Data Structure¶
Data fields¶
This page describes the data structure of the logs produced by Stamus Security Platform, identify all the available fields per protocol and provide sample data for convenience.
Note
Any and all logs produced by the Stamus Central Server are in standard JSON format.
Stamus Central Server generates different types of data that can be used in various cases such as - detection, hunting, matching, statistics and analysis. Each event produced by the Stamus Central Server has its own log event type. Network protocol, flow, file transaction, beacons, sightings and DoC events are generated regardless of alerts.
The available fields are listed below.
DEFAULT¶
Important
Any and all event logs like Network protocol, Flow/Netflow, File transaction, Sightings, Anomaly, DoC and Alerts produced by the Stamus Central Server have a common flow_id field. This field allows for any and all events from the same flow to be correlated.
Each event type has by default, in addition, available the following fields:
app_proto
dest_ip
dest_port
flow_id
pcap_cnt
pkt_src
proto
src_ip
src_port
stream
timestamp
vlan
Each DNS, HTTP and TLS event type has also by default enrichment and in addition, has available the following fields:
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
Each event type has also by default organisational context (network definitions) enrichment and in addition, has available the following fields:
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg
STAMUS Specific¶
Note
Those types of fields can appear in any type of event depending if it is enrichment done by Stamus or a specific generated event type.
Fields:
geoip.continent.code
geoip.continent.geoname_id
geoip.continent.name
geoip.continent_code
geoip.coordinate
geoip.country.geoname_id
geoip.country.is_in_european_union
geoip.country.iso_code
geoip.country.name
geoip.country_code2
geoip.country_code3
geoip.country_name
geoip.ip
geoip.latitude
geoip.location
geoip.longitude
geoip.provider.autonomous_system_number
geoip.provider.autonomous_system_organization
geoip.registered_country.geoname_id
geoip.registered_country.is_in_european_union
geoip.registered_country.iso_code
geoip.registered_country.name
geoip.timezone
host
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg
see_id
see_name
stamus.asset
stamus.asset_net_info
stamus.asset_type
stamus.event_id
stamus.extra_info
stamus.family_id
stamus.family_name
stamus.family_type
stamus.kill_chain
stamus.method_id
stamus.pk
stamus.source
stamus.threat_id
stamus.threat_name
ALERTS¶
Note
Any and all protocol fields are also available in the alert event itself. Roughly about 800 more fields in total, specific to the different protocols. Those protocol fields are generated depending on what the particular signature is made to alert on. Each protocol’s available fields are listed further down this page.
Some examples of alert events:
Download an example log of DNS based Alert event
Download an example log of HTTP based Alert event
Download an example log of SMB based Alert event
Download an example log of SN SMB lateral based Alert event (remote administration)
Download an example log of TLS based Alert event
Download an example log of SMTP based Alert event
Download an example log of FTP based Alert event
Download an example log of NRD Entropy DNS based Alert event
Download an example log of NRD Entropy HTTP based Alert event
Download an example log of NRD Entropy TLS based Alert event
Fields:
alert.action
alert.category
alert.gid
alert.metadata
alert.metadata.affected_product
alert.metadata.attack_target
alert.metadata.created_at
alert.metadata.cve
alert.metadata.deployment
alert.metadata.former_category
alert.metadata.lateral_function
alert.metadata.lateral_key
alert.metadata.lateral_asset
alert.metadata.malware_family
alert.metadata.mitre_tactic_id
alert.metadata.mitre_tactic_name
alert.metadata.mitre_technique_id
alert.metadata.mitre_technique_name
alert.metadata.nrd_asset
alert.metadata.nrd_key
alert.metadata.nrd_period
alert.metadata.performance_impact
alert.metadata.provider
alert.metadata.signature_severity
alert.metadata.source
alert.metadata.stamus_classification
alert.metadata.tag
alert.metadata.updated_at
alert.rev
alert.severity
alert.signature
alert.signature_id
app_proto
app_proto_expected
app_proto_orig
app_proto_tc
dest_ip
dest_port
metadata
metadata.flowbits
packet
packet_info
packet_info.linktype
payload
payload_printable
pcap_cnt
pkt_src
proto
src_ip
src_port
stream
timestamp
vlan
ANOMALY¶
Download an example log of the Anomaly event
Fields:
anomaly.app_proto
anomaly.event
anomaly.layer
anomaly.type
DCERPC¶
Download an example log of the DCERPC protocol event
Fields:
dcerpc.call_id
dcerpc.interfaces
dcerpc.interfaces.ack_result
dcerpc.interfaces.uuid
dcerpc.interfaces.version
dcerpc.req
dcerpc.req.frag_cnt
dcerpc.req.opnum
dcerpc.req.stub_data_size
dcerpc.request
dcerpc.res
dcerpc.res.frag_cnt
dcerpc.response
dcerpc.res.stub_data_size
dcerpc.rpc_version
DHCP¶
Download an example log of the DHCP protocol event
Fields:
dhcp.assigned_ip
dhcp.client_id
dhcp.client_ip
dhcp.client_mac
dhcp.dhcp_type
dhcp.dns_servers
dhcp.hostname
dhcp.id
dhcp.lease_time
dhcp.next_server_ip
dhcp.params
dhcp.rebinding_time
dhcp.relay_ip
dhcp.renewal_time
dhcp.requested_ip
dhcp.routers
dhcp.subnet_mask
dhcp.type
DNP3¶
Download an example log of the DNP3 protocol event
Fields:
dnp3.application.complete
dnp3.application.control.con
dnp3.application.control.fin
dnp3.application.control.fir
dnp3.application.control.sequence
dnp3.application.control.uns
dnp3.application.function_code
dnp3.application.objects.count
dnp3.application.objects.group
dnp3.application.objects.points.challenge_data_len
dnp3.application.objects.points.chatter_filter
dnp3.application.objects.points.comm_lost
dnp3.application.objects.points.count
dnp3.application.objects.points.cr
dnp3.application.objects.points.data->mac_value
dnp3.application.objects.points.data->mac_value.keyword
dnp3.application.objects.points.data->wrapped_key_data
