", "threading"], ["Runtime", "runtime"], ["OS", "os"], ["Compilation", "compilation"], ["Classloading", "classloading"], ["Memory", "memory"]]} | |
{"Dataset name": "Malware_Attacks", "Possible values": ["allowed", "blocked", "deferred"], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The action taken by the reporting device.", "Field name": "action"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The category of the malware event, such as keylogger or ad-supported program. Note: This is a string value. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).", "Field name": "category"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The date of the malware event.", "Field name": "date"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The NT domain of the destination, if applicable.", "Field name": "dest_nt_domain"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "boolean", "Field name": "dest_requires_av"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The hash of the file with suspected malware.", "Field name": "file_hash"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The name of the file with suspected malware.", "Field name": "file_name"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The full file path of the file with suspected malware.", "Field name": "file_path"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The reported sender of an email-based attack.", "Field name": "sender"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda. Note: This is a string value. Use a signature_id field for signature ID fields that are integer data types. The signature_id field is optional, so it is not included in this table.", "Field name": "signature"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The source of the event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The business unit of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The category of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The user involved in the malware event.", "Field name": "user"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "A URL containing more information about the vulnerability.", "Field name": "url"} | |
{"Dataset name": "Malware_Attacks", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The vendor and product name of the endpoint protection system, such as Symantec AntiVirus. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The system where the malware operations event occurred.", "Field name": "dest"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The NT domain of the dest system, if applicable.", "Field name": "dest_nt_domain"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "boolean", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_requires_av"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The product version of the malware operations product.", "Field name": "product_version"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The version of the malware signature bundle in a signature update operations event.", "Field name": "signature_version"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The tag associated with the malware operations event.", "Field name": "tag"} | |
{"Dataset name": "Malware_Operations", "Possible values": [], "Model": "Malware", "Expected values": [], "Data type": "string", "Description": "The vendor product name of the malware operations product.", "Field name": "vendor_product"} | |
{"Model": "Malware", "Field name": "tags", "values": [["Malware_Attacks", "malware"], ["Malware_Operations", "malware"]]} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "Number of entries in the \"additional\" section of the DNS message.", "Field name": "additional_answer_count"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "Resolved address for the query.", "Field name": "answer"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "Number of entries in the answer section of the DNS message.", "Field name": "answer_count"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "Number of entries in the \"authority\" section of the DNS message.", "Field name": "authority_answer_count"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The category of the network resolution target, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The destination port number.", "Field name": "dest_port"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The priority of the destination, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The time taken by the network resolution event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": ["Query", "Response"], "Data type": "string", "Description": "Type of DNS message.", "Field name": "message_type"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The name of the DNS event.", "Field name": "name"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The domain which needs to be resolved. Applies to messages of type \"Query\".", "Field name": "query"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "Number of entries that appear in the \"Questions\" section of the DNS query.", "Field name": "query_count"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": ["Query", "IQuery", "Status", "Notify", "Update", "A", "MX", "NS", "PTR"], "Data type": "string", "Description": "This field may contain DNS OpCodes or Resource Record Type codes. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site. If a value is not set, the DNS.record_type field is referenced.", "Field name": "query_type"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": ["A", "DNAME", "MX", "NS", "PTR"], "Data type": "string", "Description": "The DNS resource record type. For details, see the List of DNS record types on the Wikipedia web site.", "Field name": "record_type"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": ["NoError", "FormErr", "ServFail", "NXDomain", "NotImp", "Refused", "YXDomain", "YXRRSet", "NotAuth", "NotZone", "BADVERS", "BADSIG", "BADKEY", "BADTIME", "BADMODE", "BADNAME", "BADALG"], "Data type": "string", "Description": "The return code for the response. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site.", "Field name": "reply_code"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The numerical id of a return code. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site.", "Field name": "reply_code_id"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the network resolution event, if applicable. Expressed in seconds where this is consistent across all data sources.", "Field name": "response_time"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The business unit of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The category of the source, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The port number of the source.", "Field name": "src_port"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The unique numerical transaction id of the network resolution event.", "Field name": "transaction_id"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The transport protocol used by the network resolution event.", "Field name": "transport"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "number", "Description": "The time-to-live of the network resolution event.", "Field name": "ttl"} | |
