List of Fields

The following field names are used to write signatures that normalize the raw logs. We recommend that you use these fields when writing signatures.

A

access
access_control_list
access_list
access_mask
access_point
access_rights
account_name
acl_name
action
action_code
action_flags
action_group
action_id
actual_action
actual_mps
admin
admin_id
admin_name
agent
alarm_type
alert_id
alert_message
alert_name
alert_type
alertrule_id
algorithm_name
another_patient
another_patient_id
answer
antivirus
application
application_action
application_category
application_hash
application_id
application_list
application_name
application_type
application_version
attack_group
attack_id
attack_message
attack_type
attacking_ip
attribute_name
audit_name
authentication_source

B

backend_name
branch
browser
bss_id

C

cache_info
caller_address
caller_computer
caller_database_user
caller_domain
caller_login
caller_logon_id
caller_object
caller_user
callout_name
cat_id
category
category_id
certificate_name
change_type
changes
channel
child_object_type
child_object_url
class_type
cleaned_items
cleanup_time
client
client_address
client_agent
client_domain
client_port
client_type
client_user
code
command
command_name
comment
company_name
component
component_version
computer_name
confidence
configuration_path
connection_id
connection_name
connection_time
consumer
consumer_id
content_type
context_name
correlation_id
count
counter
cpu_time
cpu_usage
current_time

D

database
database_id
database_name
database_option
database_principal_id
database_principal_name
datarate
datasize
datatypeid
date
default_context
deleted_datasize
deleted_mailboxes
description
destination
destination_address
destination_dns
destination_domain
destination_email
destination_interface
destination_ip
destination_location
destination_mac_address
destination_network
destination_object
destination_port
destination_release
destination_url
destination_zone
destinaton_address
detection_timestamp
device
device_address
device_address_ipv6
device_host
device_id
device_type
dhcid
direction
directory
disk
dispatch_type
display_name
disposition
DNS
doable_mps
document_id
domain
download_site
downloaded_by
dst_ip
dst_name
duration
duration_seconds
dvc_host

E

email_id
email_port
encryption
end_datasize
end_items
end_time
endpoint_address
endpoint_domain
error
error_code
error_message
error_messsage
establish_time
event
event_category
event_id
event_level
event_log
event_name
event_source
event_tag
event_time
event_type
exception

F

facility
failure_code
feature
file
file_name
file_path
file_size
file_type
files_skipped
filter
filter_action
filter_info
first_seen
flags
folder
folder_id
folder_name
free_size
from_release
frontend_name
function_name
funtion_name

G

gateway
generated_bytes
generated_records
generated_time
group
group_id
group_name

H

handle
handle_id
hardware_address
hash_key
hash_type
healthy
hierarchy
hip_name
hip_type
host
host_name
host_url
host_user
http

I

id
identity
imap
in_use
inbound_spi
incident_id
infected
infection_destination
infection_destination_address
infection_source
infection_source_address
inserted_time
inspection_subrule
instance
institution
interface
interface_address
interface_name
interface_state
intrusion_id
intrusion_url
investigation_id
IoDepth
is_column_permission

J

job
job_id
job_name

K

kernel_time
key

L

last_update_time
layer_name
lease_address
lease_duration
license
life_id
link
local_address
local_proxy
location
log_ts
log_type
login_id
login_name
logon_id
logon_ID
logon_type
lower_limit

M

mac_address
machine
mail_id
mailbox
mailbox_guid
mailbox_owner
mailer
malware_id_mcafee
malware_id_sophos
malware_id_webroot
map
mapped_name
match_option
matched_criteria
mdb_guid
member_id
member_name
message
message_id
message_subject
message_type
method
mime_type
mobile_number
mobile_station
most_used
mount_point
msg_idmac_address

N

name
nas_address
nas_identifier
nas_port
nat_address
nat_destination_address
nat_destination_port
nat_source_address
nat_source_port
nc_address
net_mask
network_device_name
network_user
network_view
new_bandwidth
new_memory
new_policy
new_port
new_status
new_user
new_value
new_value_type
node
ns_name
number

O

object
object_count
object_id
object_name
object_server
object_source
object_type
object_url
occurrences
oid
old_bandwidth
old_memory
old_port
old_status
old_value
old_value_type
omitted
operation
operation_type
operations
outbound_datasize
outbound_spi
OutgoingConnections
owner

P

package
package_name
packet
pages_read
pages_updated
palyload_name
parent_network
parent_object_filepath
parent_object_subtype
parent_object_type
parent_object_url
parent_process
parent_process_id
passcode_type
path
patient_id
patient_name
payload_url
peer_address
peer_interface
peer_interface_state
peer_ip
peer_name
permission_bitmask
permission_level_id
physical_memory
physical_memory_percent
pin_code
policy
policy_applied
policy_id
policy_name
pool_name
pop3
port
port_channel
port_id
port_name
portnum
prevalence
previous_time
primary_dns_address
priority
private_address
privilege
probation_time
probe_name
process
process_id
process_name
processed_mailboxes
product
profile
profile_changed
profile_name
profile_used
property
protocol
protocol_id
protocol_map
provider_name

Q

query
query_result
queue_id

R

radioband
realm
reason
reason_code
received_datasize
received_packetsize
receiver
recipient
record
record_name
record_type
referer
relay_address
relay_interface
remaining_mailboxes
remote_address
remote_proxy
remote_user
repeat_count
repos
reputation
reputation_score
request_date
request_guid
request_id
request_method
requested_action
resolved_domain
resource
response_time
result
result_code
retained_datasize
retained_mailboxes
return_code
risk
risk_level
risk_name
risk_type
roaming
role
role_id
role_name
root_context
rows_deleted
rule
rule_id
rule_name
rulebase

S

scan_id
scanned
scanned_items
scanner_address
scanner_node
schema
schema_name
scheme
scope
search_id
search_name
secondary_actions
secondary_dns_address
secondary_user
security
sender
sensitivity
sensor_id
sent_datasize
sent_packetsize
seperated_mailboxes
sequence_number
serial
serial_number
server
server_address
server_host
server_instance_name
server_name
server_principal_id
server_principal_name
server_principal_sid
server_time
service
service_name
Service_start_type
Service_type
service_type
session
session_id
session_name
session_server_principal_name
sever_address
severity
shutdown_type
signature_id
site
size
size_limit
skipped_mailboxes
smoke
smtp
snapshot
snort_id
source
source_addresss
source_computer
source_destination
source_dns
source_domain
source_handle_id
source_host
source_interface
source_ip
source_location
source_mac_address
source_network
source_object
source_port
source_zone
spi
spi_code
spyware
ssid
start_datasize
start_items
start_time
state
statement
station_identifier
status
status_code
status_msg
sub_category
sub_status_code
subject
substatus_code
succeeded
synchronized_files
system
system_id

T

table
target_account
target_database_principal_id
target_database_principal_name
target_database_user
target_domain
target_entity
target_handle_id
target_login
target_logon_id
target_name
target_object
target_process
target_server_principal_id
target_server_principal_name
target_server_principal_sid
target_type
target_user
task
tenant
tenant_id
terminal
terrmination_state
thread_id
threat
threat_category
threat_id
threat_level
threat_severity
tid
time
time_zone
timerange_end
timerange_start
token_type
total
transaction_id
transport
type

U

unit
update
update_ts
upper_limit
url
url_category
url_category_name
url_query
url_tracking
use
used
user
user_time
user_type

V

value
vendor
vendor_id
virtual_address
virtual_firewall
virtual_memory
virus
virus_name
vpn_address
vpn_variant

W

waiting_time
web_domain
workstation

Z

zone