dnp3.application.objects.points.data->wrapped_key_data.keyword
dnp3.application.objects.points.delay_ms
dnp3.application.objects.points.discontinuity
dnp3.application.objects.points.index
dnp3.application.objects.points.key_status
dnp3.application.objects.points.key_wrap_alg
dnp3.application.objects.points.ksq
dnp3.application.objects.points.local_forced
dnp3.application.objects.points.mal
dnp3.application.objects.points.offtime
dnp3.application.objects.points.online
dnp3.application.objects.points.ontime
dnp3.application.objects.points.op_type
dnp3.application.objects.points.over_range
dnp3.application.objects.points.prefix
dnp3.application.objects.points.qu
dnp3.application.objects.points.reference_err
dnp3.application.objects.points.remote_forced
dnp3.application.objects.points.reserved
dnp3.application.objects.points.reserved0
dnp3.application.objects.points.reserved1
dnp3.application.objects.points.restart
dnp3.application.objects.points.rollover
dnp3.application.objects.points.size
dnp3.application.objects.points.state
dnp3.application.objects.points.status_code
dnp3.application.objects.points.tcc
dnp3.application.objects.points.timestamp
dnp3.application.objects.points.user_number
dnp3.application.objects.points.usr
dnp3.application.objects.points.value
dnp3.application.objects.prefix_code
dnp3.application.objects.qualifier
dnp3.application.objects.range_code
dnp3.application.objects.start
dnp3.application.objects.stop
dnp3.application.objects.variation
dnp3.control.dir
dnp3.control.fcb
dnp3.control.fcv
dnp3.control.function_code
dnp3.control.pri
dnp3.dst
dnp3.iin.indicators
dnp3.iin.indicators.keyword
dnp3.src
dnp3.type
dnp3.type.keyword
DNS¶
Download an example log of the DNS protocol event
Fields:
dns.aa
dns.answers
dns.answers.rdata
dns.answers.rrname
dns.answers.rrtype
dns.answers.soa
dns.answers.soa.expire
dns.answers.soa.minimum
dns.answers.soa.mname
dns.answers.soa.refresh
dns.answers.soa.retry
dns.answers.soa.rname
dns.answers.soa.serial
dns.answers.srv
dns.answers.srv.name
dns.answers.srv.port
dns.answers.srv.priority
dns.answers.srv.weight
dns.answers.ttl
dns.authorities
dns.authorities.rdata
dns.authorities.rrname
dns.authorities.rrtype
dns.authorities.soa
dns.authorities.soa.expire
dns.authorities.soa.minimum
dns.authorities.soa.mname
dns.authorities.soa.refresh
dns.authorities.soa.retry
dns.authorities.soa.rname
dns.authorities.soa.serial
dns.authorities.ttl
dns.flags
dns.grouped
dns.grouped.A
dns.grouped.AAAA
dns.grouped.CNAME
dns.grouped.MX
dns.grouped.NS
dns.grouped.PTR
dns.grouped.SOA
dns.grouped.SOA.expire
dns.grouped.SOA.minimum
dns.grouped.SOA.mname
dns.grouped.SOA.refresh
dns.grouped.SOA.retry
dns.grouped.SOA.rname
dns.grouped.SOA.serial
dns.grouped.SRV
dns.grouped.SRV.name
dns.grouped.SRV.port
dns.grouped.SRV.priority
dns.grouped.SRV.weight
dns.grouped.TXT
dns.id
dns.qr
dns.ra
dns.rcode
dns.rd
dns.rrname
dns.rrtype
dns.tc
dns.tx_id
dns.type
dns.version
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg
Fileinfo¶
Fileinfo logs are generated based on file transactions done within the following protocols: FTP, HTTP, HTTP2, SMB, SMTP, NFS.
Download an example log of FTP based File transaction record event
Download an example log of HTTP based File transaction record event
Download an example log of SMB based File transaction record event
Download an example log of SMTP based File transaction record event
Fields:
fileinfo.end
fileinfo.filename
fileinfo.gaps
fileinfo.magic
fileinfo.md5
fileinfo.mimetype
fileinfo.sha1
fileinfo.sha256
fileinfo.sid
fileinfo.size
fileinfo.start
fileinfo.state
fileinfo.stored
fileinfo.tx_id
fileinfo.type
FLOW¶
Download an example log of the FLOW record event
Fields:
tls.alpn_ts
tls.alpn_tc
flow.age
flow.alerted
flow.bytes_toclient
flow.bytes_toserver
flow.end
flow.pkts_toclient
flow.pkts_toserver
flow.reason
flow.start
flow.state
tls.ja4
tls.ja4.hash
tcp.tcp_flags
tcp.tcp_flags_ts
tcp.tcp_flags_tc
tcp.syn
tcp.fin
tcp.psh
tcp.ack
tcp.state
FTP¶
Download an example log of the FTP record event
Fields:
ftp.command
ftp.command_data
ftp.command_truncated
ftp.completion_code
FTP_DATA¶
Download an example log of the FTP record event
Fields:
ftp_data
ftp_data.command
ftp_data.filename
Host Insights¶
Download an example log of the Host Insights DHCP host
Download an example log of the Host Insights Domain Controller host
Download an example log of the Host Insights Proxy host
Download an example log of the Host Insights regular host
Fields:
agent.ephemeral_id
agent.hostname
agent.id
agent.name
agent.type
agent.version
ecs.version
event_type
host
host_id.client_service
host_id.client_service_count
host_id.first_seen
host_id.hostname
host_id.hostname_count
host_id.hostname_overflow
host_id.hostname.first_seen
host_id.hostname.last_seen
host_id.http.user_agent
host_id.http.user_agent_count
host_id.http.user_agent.first_seen
host_id.http.user_agent.last_seen
host_id.last_seen
host_id.net_info
host_id.net_info_count
host_id.net_info.first_seen
host_id.net_info.last_seen
host_id.roles
host_id.roles_count
host_id.services
host_id.services_count
host_id.services.values.first_seen
host_id.services.values.last_seen
host_id.services.values.tls.notafter
host_id.services.values.tls.notbefore
host_id.tenant
host_id.tls.ja3
host_id.tls.ja3_count
host_id.tls.ja3.first_seen
host_id.tls.ja3.last_seen
host_id.username
host_id.username_count
host_id.username.first_seen
host_id.username.last_seen
input.type
ip
log.file.path
log.offset
see_id
see_name
tags
type
HTTP¶
Download an example log of the HTTP protocol event
Fields:
http.content_range
http.content_range.end
http.content_range.raw
http.content_range.size
http.content_range.start
http.hostname
http.http_content_type
http.http_method
http.http_port
http.http_refer
http.http_user_agent
http.length
http.protocol
http.redirect
http.status
http.url
http.xff
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg
HTTP Header fields¶
Note
Those are additionally available http header sub fields from the HTTP event type.