{"Dataset name": "DNS", "Possible values": [], "Model": "NetworkResolutionDNS", "Expected values": [], "Data type": "string", "Description": "The vendor product name of the DNS server. The ClownStrike platform can derive this field from the fields vendor and product in the raw data, if they exist.", "Field name": "vendor_product"} | |
{"Model": "NetworkResolutionDNS", "Field name": "tags", "values": [["DNS", "network"]]} | |
{"Dataset name": "All_Sessions", "Possible values": ["added", "blocked"], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The action taken by the reporting device.", "Field name": "action"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The category of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The domain name system address of the destination for a network session event.", "Field name": "dest_dns"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The internal IP address allocated to the client initializing a network session. For DHCP and VPN events, this is the IP address leased to the client.", "Field name": "dest_ip"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The internal MAC address of the network session client. For DHCP events, this is the MAC address of the client acquiring an IP address lease. For VPN events, this is the MAC address of the client initializing a network session.", "Field name": "dest_mac"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The NetBIOS name of the client initializing a network session.", "Field name": "dest_nt_host"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the network session event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the network session event, if applicable.", "Field name": "response_time"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "An indication of the type of network session event.", "Field name": "signature"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The business unit of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The category of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_category"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The external domain name of the client initializing a network session. Not applicable for DHCP events.", "Field name": "src_dns"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The IP address of the client initializing a network session. Not applicable for DHCP events.", "Field name": "src_ip"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The MAC address of the client initializing a network session. Not applicable for DHCP events.", "Field name": "src_mac"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The NetBIOS name of the client initializing a network session. Not applicable for DHCP events.", "Field name": "src_nt_host"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The priority of the source. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The user in a network session event, where applicable. For example, a VPN session or an authenticated DHCP event.", "Field name": "user"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The business unit associated with the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The category of the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The priority of the user. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "All_Sessions", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The full name of the DHCP or DNS server involved in this event, including vendor and product name. For example, Microsoft DHCP or ISC BIND. Create this field by combining the values of the vendor and product fields, if present in the events.", "Field name": "vendor_product"} | |
{"Dataset name": "DHCP", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "number", "Description": "The duration of the DHCP lease, in seconds.", "Field name": "lease_duration"} | |
{"Dataset name": "DHCP", "Possible values": [], "Model": "NetworkSessions", "Expected values": [], "Data type": "string", "Description": "The consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered.", "Field name": "lease_scope"} | |
{"Model": "NetworkSessions", "Field name": "tags", "values": [["All_Sessions", "network"], ["Session_Start", "start"], ["Session_End", "end"], ["DHCP", "dhcp"], ["VPN", "vpn"]]} | |
{"Dataset name": "All_Traffic", "Possible values": ["allowed", "blocked", "teardown"], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The action taken by the network device.", "Field name": "action"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The application protocol of the traffic.", "Field name": "app"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "Total count of bytes handled by this device/interface (bytes_in + bytes_out).", "Field name": "bytes"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "How many bytes this device/interface received.", "Field name": "bytes_in"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "How many bytes this device/interface transmitted.", "Field name": "bytes_out"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The 802.11 channel used by a wireless network.", "Field name": "channel"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The interface that is listening remotely or receiving packets locally. Can also be referred to as the \"egress interface.\"", "Field name": "dest_interface"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The IP address of the destination.", "Field name": "dest_ip"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.", "Field name": "dest_mac"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The destination port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in a dest_svc field by extending the data model.", "Field name": "dest_port"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The destination priority, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The NATed IPv4 or IPv6 address to which a packet has been sent.", "Field name": "dest_translated_ip"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).", "Field name": "dest_translated_port"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The network zone of the destination.", "Field name": "dest_zone"} | |
