Difference between revisions of "Event Record Fields"
Revision as of 15:33, 22 November 2018
Field Descriptions
Record Field | Type | Description
id | |
customerid | integer | The traffic group source identifier
device | numeric(39,0) | The numeric IPv6 address of the device sending us the flow/syslog records
firstseen | bigint | Millisecond timestamp of when this flow started
eventtype | |
eventsrctype | |
eventsrc | |
message | |
datatype | |
data | |
datasource | |
confidence | |
severity | |
category | |
target | |
country_src | |
division_src | |
latit_src | |
longd_src | |
country_dst | |
division_dst | |
latit_dst | |
longd_dst | |
Sample Records
Typical records from an Event table with obfuscated IP addresses and locations:
postureBlackListSrc (-11)
805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" "https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" "CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"
Record Field | Value
id | 805729
customerid | 0
device | "-1407899398"
firstseen | "1541583542242"
eventtype | "1541583542242"
eventsrctype | -11
eventsrc | 8
message | "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159"
datatype | 1
data | {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}"
datasource | "https://lists.blocklist.de/lists/strongips.txt"
confidence | 75
severity | 80
category | "Botnet Strong"
target | "xxx.xxx.166.159"
country_src | "CN"
division_src | "Gansu"
latit_src | "0.00000000000"
longd_src | "0.00000000000"
country_dst | "IE"
division_dst | "County Sligo"
latit_dst | "0.00000000000"
longd_dst | "0.00000000000"
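As an added example (not code from this wiki page), a Python parser for a dumped record in the layout above: it maps the space-separated columns onto the field names, decodes the nested data JSON and the millisecond firstseen, and cross-checks the top-level columns against the data payload. Decoding the sample's negative device value as a signed 32-bit IPv4 integer is an assumption of this example, since the field table describes device as a numeric IPv6 value.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Column order, taken from the Field Descriptions table on this page.
FIELDS = ["id", "customerid", "device", "firstseen", "eventtype", "eventsrctype",
          "eventsrc", "message", "datatype", "data", "datasource", "confidence",
          "severity", "category", "target", "country_src", "division_src",
          "latit_src", "longd_src", "country_dst", "division_dst", "latit_dst", "longd_dst"]

# The page's sample record, embedded as constructed test input (data JSON abridged;
# the stray '"' after its closing brace is kept exactly as it appears on the page).
SAMPLE = ('805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" '
          '"Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 '
          '{"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt",'
          '"device":"xxx.xxx.40.250","dstadd":"xx.xxx.166.159","dstport":22,"proto":6,'
          '"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"user":""}" '
          '"https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" '
          '"CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"')

# A column is a quoted value (may contain spaces), the single bare JSON object of the
# data column (greedy to its last brace, trailing stray quote swallowed), or a bare number.
TOKEN = re.compile(r'"([^"]*)"|(\{.*\})"?|(\S+)')

def tokenize(line):
    return [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(line)]

def parse_record(line):
    rec = dict(zip(FIELDS, tokenize(line)))
    rec["data"] = json.loads(rec["data"])
    ms = int(rec["firstseen"])  # millisecond epoch, per the field table
    rec["firstseen_utc"] = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)
    # Assumption (not stated on the page): the sample's negative device value is a signed
    # 32-bit IPv4 integer, so mask to 32 bits before decoding it to dotted form.
    rec["device_ip"] = str(ipaddress.ip_address(int(rec["device"]) & 0xFFFFFFFF))
    return rec

def cross_check(rec):
    # Consistency checks between the top-level columns and the nested data JSON;
    # only the unobfuscated last two octets of the device address can be compared.
    d = rec["data"]
    return {
        "eventsrc_is_srcadd": rec["eventsrc"] == d["srcadd"],
        "datasource_is_blacklist": rec["datasource"] == d["Black List"],
        "device_octets_match": rec["device_ip"].split(".")[-2:] == d["device"].split(".")[-2:],
        "firstseen_not_after_time": int(rec["firstseen"]) <= d["time"],
    }
```

Run against the page's sample, the parser yields 23 columns, a firstseen of 2018-11-07 09:39:02.242 UTC, and a decoded device whose last two octets match the obfuscated data.device, which is a cheap sanity check to run before trusting a record in a detection pipeline.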