Fields:
Accept
Accept-Charset
Accept-Encoding
Accept-Language
Accept-Ranges
Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-MaX-Age
Age
apikey
Attachment; filename
Authorization
Cache-Control
Cache-Tags
CDNUUID
CF-Cache-Status
CF-Connecting-IP
CF-IPCountry
CF-RAY
CF-Visitor
Connection
Content-Disposition
Content-Encoding
Content-Language
Content-length
Content-Length
Content-MD5
Content-Range
Content-Security-Policy
Content-type
Content-Type
Cookie
Date
DNT
Etag
ETag
Expect
Expires
Fastly-Debug-Digest
grace
iCloud-DSID
Icy-MetaData
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Keep-Alive
Last-Modified
Link
LM-UAgent
Location
MS-CorrelationId
MS-CV
MS-RequestId
normalized-lang
Origin
P3P
Pragma
Range
Referer
Referrer-Policy
Request-Context
Retry-After
Server
Set-Cookie
SOAPAction
Strict-Transport-Security
TE
Transfer-Encoding
True-Source-IP
UA-CPU
Upgrade
Upgrade-Insecure-Requests
Vary
Via
WWW-Authenticate
X-Abuse-Info
X-ac
X-amz-id-2
X-amz-meta-put-by-correlation-key
X-amz-meta-repo-checksum
X-amz-meta-worker
X-amz-request-id
X-Anycast
X-Apple-Client-Versions
X-Apple-Connection-Type
X-Apple-Cuid
X-Apple-I-Client-Time
X-Apple-I-Locale
X-Apple-I-MD
X-Apple-I-MD-M
X-Apple-I-MD-RINFO
X-Apple-I-TimeZone
X-Apple-Partner
X-Apple-Software-Cuid
X-Apple-Store-Front
X-AspNetMvc-Version
X-AspNet-Version
X-Backend
X-Backend-Server
X-BackendServer
X-Cache
X-Cacheable
X-Cacheable-status
X-Cache-Hits
X-CCC
X-CID
X-Content-Type-Options
X-drupal-authcache
X-Drupal-Authcache
X-Drupal-Cache
X-Dsid
X-FB-Connection-Type
X-FB-HTTP-Engine
X-FB-SIM-HNI
X-Forwarded-For
X-Forwarded-Port
X-Forwarded-Proto
X-Frame-Options
X-Generator
X-Hacker
X-HCandersen
X-HW
xkey
X-Logged-In
X-Mme-Device-Id
X-mono-id
X-mono-ssl
X-ms-blob-type
X-ms-lease-status
X-ms-request-id
X-ms-version
X-Muppet
X-NewRelic-ID
X-Newrelic-Ignore
X-NewRelic-Synthetics
X-Newrelic-Target
X-NewRelic-Transaction
X-original-at
X-Origin-Platform
X-Origin-UID
X-PH-Static-Cache
X-Playback-Session-Id
X-Powered-By
X-Proxy-Cache
X-Purpose
X-Real-IP
X-Requested-With
X-Robots-Tag
X-Served-By
X-Server
X-Server-IP
X-Server-Port
X-Status
X-Timer
X-UA-Compatible
X-UA-Device
X-Varnish
X-Varnish-Cache
X-vmode
X-XSS-Protection
IKE¶
Download an example log of the IKE protocol event
Fields:
ike.alg_auth
ike.alg_auth_raw
ike.alg_dh
ike.alg_dh_raw
ike.alg_enc
ike.alg_enc_raw
ike.alg_esn
ike.alg_hash
ike.alg_hash_raw
ike.alg_prf
ike.exchange_type
ike.ikev1
ike.ikev1.client
ike.ikev1.client.key_exchange_payload
ike.ikev1.client.key_exchange_payload_length
ike.ikev1.client.nonce_payload
ike.ikev1.client.nonce_payload_length
ike.ikev1.client.proposals
ike.ikev1.client.proposals.alg_auth
ike.ikev1.client.proposals.alg_auth_raw
ike.ikev1.client.proposals.alg_dh
ike.ikev1.client.proposals.alg_dh_raw
ike.ikev1.client.proposals.alg_enc
ike.ikev1.client.proposals.alg_enc_raw
ike.ikev1.client.proposals.alg_hash
ike.ikev1.client.proposals.alg_hash_raw
ike.ikev1.client.proposals.sa_key_length
ike.ikev1.client.proposals.sa_key_length_raw
ike.ikev1.client.proposals.sa_life_duration
ike.ikev1.client.proposals.sa_life_duration_raw
ike.ikev1.client.proposals.sa_life_type
ike.ikev1.client.proposals.sa_life_type_raw
ike.ikev1.doi
ike.ikev1.encrypted_payloads
ike.ikev1.encrypted_payloads
ike.ikev1.server
ike.ikev1.server.key_exchange_payload
ike.ikev1.server.key_exchange_payload_length
ike.ikev1.server.nonce_payload
ike.ikev1.server.nonce_payload_length
ike.ikev1.vendor_ids
ike.ikev2
ike.ikev2.errors
ike.ikev2.notify
ike.init_spi
ike.message_id
ike.payload
ike.resp_spi
ike.role
ike.sa_key_length
ike.sa_key_length_raw
ike.sa_life_duration
ike.sa_life_duration_raw
ike.sa_life_type
ike.sa_life_type_raw
ike.version_major
ike.version_minor
KRB5¶
Download an example log of the KRB5 protocol event
Fields:
krb5.cname
krb5.encryption
krb5.error_code
krb5.failed_request
krb5.msg_type
krb5.realm
krb5.sname
krb5.ticket_encryption
krb5.ticket_weak_encryption
krb5.weak_encryption
MQTT¶
Download an example log of the MQTT protocol event
Fields:
mqtt.connack
mqtt.connack.dup
mqtt.connack.qos
mqtt.connack.retain
mqtt.connack.return_code
mqtt.connack.session_present
mqtt.connect
mqtt.connect.client_id
mqtt.connect.dup
mqtt.connect.flags
mqtt.connect.flags.clean_session
mqtt.connect.flags.clean_session
mqtt.connect.flags.password
mqtt.connect.flags.username
mqtt.connect.flags.will
mqtt.connect.flags.will_retain
mqtt.connect.password
mqtt.connect.protocol_string
mqtt.connect.protocol_version
mqtt.connect.qos
mqtt.connect.retain
mqtt.connect.username