{"Dataset name": "All_Traffic", "Possible values": ["inbound", "outbound"], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The direction the packet is travelling.", "Field name": "direction"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The amount of time for the completion of the network event, in seconds.", "Field name": "duration"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.", "Field name": "dvc"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dvc_bunit"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Field name": "dvc_category"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The IP address of the device.", "Field name": "dvc_ip"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator.", "Field name": "dvc_mac"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dvc_priority"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The network zone of the device.", "Field name": "dvc_zone"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "Unique identifier for this traffic stream, such as a netflow, jflow, or cflow.", "Field name": "flow_id"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem. See the ICMP Type Numbers and the ICMPv6 Type Numbers.", "Field name": "icmp_code"} | |
{"Dataset name": "All_Traffic", "Possible values": ["0 to 254"], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The RFC 2780 or RFC 4443 numeric value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers.", "Field name": "icmp_type"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The total count of packets handled by this device/interface (packets_in + packets_out).", "Field name": "packets"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The total count of packets received by this device/interface.", "Field name": "packets_in"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The total count of packets transmitted by this device/interface.", "Field name": "packets_out"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx.", "Field name": "protocol"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "Version of the OSI layer 3 protocol.", "Field name": "protocol_version"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response in the network event, if applicable.", "Field name": "response_time"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The rule that defines the action that was taken in the network event. Note: This is a string value. Use a rule_id field for rule fields that are integer data types. The rule_id field is optional, so it is not included in this table.", "Field name": "rule"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The session identifier. Multiple transactions build a session.", "Field name": "session_id"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.", "Field name": "src"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Field name": "src_category"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The interface that is listening locally or sending packets remotely. Can also be referred to as the \"ingress interface.\"", "Field name": "src_interface"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The IP address of the source.", "Field name": "src_ip"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's source, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.", "Field name": "src_mac"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The source port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field.", "Field name": "src_port"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_priority"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The NATed IPv4 or IPv6 address from which a packet has been sent.", "Field name": "src_translated_ip"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).", "Field name": "src_translated_port"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The network zone of the source.", "Field name": "src_zone"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The 802.11 service set identifier (ssid) assigned to a wireless session.", "Field name": "ssid"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Traffic", "Possible values": ["SYN", "ACK", "FIN", "RST", "URG", "PSH"], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The TCP flag(s) specified in the event. Can be one or more of SYN, ACK, FIN, RST, URG, or PSH.", "Field name": "tcp_flag"} | |
{"Dataset name": "All_Traffic", "Possible values": ["tcp", "udp", "icmp"], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The OSI layer 4 (transport) or internet layer protocol of the traffic observed, in lower case.", "Field name": "transport"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The combination of source and destination IP ToS (type of service) values in the event.", "Field name": "tos"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "number", "Description": "The \"time to live\" of a packet or datagram.", "Field name": "ttl"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The user that requested the traffic flow.", "Field name": "user"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The virtual local area network (VLAN) specified in the record.", "Field name": "vlan"} | |
{"Dataset name": "All_Traffic", "Possible values": [], "Model": "NetworkTraffic", "Expected values": [], "Data type": "string", "Description": "The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n.", "Field name": "wifi"} | |
{"Model": "NetworkTraffic", "Field name": "tags", "values": [["All_Traffic", "network"]]} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields in your event data, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The business unit of the system where the event occurred. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The category of the system where the event occurred. