mail.proofpoint.pod

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| connection__ip | ip4 | |
| connection__country | str | |
| connection__resolveStatus | str | |
| connection__helo | str | |
| connection__sid | str | |
| connection__protocol | str | |
| connection__host | str | |
| connection__tls__inbound__cipherBits | int4 | |
| connection__tls__inbound__version | str | |
| connection__tls__inbound__cipher | str | |
| metadata__origin__data__agent | str | |
| metadata__origin__data__version | str | |
| metadata__origin__data__cid | str | |
| ts | str | |
| msgParts | str | |
| filter__qid | str | |
| filter__actions | str | |
| filter__durationSecs | float8 | |
| filter__suborgs__sender | str | |
| filter__suborgs__rcpts | str | |
| filter__startTime | str | |
| filter__isMsgReinjected | bool | |
| filter__modules__pdr__v2__rscore | int4 | |
| filter__modules__pdr__v2__response | str | |
| filter__modules__urldefense__counts__unique | int4 | |
| filter__modules__urldefense__counts__rewritten | int4 | |
| filter__modules__urldefense__counts__total | int4 | |
| filter__modules__urldefense__counts__noRewriteIsExcludedDomain | int4 | |
| filter__modules__urldefense__counts__noRewriteIsEmail | int4 | |
| filter__modules__urldefense__counts__noRewriteIsSchemeless | int4 | |
| filter__modules__urldefense__counts__noRewriteIsUnsupportedScheme | int4 | |
| filter__modules__urldefense__version__engine | str | |
| filter__modules__spf__domain | str | |
| filter__modules__spf__result | str | |
| filter__modules__zerohour__score | str | |
| filter__modules__spam__charsets | str | |
| filter__modules__spam__langs | str | |
| filter__modules__spam__version__definitions | str | |
| filter__modules__spam__version__engine | str | |
| filter__modules__spam__scores__engine | int4 | |
| filter__modules__spam__scores__classifiers__mlx | int4 | |
| filter__modules__spam__scores__classifiers__suspect | int4 | |
| filter__modules__spam__scores__classifiers__lowpriority | int4 | |
| filter__modules__spam__scores__classifiers__adult | int4 | |
| filter__modules__spam__scores__classifiers__mlxlog | int4 | |
| filter__modules__spam__scores__classifiers__spam | int4 | |
| filter__modules__spam__scores__classifiers__malware | int4 | |
| filter__modules__spam__scores__classifiers__impostor | int4 | |
| filter__modules__spam__scores__classifiers__phish | int4 | |
| filter__modules__spam__scores__classifiers__bulk | int4 | |
| filter__modules__spam__scores__classifiers__adjust | int4 | |
| filter__modules__spam__scores__classifiers__ndr | int4 | |
| filter__modules__spam__scores__overall | int4 | |
| filter__modules__spam__triggeredClassifier | str | |
| filter__modules__spam__safeBlockedListMatches | str | |
| filter__modules__regulation__rules | str | |
| filter__modules__regulation__matches | str | |
| filter__quarantine__folder | str | |
| filter__quarantine__rule | str | |
| filter__isMsgEncrypted | bool | |
| filter__disposition | str | |
| filter__routes | str | |
| filter__routeDirection | str | |
| filter__verified__rcptsHashed | str | |
| filter__verified__rcpts | str | |
| filter__msgSizeBytes | int8 | |
| filter__origGuid | str | |
| pps__agent | str | |
| pps__version | str | |
| pps__cid | str | |
| envelope__from2 | str | |
| envelope__rcptsHashed | str | |
| envelope__fromHashed | str | |
| envelope__rcpts | str | |
| msg__parsedAddresses__fromHashed | str | |
| msg__parsedAddresses__toHashed | str | |
| msg__parsedAddresses__to | str | |
| msg__parsedAddresses__from2 | str | |
| msg__parsedAddresses__ccHashed | str | |
| msg__parsedAddresses__cc | str | |
| msg__lang | str | |