mqtt.disconnect
mqtt.disconnect.dup
mqtt.disconnect.qos
mqtt.disconnect.retain
mqtt.pingreq
mqtt.pingreq.dup
mqtt.pingreq.qos
mqtt.pingreq.retain
mqtt.pingresp
mqtt.pingresp.dup
mqtt.pingresp.qos
mqtt.pingresp.retain
mqtt.puback
mqtt.puback.dup
mqtt.puback.message_id
mqtt.puback.qos
mqtt.puback.retain
mqtt.publish
mqtt.publish.dup
mqtt.publish.message
mqtt.publish.message
mqtt.publish.message_id
mqtt.publish.qos
mqtt.publish.retain
mqtt.publish.topic
mqtt.suback
mqtt.suback.dup
mqtt.suback.message_id
mqtt.suback.qos
mqtt.suback.qos_granted
mqtt.suback.retain
mqtt.subscribe
mqtt.subscribe.dup
mqtt.subscribe.message_id
mqtt.subscribe.qos
mqtt.subscribe.retain
mqtt.subscribe.topics
mqtt.subscribe.topics.qos
mqtt.subscribe.topics.topic
mqtt.unsuback
mqtt.unsuback.dup
mqtt.unsuback.message_id
mqtt.unsuback.qos
mqtt.unsuback.retain
mqtt.unsubscribe
mqtt.unsubscribe.dup
mqtt.unsubscribe.message_id
mqtt.unsubscribe.qos
mqtt.unsubscribe.retain
mqtt.unsubscribe.topics
mqtt.unsubscribe.topics
NETFLOW¶
Download an example log of the NETFLOW protocol event
Fields:
netflow.age
netflow.bytes
netflow.end
netflow.max_ttl
netflow.min_ttl
netflow.pkts
netflow.start
NFS¶
Download an example log of the NFS protocol event
Fields:
nfs.filename
nfs.file_tx
nfs.hhash
nfs.id
nfs.procedure
nfs.read
nfs.read.chunks
nfs.read.chunks
nfs.read.first
nfs.read.last
nfs.read.last_xid
nfs.rename
nfs.rename.from
nfs.rename.to
nfs.status
nfs.status
nfs.type
nfs.version
nfs.write
nfs.write.chunks
nfs.write.first
nfs.write.last
nfs.write.last_xid
RDP¶
Download an example log of the NFS protocol event
Fields:
rdp.channels
rdp.client
rdp.client.build
rdp.client.capabilities
rdp.client.client_name
rdp.client.color_depth
rdp.client.desktop_height
rdp.client.desktop_width
rdp.client.function_keys
rdp.client.keyboard_layout
rdp.client.keyboard_type
rdp.client.product_id
rdp.client.version
rdp.cookie
rdp.error_code
rdp.event_type
rdp.protocol
rdp.reason
rdp.server_supports
rdp.tx_id
rdp.x509_serials
RFB¶
Download an example log of the RFB protocol event
Fields:
rfb.authentication
rfb.authentication.security_type
rfb.authentication.security_type
rfb.authentication.vnc
rfb.authentication.vnc
rfb.authentication.vnc.challenge
rfb.authentication.vnc.challenge
rfb.authentication.vnc.response
rfb.authentication.vnc.response
rfb.client_protocol_version
rfb.client_protocol_version.major
rfb.client_protocol_version.minor
rfb.screen_shared
rfb.server_protocol_version
rfb.server_protocol_version.major
rfb.server_protocol_version.minor
rfb.server_security_failure_reason
SIP¶
Download an example log of the SIP protocol event
Fields:
sip.code
sip.method
sip.reason
sip.request_line
sip.response_line
sip.uri
sip.version
SMB¶
Download an example log of the SMB protocol event
Fields:
smb.access
smb.accessed
smb.changed
smb.client_dialects
smb.client_guid
smb.command
smb.created
smb.dcerpc
smb.dcerpc.call_id
smb.dcerpc.interface
smb.dcerpc.interfaces
smb.dcerpc.interfaces.ack_reason
smb.dcerpc.interfaces.ack_result
smb.dcerpc.interfaces.uuid
smb.dcerpc.interface.uuid
smb.dcerpc.interface.version
smb.dcerpc.opnum
smb.dcerpc.req
smb.dcerpc.req.frag_cnt
smb.dcerpc.req.stub_data_size
smb.dcerpc.request
smb.dcerpc.res
smb.dcerpc.res.frag_cnt
smb.dcerpc.response
smb.dcerpc.res.stub_data_size
smb.dialect
smb.directory
smb.disposition
smb.filename
smb.fuid
smb.function
smb.id
smb.kerberos
smb.kerberos.realm
smb.kerberos.snames
smb.max_read_size
smb.max_write_size
smb.modified
smb.named_pipe
smb.ntlmssp
smb.ntlmssp.domain
smb.ntlmssp.host
smb.ntlmssp.user
smb.request
smb.request.native_lm
smb.request.native_os
smb.response
smb.response.native_lm
smb.response.native_os
smb.server_guid
smb.service
smb.service.request
smb.service.response
smb.session_id
smb.share
smb.share_type
smb.size
smb.status
smb.status_code
smb.tree_id
SMTP¶
Download an example log of the SMTP protocol event
Download an example log of the SMTP protocol event 2
Fields:
smtp.helo
smtp.mail_from
smtp.rcpt_to
email.helo
email.from
email.status
email.to
email.has_ipv6_url
email.has_ipv4_url
email.has_exe_url
email.url
SNMP¶
Download an example log of the SNMP protocol event
Fields:
snmp.community
snmp.pdu_type
snmp.pdu_type
snmp.usm
snmp.vars
snmp.version
SIGHTINGS¶
Note
Any and all protocol fields are also available in the Sightings event itself wherever relevant.Roughly about 800 more fields in total, specific to the different protocols. Those protocol fields are generated depending on what the particular application layer or Sighting is made to alert on.