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The priority of the system where the performance event occurred.", "Field name": "dest_priority"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "boolean", "Object name": "All_Performance", "Description": "Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_should_timesync"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "boolean", "Object name": "All_Performance", "Description": "Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_should_update"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The ID of the virtualization hypervisor.", "Field name": "hypervisor_id"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "The type of facilities resource involved in the performance event, such as a rack, room, or system.", "Field name": "resource_type"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "All_Performance", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "CPU", "Description": "The amount of CPU load reported by the controller in megahertz.", "Field name": "cpu_load_mhz"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "CPU", "Description": "The amount of CPU load reported by the controller in percentage points.", "Field name": "cpu_load_percent"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "CPU", "Description": "The number of CPU seconds consumed by processes.", "Field name": "cpu_time"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "CPU", "Description": "Percentage of CPU user time consumed by processes.", "Field name": "cpu_user_percent"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Facilities", "Description": "The speed of the cooling fan in the facilities resource, in rotations per second.", "Field name": "fan_speed"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Facilities", "Description": "Amount of power consumed by the facilities resource, in kW/h.", "Field name": "power"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Facilities", "Description": "Average temperature of the facilities resource, in \u00b0C.", "Field name": "temperature"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The total amount of memory capacity reported by the resource, in megabytes.", "Field name": "mem"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The committed amount of memory reported by the resource, in megabytes.", "Field name": "mem_committed"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The free amount of memory reported by the resource, in megabytes.", "Field name": "mem_free"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The used amount of memory reported by the resource, in megabytes.", "Field name": "mem_used"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The total swap space size, in megabytes, if applicable.", "Field name": "swap"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The free swap space size, in megabytes, if applicable.", "Field name": "swap_free"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Memory", "Description": "The used swap space size, in megabytes, if applicable.", "Field name": "swap_used"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The array that the resource is a member of, if applicable.", "Field name": "array"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "Block size used by the storage resource, in kilobytes.", "Field name": "blocksize"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "Storage", "Description": "The cluster that the resource is a member of, if applicable.", "Field name": "cluster"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The maximum number of available file descriptors.", "Field name": "fd_max"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The current number of open file descriptors.", "Field name": "fd_used"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The latency reported by the resource, in milliseconds.", "Field name": "latency"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "Storage", "Description": "The mount point of a storage resource.", "Field name": "mount"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "Storage", "Description": "A generic indicator of hierarchy. For instance, a disk event might include the array ID here.", "Field name": "parent"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "Number of blocks read.", "Field name": "read_blocks"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The latency of read operations, in milliseconds.", "Field name": "read_latency"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "Number of read operations.", "Field name": "read_ops"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The total amount of storage capacity reported by the resource, in megabytes.", "Field name": "storage"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The free amount of storage capacity reported by the resource, in megabytes.", "Field name": "storage_free"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The percentage of storage capacity reported by the resource that is free.", "Field name": "storage_free_percent"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The used amount of storage capacity reported by the resource, in megabytes.", "Field name": "storage_used"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The percentage of storage capacity reported by the resource that is used.", "Field name": "storage_used_percent"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The number of blocks written by the resource.", "Field name": "write_blocks"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The latency of write operations, in milliseconds.", "Field name": "write_latency"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Storage", "Description": "The total number of write operations processed by the resource.", "Field name": "write_ops"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Network", "Description": "The current throughput reported by the service, in bytes.", "Field name": "thruput"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Network", "Description": "The maximum possible throughput reported by the service, in bytes.", "Field name": "thruput_max"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "OS", "Description": "The event description signature, if available.", "Field name": "signature"} | |
{"Possible values": ["success", "failure"], "Model": "Performance", "Expected values": [], "Data type": "string", "Object name": "Timesync", "Description": "The result of a time sync event.", "Field name": "action"} | |
{"Possible values": [], "Model": "Performance", "Expected values": [], "Data type": "number", "Object name": "Uptime", "Description": "The uptime of the compute resource, in seconds.", "Field name": "uptime"} | |