| msg__normalizedHeader__fromHashed | str | |
| msg__normalizedHeader__reply_to | str | |
| msg__normalizedHeader__message_id | str | |
| msg__normalizedHeader__from2 | str | |
| msg__normalizedHeader__toHashed | str | |
| msg__normalizedHeader__to | str | |
| msg__normalizedHeader__reply_toHashed | str | |
| msg__normalizedHeader__subject | str | |
| msg__normalizedHeader__x_originating_ip | str | |
| msg__normalizedHeader__x_mailer | str | |
| msg__normalizedHeader__return_path | str | |
| msg__normalizedHeader__return_pathHashed | str | |
| msg__normalizedHeader__ccHashed | str | |
| msg__normalizedHeader__cc | str | |
| msg__sizeBytes | int8 | |
| msg__header__fromHashed | str | |
| msg__header__reply_to | str | |
| msg__header__message_id | str | |
| msg__header__from2 | str | |
| msg__header__toHashed | str | |
| msg__header__to | str | |
| msg__header__reply_toHashed | str | |
| msg__header__subject | str | |
| msg__header__x_originating_ip | str | |
| msg__header__x_mailer | str | |
| msg__header__return_pathHashed | str | |
| msg__header__return_path | str | |
| guid | str | |
| userId | str | |
| userName | str | |
| url | str | |
| date | timestamp | |
| region | str | |
| zone | str | |
| disposition | str | |
| categories_str | str | |
| data | str | |
| tls__verify | str | |
| tls__version | str | |
| tls__cipher | str | |
| id | str | |
| sm__mailer | str | |
| sm__stat | str | |
| sm__pri | str | |
| sm__to_str | str | |
| sm__xdelay | str | |
| sm__relay | str | |
| sm__qid | str | |
| sm__dsn | str | |
| sm__delay | str | |
| metadata__customerId | str | |
| metadata__origin__schemaVersion | str | |
| msgParts__sizeDecodedBytes_str | str | |
| msgParts__isVirtual_str | str | |
| msgParts__detectedExt_str | str | |
| msgParts__labeledCharset_str | str | |
| msgParts__structureId_str | str | |
| msgParts__detectedSizeBytes_str | str | |
| msgParts__labeledMime_str | str | |
| msgParts__detectedCharset_str | str | |
| msgParts__isCorrupted_str | str | |
| msgParts__sha256_str | str | |
| msgParts__isProtected_str | str | |
| msgParts__md5_str | str | |
| msgParts__urls_str | str | |
| msgParts__detectedName_str | str | |
| msgParts__isDeleted_str | str | |
| msgParts__isTimedOut_str | str | |
| msgParts__dataBase64_str | str | |
| msgParts__detectedMime_str | str | |
| msgParts__disposition_str | str | |
| msgParts__isArchive_str | str | |
| msgParts__labeledExt_str | str | |
| msgParts__sandboxStatus_str | str | |
| msgParts__labeledName_str | str | |
| msgParts__textExtracted_str | str | |
| msg__normalizedHeader__message_id_str | str | |
| msg__normalizedHeader__subject_str | str | |
| msg__normalizedHeader__to_str | str | |
| msg__normalizedHeader__from_str | str | |
| msg__parsedAddresses__fromDisplayNames_str | str | |
| msg__parsedAddresses__to_str | str | |
| msg__parsedAddresses__from_str | str | |
| msg__header__subject_str | str | |
| msg__header__message_id_str | str | |
| msg__header__from_str | str | |
| msg__header__to_str | str | |
| msg__sizeBytes_int4 | int4 | |
| envelope__from | str | |
| envelope__rcpts_str | str | |
| filter__delivered__rcpts_str | str | |
| filter__suborgs__rcpts_str | str | |
| filter__modules__spam__charsets_str | str | |
| filter__modules__spam__langs_str | str | |
| filter__actions__rule_str | str | |
| filter__actions__action_str | str | |
| filter__actions__module_str | str | |
| filter__actions__isFinal_str | str | |
| filter__verified__rcpts_str | str | |
| filter__msgSizeBytes_int4 | int4 | |
| filter__routes_str | str | |
| filter__quarantine__type | str | |
| filter__quarantine__module | str | |
| filter__quarantine__folderId | str | |