Download an example log of the SIGHTINGS http internal server discovery event
Download an example log of the SIGHTINGS http server discovery event
Download an example log of the SIGHTINGS remote http server discovery event
Download an example log of the SIGHTINGS http useragent discovery event
Download an example log of the SIGHTINGS smb file access executable discovery event
Download an example log of the SIGHTINGS smb file transfer executable discovery event
Download an example log of the SIGHTINGS tls issuer discovery event
Download an example log of the SIGHTINGS tls ja3 discovery event
Download an example log of the SIGHTINGS tls ja3s discovery event
Download an example log of the SIGHTINGS tls serial discovery event
Download an example log of the SIGHTINGS-tls sni discovery event
Download an example log of the SIGHTINGS tls subject discovery event
Fields:
app_proto
app_proto_expected
app_proto_orig
app_proto_tc
dest_ip
dest_port
metadata
metadata.flowbits
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg
packet
packet_info
packet_info.linktype
payload
payload_printable
pcap_cnt
pkt_src
proto
src_ip
src_port
stream
timestamp
vlan
Note
For DNS, HTTP and TLS also the below are available:
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
STATS¶
Download an example log of the Stats event
Fields:
stats.app_layer
stats.app_layer.error
stats.app_layer.error.dcerpc_tcp
stats.app_layer.error.dcerpc_tcp.alloc
stats.app_layer.error.dcerpc_tcp.gap
stats.app_layer.error.dcerpc_tcp.internal
stats.app_layer.error.dcerpc_tcp.parser
stats.app_layer.error.dcerpc_udp
stats.app_layer.error.dcerpc_udp.alloc
stats.app_layer.error.dcerpc_udp.internal
stats.app_layer.error.dcerpc_udp.parser
stats.app_layer.error.dhcp
stats.app_layer.error.dhcp.alloc
stats.app_layer.error.dhcp.gap
stats.app_layer.error.dhcp.internal
stats.app_layer.error.dhcp.parser
stats.app_layer.error.dnp3
stats.app_layer.error.dnp3.alloc
stats.app_layer.error.dnp3.gap
stats.app_layer.error.dnp3.internal
stats.app_layer.error.dnp3.parser
stats.app_layer.error.dns_tcp
stats.app_layer.error.dns_tcp.alloc
stats.app_layer.error.dns_tcp.gap
stats.app_layer.error.dns_tcp.internal
stats.app_layer.error.dns_tcp.parser
stats.app_layer.error.dns_udp
stats.app_layer.error.dns_udp.alloc
stats.app_layer.error.dns_udp.internal
stats.app_layer.error.dns_udp.parser
stats.app_layer.error.failed_tcp
stats.app_layer.error.failed_tcp.gap
stats.app_layer.error.ftp
stats.app_layer.error.ftp.alloc
stats.app_layer.error.ftp.data
stats.app_layer.error.ftp.data.alloc
stats.app_layer.error.ftp.data.gap
stats.app_layer.error.ftp.data.internal
stats.app_layer.error.ftp.data.parser
stats.app_layer.error.ftp.gap
stats.app_layer.error.ftp.internal
stats.app_layer.error.ftp.parser
stats.app_layer.error.http
stats.app_layer.error.http2
stats.app_layer.error.http2.alloc
stats.app_layer.error.http2.gap
stats.app_layer.error.http2.internal
stats.app_layer.error.http2.parser
stats.app_layer.error.http.alloc
stats.app_layer.error.http.gap
stats.app_layer.error.http.internal
stats.app_layer.error.http.parser
stats.app_layer.error.ike
stats.app_layer.error.ike.alloc
stats.app_layer.error.ike.gap
stats.app_layer.error.ike.internal
stats.app_layer.error.ike.parser
stats.app_layer.error.imap
stats.app_layer.error.imap.alloc
stats.app_layer.error.imap.gap
stats.app_layer.error.imap.internal
stats.app_layer.error.imap.parser
stats.app_layer.error.krb5_tcp
stats.app_layer.error.krb5_tcp.alloc
stats.app_layer.error.krb5_tcp.gap
stats.app_layer.error.krb5_tcp.internal
stats.app_layer.error.krb5_tcp.parser
stats.app_layer.error.krb5_udp
stats.app_layer.error.krb5_udp.alloc
stats.app_layer.error.krb5_udp.internal
stats.app_layer.error.krb5_udp.parser
stats.app_layer.error.mqtt
stats.app_layer.error.mqtt.alloc
stats.app_layer.error.mqtt.gap
stats.app_layer.error.mqtt.internal
stats.app_layer.error.mqtt.parser
stats.app_layer.error.nfs_tcp
stats.app_layer.error.nfs_tcp.alloc
stats.app_layer.error.nfs_tcp.gap
stats.app_layer.error.nfs_tcp.internal
stats.app_layer.error.nfs_tcp.parser
stats.app_layer.error.nfs_udp
stats.app_layer.error.nfs_udp.alloc
stats.app_layer.error.nfs_udp.internal
stats.app_layer.error.nfs_udp.parser
stats.app_layer.error.ntp
stats.app_layer.error.ntp.alloc
stats.app_layer.error.ntp.gap
stats.app_layer.error.ntp.internal
stats.app_layer.error.ntp.parser
stats.app_layer.error.pgsql
stats.app_layer.error.pgsql.alloc
stats.app_layer.error.pgsql.gap
stats.app_layer.error.pgsql.internal
stats.app_layer.error.pgsql.parser
stats.app_layer.error.quic
stats.app_layer.error.quic.alloc
stats.app_layer.error.quic.gap
stats.app_layer.error.quic.internal