{"Model": "Performance", "Field name": "tags", "values": [["All_Performance", "performance"], ["CPU", "cpu"], ["Facilities", "facilities"], ["Memory", "memory"], ["Storage", "storage"], ["Network", "network"], ["OS", "os"], ["Uptime", "uptime"], ["Timesync", "time"]]} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "Destinations affected by the service request.", "Field name": "affect_dest"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "Comments about the service request.", "Field name": "comments"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The description of the service request.", "Field name": "description"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The category of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_category"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "dest_priority"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The relative priority of the service request.", "Field name": "priority"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The relative severity of the service request.", "Field name": "severity"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The user or entity that created or triggered the service request, if applicable.", "Field name": "src_user"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The business unit associated with the user or entity that triggered the service request. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_bunit"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The category associated with the user or entity that triggered the service request. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_category"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The priority associated with the user or entity that triggered the service request. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "src_user_priority"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The relative status of the service request.", "Field name": "status"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "An identification name, code, or number for the service request.", "Field name": "ticket_id"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "time", "Description": "The time that the src_user submitted the service request.", "Field name": "time_submitted"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The name of the user or entity that is assigned to carry out the service request, if applicable.", "Field name": "user"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The business unit associated with the user or entity that is assigned to carry out the service request, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The category associated with the user or entity that is assigned to carry out the service request, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_category"} | |
{"Dataset name": "All_Ticket_Management", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The priority of the user or entity that is assigned to carry out the service request, if applicable. This field is automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for this field when writing add-ons.", "Field name": "user_priority"} | |
{"Dataset name": "Change", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "Designation for a request for change (RFC) that is raised to modify an IT service to resolve an incident or problem.", "Field name": "change"} | |
{"Dataset name": "Incident", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "The incident that triggered the service request. An incident can be a rare occurrence or something that happens more frequently; an incident that recurs on a frequent basis can also be classified as a problem.", "Field name": "incident"} | |
{"Dataset name": "Problem", "Possible values": [], "Model": "TicketManagement", "Expected values": [], "Data type": "string", "Description": "When multiple occurrences of related incidents are observed, they are collectively designated with a single problem value. Problem management differs from the process of managing an isolated incident. Often problems are managed by a specific set of staff and through a problem management process.", "Field name": "problem"} | |
{"Model": "TicketManagement", "Field name": "tags", "values": [["All_Ticket_Management", "ticketing"], ["Change", "change"], ["Incident", "incident"], ["Problem", "problem"]]} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "boolean", "Field name": "dest_should_update"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.", "Field name": "dvc"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The checksum of the patch package that was installed or attempted.", "Field name": "file_hash"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The name of the patch package that was installed or attempted.", "Field name": "file_name"} | |
{"Dataset name": "Updates", "Possible values": ["critical", "high", "medium", "low", "informational"], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The severity associated with the patch event.", "Field name": "severity"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739. Note: This is a string value. Use signature_id for numeric indicators.", "Field name": "signature"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "int", "Description": "The ID of the patch requirement detected on the client (the dest, consistent with the signature field). Note: Use signature for human-readable signature names.", "Field name": "signature_id"} | |
{"Dataset name": "Updates", "Possible values": ["available", "installed", "invalid", "\"restart required\""], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "Indicates the status of a given patch requirement.", "Field name": "status"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Updates", "Possible values": [], "Model": "Updates", "Expected values": [], "Data type": "string", "Description": "The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Model": "Updates", "Field name": "tags", "values": [["Updates", "update"], ["Update_Errors", "update"]]} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "Corresponds to an identifier in the vulnerability database provided by the Security Focus website (searchable at http://www.securityfocus.com/).", "Field name": "bugtraq"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The category of the discovered vulnerability, such as DoS. Note: This field is a string. Use category_id for numeric values. The category_id field is optional and thus is not included in the data model.", "Field name": "category"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/).", "Field name": "cert"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org).", "Field name": "cve"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "number", "Description": "Numeric indicator of the common vulnerability scoring system.", "Field name": "cvss"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The host with the discovered vulnerability. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.", "Field name": "dvc"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dvc_bunit"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "dvc_category"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "dvc_priority"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/).", "Field name": "msft"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/).", "Field name": "mskb"} | |