| metadata__origin__data__version_ip4 | ip4 | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
mail.proofpoint.pod.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| connection__ip | ip4 | | | |
| connection__country | str | | | |
| connection__resolveStatus | str | | | |
| connection__helo | str | | | |
| connection__sid | str | | | |
| connection__protocol | str | | | |
| connection__host | str | | | |
| connection__tls__inbound__cipherBits | int4 | | | |
| connection__tls__inbound__version | str | | | |
| connection__tls__inbound__cipher | str | | | |
| metadata__origin__data__agent | str | | | |
| metadata__origin__data__version | str | | | |
| metadata__origin__data__cid | str | | | |
| ts | str | | | |
| msgParts | str | | | |
| msgParts__isProtected_str | str | `replace(replace(stringify(json(msgParts__isProtected)), '[', ''), ']', '')` | msgParts__isProtected | |
| msgParts__isTimedOut_str | str | `replace(replace(stringify(json(msgParts__isTimedOut)), '[', ''), ']', '')` | msgParts__isTimedOut | |
| msgParts__dataBase64_str | str | `join(msgParts__dataBase64, ',')` | msgParts__dataBase64 | |
| msgParts__metadata__generator_str | str | `join(msgParts__metadata__generator, ',')` | msgParts__metadata__generator | |
| msgParts__metadata__scalecrop_str | str | `replace(replace(stringify(json(msgParts__metadata__scalecrop)), '[', ''), ']', '')` | msgParts__metadata__scalecrop | |
| msgParts__metadata__shareddoc_str | str | `replace(replace(stringify(json(msgParts__metadata__shareddoc)), '[', ''), ']', '')` | msgParts__metadata__shareddoc | |
| msgParts__metadata__author_str | str | `join(msgParts__metadata__author, ',')` | msgParts__metadata__author | |
| msgParts__metadata__linksdirty_str | str | `replace(replace(stringify(json(msgParts__metadata__linksdirty)), '[', ''), ']', '')` | msgParts__metadata__linksdirty | |
| msgParts__metadata__codepage_str | str | `replace(replace(stringify(json(msgParts__metadata__codepage)), '[', ''), ']', '')` | msgParts__metadata__codepage | |
| msgParts__metadata__lastauthor_str | str | `join(msgParts__metadata__lastauthor, ',')` | msgParts__metadata__lastauthor | |
| msgParts__metadata__security_str | str | `replace(replace(stringify(json(msgParts__metadata__security)), '[', ''), ']', '')` | msgParts__metadata__security | |
| msgParts__metadata__hyperlinkschanged_str | str | `replace(replace(stringify(json(msgParts__metadata__hyperlinkschanged)), '[', ''), ']', '')` | msgParts__metadata__hyperlinkschanged | |
| msgParts__metadata__appname_str | str | `join(msgParts__metadata__appname, ',')` | msgParts__metadata__appname | |
| msgParts__metadata__headingpairs_str | str | `join(msgParts__metadata__headingpairs, ',')` | msgParts__metadata__headingpairs | |
| msgParts__metadata__titlesofparts_str | str | `join(msgParts__metadata__titlesofparts, ',')` | msgParts__metadata__titlesofparts | |
| msgParts__metadata__appversion_str | str | `join(msgParts__metadata__appversion, ',')` | msgParts__metadata__appversion | |
| msgParts__labeledExt_str | str | `join(msgParts__labeledExt, ',')` | msgParts__labeledExt | |
| msgParts__labeledCharset_str | str | `join(msgParts__labeledCharset, ',')` | msgParts__labeledCharset | |
| msgParts__labeledName_str | str | `join(msgParts__labeledName, ',')` | msgParts__labeledName | |
| msgParts__isVirtual_str | str | `replace(replace(stringify(json(msgParts__isVirtual)), '[', ''), ']', '')` | msgParts__isVirtual | |
| msgParts__detectedExt_str | str | `join(msgParts__detectedExt, ',')` | msgParts__detectedExt | |
| msgParts__md5_str | str | `join(msgParts__md5, ',')` | msgParts__md5 | |