stats.app_layer.error.quic.parser
stats.app_layer.error.rdp
stats.app_layer.error.rdp.alloc
stats.app_layer.error.rdp.gap
stats.app_layer.error.rdp.internal
stats.app_layer.error.rdp.parser
stats.app_layer.error.rfb
stats.app_layer.error.rfb.alloc
stats.app_layer.error.rfb.gap
stats.app_layer.error.rfb.internal
stats.app_layer.error.rfb.parser
stats.app_layer.error.sip
stats.app_layer.error.sip.alloc
stats.app_layer.error.sip.gap
stats.app_layer.error.sip.internal
stats.app_layer.error.sip.parser
stats.app_layer.error.smb
stats.app_layer.error.smb.alloc
stats.app_layer.error.smb.gap
stats.app_layer.error.smb.internal
stats.app_layer.error.smb.parser
stats.app_layer.error.smtp
stats.app_layer.error.smtp.alloc
stats.app_layer.error.smtp.gap
stats.app_layer.error.smtp.internal
stats.app_layer.error.smtp.parser
stats.app_layer.error.snmp
stats.app_layer.error.snmp.alloc
stats.app_layer.error.snmp.gap
stats.app_layer.error.snmp.internal
stats.app_layer.error.snmp.parser
stats.app_layer.error.ssh
stats.app_layer.error.ssh.alloc
stats.app_layer.error.ssh.gap
stats.app_layer.error.ssh.internal
stats.app_layer.error.ssh.parser
stats.app_layer.error.telnet
stats.app_layer.error.telnet.alloc
stats.app_layer.error.telnet.gap
stats.app_layer.error.telnet.internal
stats.app_layer.error.telnet.parser
stats.app_layer.error.tftp
stats.app_layer.error.tftp.alloc
stats.app_layer.error.tftp.gap
stats.app_layer.error.tftp.internal
stats.app_layer.error.tftp.parser
stats.app_layer.error.tls
stats.app_layer.error.tls.alloc
stats.app_layer.error.tls.gap
stats.app_layer.error.tls.internal
stats.app_layer.error.tls.parser
stats.app_layer.expectations
stats.app_layer.flow
stats.app_layer.flow.dcerpc_tcp
stats.app_layer.flow.dcerpc_udp
stats.app_layer.flow.dhcp
stats.app_layer.flow.dnp3
stats.app_layer.flow.dns_tcp
stats.app_layer.flow.dns_udp
stats.app_layer.flow.failed_tcp
stats.app_layer.flow.failed_udp
stats.app_layer.flow.ftp
stats.app_layer.flow.ftp.data
stats.app_layer.flow.http
stats.app_layer.flow.http2
stats.app_layer.flow.ike
stats.app_layer.flow.imap
stats.app_layer.flow.krb5_tcp
stats.app_layer.flow.krb5_udp
stats.app_layer.flow.mqtt
stats.app_layer.flow.nfs_tcp
stats.app_layer.flow.nfs_udp
stats.app_layer.flow.ntp
stats.app_layer.flow.pgsql
stats.app_layer.flow.quic
stats.app_layer.flow.rdp
stats.app_layer.flow.rfb
stats.app_layer.flow.sip
stats.app_layer.flow.smb
stats.app_layer.flow.smtp
stats.app_layer.flow.snmp
stats.app_layer.flow.ssh
stats.app_layer.flow.telnet
stats.app_layer.flow.tftp
stats.app_layer.flow.tls
stats.app_layer.tx
stats.app_layer.tx.dcerpc_tcp
stats.app_layer.tx.dcerpc_udp
stats.app_layer.tx.dhcp
stats.app_layer.tx.dnp3
stats.app_layer.tx.dns_tcp
stats.app_layer.tx.dns_udp
stats.app_layer.tx.ftp
stats.app_layer.tx.ftp.data
stats.app_layer.tx.http
stats.app_layer.tx.http2
stats.app_layer.tx.ike
stats.app_layer.tx.imap
stats.app_layer.tx.krb5_tcp
stats.app_layer.tx.krb5_udp
stats.app_layer.tx.mqtt
stats.app_layer.tx.nfs_tcp
stats.app_layer.tx.nfs_udp
stats.app_layer.tx.ntp
stats.app_layer.tx.pgsql
stats.app_layer.tx.quic
stats.app_layer.tx.rdp
stats.app_layer.tx.rfb
stats.app_layer.tx.sip
stats.app_layer.tx.smb
stats.app_layer.tx.smtp
stats.app_layer.tx.snmp
stats.app_layer.tx.ssh
stats.app_layer.tx.telnet
stats.app_layer.tx.tftp
stats.app_layer.tx.tls
stats.decoder
stats.decoder.avg_pkt_size
stats.decoder.bytes
stats.decoder.chdlc
stats.decoder.erspan
stats.decoder.esp
stats.decoder.ethernet
stats.decoder.event
stats.decoder.event.chdlc
stats.decoder.event.chdlc.pkt_too_small
stats.decoder.event.dce
stats.decoder.event.dce.pkt_too_small
stats.decoder.event.erspan
stats.decoder.event.erspan.header_too_small
stats.decoder.event.erspan.too_many_vlan_layers
stats.decoder.event.erspan.unsupported_version
stats.decoder.event.esp
stats.decoder.event.esp.pkt_too_small
stats.decoder.event.ethernet
stats.decoder.event.ethernet.pkt_too_small
stats.decoder.event.geneve
stats.decoder.event.geneve.unknown_payload_type
stats.decoder.event.gre
stats.decoder.event.gre.pkt_too_small
stats.decoder.event.gre.version0_flags
stats.decoder.event.gre.version0_hdr_too_big
stats.decoder.event.gre.version0_malformed_sre_hdr
stats.decoder.event.gre.version0_recur
stats.decoder.event.gre.version1_chksum
stats.decoder.event.gre.version1_flags
stats.decoder.event.gre.version1_hdr_too_big
stats.decoder.event.gre.version1_malformed_sre_hdr
stats.decoder.event.gre.version1_no_key
stats.decoder.event.gre.version1_recur
stats.decoder.event.gre.version1_route
stats.decoder.event.gre.version1_ssr
stats.decoder.event.gre.version1_wrong_protocol
stats.decoder.event.gre.wrong_version
stats.decoder.event.icmpv4