{"Dataset name": "Vulnerabilities", "Possible values": ["critical", "high", "medium", "informational", "low"], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, and Really Bad). Note: This field is a string. Use severity_id for numeric data types. The severity_id field is optional and not included in the data model.", "Field name": "severity"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS). Note: This field has a string value. Use signature_id for numeric indicators. The signature_id field is optional and is not included in the data model.", "Field name": "signature"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The URL involved in the discovered vulnerability.", "Field name": "url"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The user involved in the discovered vulnerability.", "Field name": "user"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Dataset name": "Vulnerabilities", "Possible values": [], "Model": "Vulnerabilities", "Expected values": [], "Data type": "string", "Description": "A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.", "Field name": "xref"} | |
{"Model": "Vulnerabilities", "Field name": "tags", "values": [["Vulnerabilities", "report"]]} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The action taken by the server or proxy.", "Field name": "action"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The app recording the data, such as IIS, Squid, or Bluecoat.", "Field name": "app"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The total number of bytes transferred (bytes_in + bytes_out).", "Field name": "bytes"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The number of inbound bytes transferred.", "Field name": "bytes_in"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The number of outbound bytes transferred.", "Field name": "bytes_out"} | |
{"Dataset name": "Web", "Possible values": ["true", "false", "1", "0"], "Model": "Web", "Expected values": [], "Data type": "boolean", "Description": "Indicates whether the event data is cached or not.", "Field name": "cached"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The category of traffic, such as may be provided by a proxy server.", "Field name": "category"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The cookie recorded in the event. Cookie values can carry session identifiers or other credentials; consider masking or hashing them before indexing if the indexed data is shared beyond the security team.", "Field name": "cookie"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.", "Field name": "dest"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "dest_bunit"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "dest_category"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "dest_priority"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The time taken by the proxy event, in milliseconds.", "Field name": "duration"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The content-type of the requested HTTP resource.", "Field name": "http_content_type"} | |
{"Dataset name": "Web", "Possible values": ["GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE"], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The HTTP method used in the request.", "Field name": "http_method"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The HTTP referrer used in the request. The HTTP specification and many implementations spell the header name Referer, so the raw key is often http_referer. Use a FIELDALIAS to handle both key names.", "Field name": "http_referrer"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The user agent used in the request.", "Field name": "http_user_agent"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The length of the user agent used in the request.", "Field name": "http_user_agent_length"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The amount of time it took to receive a response, if applicable, in milliseconds.", "Field name": "response_time"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The virtual site which services the request, if applicable.", "Field name": "site"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The source of the network traffic (the client requesting the connection).", "Field name": "src"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "src_bunit"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "src_category"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "src_priority"} | |
{"Dataset name": "Web", "Possible values": ["100", "101", "102", "200", "201", "202", "203", "204", "205", "206", "207", "208", "226", "300", "301", "302", "303", "304", "305", "306", "307", "308", "400", "401", "402", "403", "404", "405", "406", "407", "408", "409", "410", "411", "412", "413", "414", "415", "416", "417", "422", "423", "424", "426", "428", "429", "431", "500", "501", "502", "503", "504", "505", "506", "507", "508", "510", "511"], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The HTTP response code indicating the status of the proxy request.", "Field name": "status"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.", "Field name": "tag"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The path of the resource served by the webserver or proxy.", "Field name": "uri_path"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The query string of the resource requested by the client (use uri_path for the path component).", "Field name": "uri_query"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The URL of the requested HTTP resource.", "Field name": "url"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "number", "Description": "The length of the URL.", "Field name": "url_length"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The user that requested the HTTP resource.", "Field name": "user"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "These fields are automatically provided by asset and identity correlation features of applications like ClownStrike Enterprise Security. Do not define extractions for these fields when writing add-ons.", "Field name": "user_bunit"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "user_category"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Field name": "user_priority"} | |
{"Dataset name": "Web", "Possible values": [], "Model": "Web", "Expected values": [], "Data type": "string", "Description": "The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data.", "Field name": "vendor_product"} | |
{"Model": "Web", "Field name": "tags", "values": [["Web", "web"], ["Proxy", "proxy"]]} |