stats.decoder.event.icmpv4.ipv4_trunc_pkt
stats.decoder.event.icmpv4.ipv4_unknown_ver
stats.decoder.event.icmpv4.pkt_too_small
stats.decoder.event.icmpv4.unknown_code
stats.decoder.event.icmpv4.unknown_type
stats.decoder.event.icmpv6
stats.decoder.event.icmpv6.experimentation_type
stats.decoder.event.icmpv6.ipv6_trunc_pkt
stats.decoder.event.icmpv6.ipv6_unknown_version
stats.decoder.event.icmpv6.mld_message_with_invalid_hl
stats.decoder.event.icmpv6.pkt_too_small
stats.decoder.event.icmpv6.unassigned_type
stats.decoder.event.icmpv6.unknown_code
stats.decoder.event.icmpv6.unknown_type
stats.decoder.event.ieee8021ah
stats.decoder.event.ieee8021ah.header_too_small
stats.decoder.event.ipraw
stats.decoder.event.ipraw.invalid_ip_version
stats.decoder.event.ipv4
stats.decoder.event.ipv4.frag_ignored
stats.decoder.event.ipv4.frag_overlap
stats.decoder.event.ipv4.frag_pkt_too_large
stats.decoder.event.ipv4.hlen_too_small
stats.decoder.event.ipv4.icmpv6
stats.decoder.event.ipv4.iplen_smaller_than_hlen
stats.decoder.event.ipv4.opt_duplicate
stats.decoder.event.ipv4.opt_eol_required
stats.decoder.event.ipv4.opt_invalid
stats.decoder.event.ipv4.opt_invalid_len
stats.decoder.event.ipv4.opt_malformed
stats.decoder.event.ipv4.opt_pad_required
stats.decoder.event.ipv4.opt_unknown
stats.decoder.event.ipv4.pkt_too_small
stats.decoder.event.ipv4.trunc_pkt
stats.decoder.event.ipv4.wrong_ip_version
stats.decoder.event.ipv6
stats.decoder.event.ipv6.data_after_none_header
stats.decoder.event.ipv6.dstopts_only_padding
stats.decoder.event.ipv6.dstopts_unknown_opt
stats.decoder.event.ipv6.exthdr_ah_res_not_null
stats.decoder.event.ipv6.exthdr_dupl_ah
stats.decoder.event.ipv6.exthdr_dupl_dh
stats.decoder.event.ipv6.exthdr_dupl_eh
stats.decoder.event.ipv6.exthdr_dupl_fh
stats.decoder.event.ipv6.exthdr_dupl_hh
stats.decoder.event.ipv6.exthdr_dupl_rh
stats.decoder.event.ipv6.exthdr_invalid_optlen
stats.decoder.event.ipv6.exthdr_useless_fh
stats.decoder.event.ipv6.fh_non_zero_reserved_field
stats.decoder.event.ipv6.frag_ignored
stats.decoder.event.ipv6.frag_invalid_length
stats.decoder.event.ipv6.frag_overlap
stats.decoder.event.ipv6.frag_pkt_too_large
stats.decoder.event.ipv6.hopopts_only_padding
stats.decoder.event.ipv6.hopopts_unknown_opt
stats.decoder.event.ipv6.icmpv4
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version
stats.decoder.event.ipv6.pkt_too_small
stats.decoder.event.ipv6.rh_type_0
stats.decoder.event.ipv6.trunc_exthdr
stats.decoder.event.ipv6.trunc_pkt
stats.decoder.event.ipv6.unknown_next_header
stats.decoder.event.ipv6.wrong_ip_version
stats.decoder.event.ipv6.zero_len_padn
stats.decoder.event.ltnull
stats.decoder.event.ltnull.pkt_too_small
stats.decoder.event.ltnull.unsupported_type
stats.decoder.event.mpls
stats.decoder.event.mpls.bad_label_implicit_null
stats.decoder.event.mpls.bad_label_reserved
stats.decoder.event.mpls.bad_label_router_alert
stats.decoder.event.mpls.header_too_small
stats.decoder.event.mpls.pkt_too_small
stats.decoder.event.mpls.unknown_payload_type
stats.decoder.event.nsh
stats.decoder.event.nsh.bad_header_length
stats.decoder.event.nsh.header_too_small
stats.decoder.event.nsh.reserved_type
stats.decoder.event.nsh.unknown_payload
stats.decoder.event.nsh.unsupported_type
stats.decoder.event.nsh.unsupported_version
stats.decoder.event.ppp
stats.decoder.event.ppp.ip4_pkt_too_small
stats.decoder.event.ppp.ip6_pkt_too_small
stats.decoder.event.pppoe
stats.decoder.event.pppoe.malformed_tags
stats.decoder.event.pppoe.pkt_too_small
stats.decoder.event.pppoe.wrong_code
stats.decoder.event.ppp.pkt_too_small
stats.decoder.event.ppp.unsup_proto
stats.decoder.event.ppp.vju_pkt_too_small
stats.decoder.event.ppp.wrong_type
stats.decoder.event.sctp
stats.decoder.event.sctp.pkt_too_small
stats.decoder.event.sll
stats.decoder.event.sll.pkt_too_small
stats.decoder.event.tcp
stats.decoder.event.tcp.hlen_too_small
stats.decoder.event.tcp.invalid_optlen
stats.decoder.event.tcp.opt_duplicate
stats.decoder.event.tcp.opt_invalid_len
stats.decoder.event.tcp.pkt_too_small
stats.decoder.event.udp
stats.decoder.event.udp.hlen_invalid
stats.decoder.event.udp.hlen_too_small
stats.decoder.event.udp.pkt_too_small
stats.decoder.event.vlan
stats.decoder.event.vlan.header_too_small
stats.decoder.event.vlan.too_many_layers
stats.decoder.event.vlan.unknown_type
stats.decoder.event.vntag
stats.decoder.event.vntag.header_too_small
stats.decoder.event.vntag.unknown_type
stats.decoder.event.vxlan
stats.decoder.event.vxlan.unknown_payload_type
stats.decoder.geneve
stats.decoder.gre
stats.decoder.icmpv4
stats.decoder.icmpv6
stats.decoder.ieee8021ah
stats.decoder.invalid
stats.decoder.ipv4
stats.decoder.ipv4_in_ipv6
stats.decoder.ipv6
stats.decoder.ipv6_in_ipv6
stats.decoder.max_mac_addrs_dst
stats.decoder.max_mac_addrs_src
stats.decoder.max_pkt_size
stats.decoder.mpls
stats.decoder.nsh
stats.decoder.null
stats.decoder.pkts
stats.decoder.ppp
stats.decoder.pppoe
stats.decoder.raw
stats.decoder.sctp
stats.decoder.sll
stats.decoder.tcp
stats.decoder.teredo
stats.decoder.too_many_layers
stats.decoder.udp
stats.decoder.vlan
stats.decoder.vlan_qinq
stats.decoder.vntag
stats.decoder.vxlan
stats.defrag
stats.defrag.ipv4
stats.defrag.ipv4.fragments
stats.defrag.ipv4.reassembled
stats.defrag.ipv4.timeouts
stats.defrag.ipv6
stats.defrag.ipv6.fragments
stats.defrag.ipv6.reassembled
stats.defrag.ipv6.timeouts
stats.defrag.max_frag_hits
stats.detect
stats.detect.alert
stats.detect.alert_queue_overflow
stats.detect.alerts_suppressed
stats.detect.engines
stats.detect.engines.id
stats.detect.engines.last_reload
stats.detect.engines.rules_failed
stats.detect.engines.rules_loaded
stats.detect.fnonmpm_list
stats.detect.match_list
stats.detect.mpm_list
stats.detect.nonmpm_list
stats.file_store
stats.file_store.fs_errors
stats.file_store.open_files
stats.file_store.open_files_max_hit
stats.flow
stats.flow.active
stats.flow_bypassed
stats.flow_bypassed.bytes
stats.flow_bypassed.closed
stats.flow_bypassed.local_bytes
stats.flow_bypassed.local_capture_bytes
stats.flow_bypassed.local_capture_pkts
stats.flow_bypassed.local_pkts
stats.flow_bypassed.pkts
stats.flow.emerg_mode_entered
stats.flow.emerg_mode_over
stats.flow.end
stats.flow.end.state
stats.flow.end.state.closed
stats.flow.end.state.established
stats.flow.end.state.local_bypassed
stats.flow.end.state.new
stats.flow.end.tcp_liberal
stats.flow.end.tcp_state
stats.flow.end.tcp_state.closed
stats.flow.end.tcp_state.close_wait
stats.flow.end.tcp_state.closing
stats.flow.end.tcp_state.established
stats.flow.end.tcp_state.fin_wait1
stats.flow.end.tcp_state.fin_wait2
stats.flow.end.tcp_state.last_ack
stats.flow.end.tcp_state.none
stats.flow.end.tcp_state.syn_recv
stats.flow.end.tcp_state.syn_sent
stats.flow.end.tcp_state.time_wait
stats.flow.get_used
stats.flow.get_used_eval
stats.flow.get_used_eval_busy
stats.flow.get_used_eval_reject
stats.flow.get_used_failed
stats.flow.icmpv4
stats.flow.icmpv6
stats.flow.memcap
stats.flow.memuse
stats.flow.mgr
stats.flow.mgr.bypassed_pruned
stats.flow.mgr.closed_pruned
stats.flow.mgr.est_pruned
stats.flow.mgr.flows_checked
stats.flow.mgr.flows_evicted
stats.flow.mgr.flows_evicted_needs_work
stats.flow.mgr.flows_notimeout
stats.flow.mgr.flows_timeout
stats.flow.mgr.flows_timeout_inuse
stats.flow.mgr.full_hash_pass
stats.flow.mgr.new_pruned
stats.flow.mgr.rows_maxlen
stats.flow.mgr.rows_per_sec
stats.flow.recycler
stats.flow.recycler.queue_avg
stats.flow.recycler.queue_max
stats.flow.recycler.recycled
stats.flow.spare
stats.flow.tcp
stats.flow.tcp_reuse
stats.flow.total
stats.flow.udp
stats.flow.wrk
stats.flow.wrk.flows_evicted
stats.flow.wrk.flows_evicted_needs_work
stats.flow.wrk.flows_evicted_pkt_inject
stats.flow.wrk.flows_injected
stats.flow.wrk.spare_sync
stats.flow.wrk.spare_sync_avg
stats.flow.wrk.spare_sync_empty
stats.flow.wrk.spare_sync_incomplete
stats.ftp
stats.ftp.memcap
stats.ftp.memuse
stats.http
stats.http.memcap
stats.http.memuse
stats.tcp
stats.tcp.active_sessions
stats.tcp.insert_data_normal_fail
stats.tcp.insert_data_overlap_fail
stats.tcp.invalid_checksum
stats.tcp.memuse
stats.tcp.midstream_pickups
stats.tcp.no_flow
stats.tcp.overlap
stats.tcp.overlap_diff_data
stats.tcp.pkt_on_wrong_thread
stats.tcp.pseudo
stats.tcp.pseudo_failed
stats.tcp.reassembly_gap
stats.tcp.reassembly_memuse
stats.tcp.rst
stats.tcp.segment_memcap_drop
stats.tcp.sessions
stats.tcp.ssn_memcap_drop
stats.tcp.stream_depth_reached
stats.tcp.syn
stats.tcp.synack
stats.uptime
SSH¶
Download an example log of the SSH protocol event
Fields:
ssh.client.hassh
ssh.client.hassh.hash
ssh.client.hassh.string
ssh.client.hassh.string
ssh.client.proto_version
ssh.client.software_version
ssh.client.software_version
ssh.server.hassh
ssh.server.hassh.hash
ssh.server.hassh.string
ssh.server.proto_version
ssh.server.software_version
ssh.server.software_version
TLS¶
Download an example log of the TLS protocol event
Fields:
tls.alpn_ts
tls.alpn_tc
tls.cipher_suite
tls.cipher_security
tls.fingerprint
tls.from_proto
tls.issuerdn
tls.ja3
tls.ja3.hash
tls.ja3s
tls.ja3s.hash
tls.ja3s.string
tls.ja3.string
tls.ja4
tls.ja4.hash
tls.notafter
tls.notbefore
tls.serial
tls.session_resumed
tls.sni
tls.subject
tls.version
hostname_info.domain
hostname_info.domain_without_tld
hostname_info.host
hostname_info.url
net_info.dest
net_info.dest_agg
net_info.src
net_info.src_agg