| msgParts__detectedCharset_str | str | `join(msgParts__detectedCharset, ',')` | msgParts__detectedCharset | |
| msgParts__labeledMime_str | str | `join(msgParts__labeledMime, ',')` | msgParts__labeledMime | |
| msgParts__textExtracted_str | str | `join(msgParts__textExtracted, ',')` | msgParts__textExtracted | |
| msgParts__isDeleted_str | str | `replace(replace(stringify(json(msgParts__isDeleted)), '[', ''), ']', '')` | msgParts__isDeleted | |
| msgParts__urls_str | str | `join(msgParts__urls, ',')` | msgParts__urls | |
| msgParts__detectedSizeBytes_str | str | `replace(replace(stringify(json(msgParts__detectedSizeBytes)), '[', ''), ']', '')` | msgParts__detectedSizeBytes | |
| msgParts__structureId_str | str | `join(msgParts__structureId, ',')` | msgParts__structureId | |
| msgParts__sizeDecodedBytes_str | str | `replace(replace(stringify(json(msgParts__sizeDecodedBytes)), '[', ''), ']', '')` | msgParts__sizeDecodedBytes | |
| msgParts__disposition_str | str | `join(msgParts__disposition, ',')` | msgParts__disposition | |
| msgParts__sha256_str | str | `join(msgParts__sha256, ',')` | msgParts__sha256 | |
| msgParts__isArchive_str | str | `replace(replace(stringify(json(msgParts__isArchive)), '[', ''), ']', '')` | msgParts__isArchive | |
| msgParts__detectedMime_str | str | `join(msgParts__detectedMime, ',')` | msgParts__detectedMime | |
| msgParts__detectedName_str | str | `join(msgParts__detectedName, ',')` | msgParts__detectedName | |
| msgParts__isCorrupted_str | str | `replace(replace(stringify(json(msgParts__isCorrupted)), '[', ''), ']', '')` | msgParts__isCorrupted | |
| filter__qid | str | | | |
| filter__actions | str | | | |
| filter__durationSecs | float8 | | | |
| filter__suborgs__sender | str | | | |
| filter__suborgs__rcpts | str | | | |
| filter__startTime | str | | | |
| filter__isMsgReinjected | bool | | | |
| filter__modules__pdr__v2__rscore | int4 | | | |
| filter__modules__pdr__v2__response | str | | | |
| filter__modules__urldefense__counts__unique | int4 | | | |
| filter__modules__urldefense__counts__rewritten | int4 | | | |
| filter__modules__urldefense__counts__total | int4 | | | |
| filter__modules__urldefense__counts__noRewriteIsExcludedDomain | int4 | | | |
| filter__modules__urldefense__counts__noRewriteIsEmail | int4 | | | |
| filter__modules__urldefense__counts__noRewriteIsSchemeless | int4 | | | |
| filter__modules__urldefense__counts__noRewriteIsUnsupportedScheme | int4 | | | |
| filter__modules__urldefense__version__engine | str | | | |
| filter__modules__spf__domain | str | | | |
| filter__modules__spf__result | str | | | |
| filter__modules__zerohour__score | str | | | |
| filter__modules__spam__charsets | str | | | |
| filter__modules__spam__langs | str | | | |
| filter__modules__spam__version__definitions | str | | | |
| filter__modules__spam__version__engine | str | | | |
| filter__modules__spam__scores__engine | int4 | | | |
| filter__modules__spam__scores__classifiers__mlx | int4 | | | |
| filter__modules__spam__scores__classifiers__suspect | int4 | | | |
| filter__modules__spam__scores__classifiers__lowpriority | int4 | | | |
| filter__modules__spam__scores__classifiers__adult | int4 | | | |
| filter__modules__spam__scores__classifiers__mlxlog | int4 | | | |
| filter__modules__spam__scores__classifiers__spam | int4 | | | |
| filter__modules__spam__scores__classifiers__malware | int4 | | | |
| filter__modules__spam__scores__classifiers__impostor | int4 | | | |
| filter__modules__spam__scores__classifiers__phish | int4 | | | |
| filter__modules__spam__scores__classifiers__bulk | int4 | | | |
| filter__modules__spam__scores__classifiers__adjust | int4 | | | |
| filter__modules__spam__scores__classifiers__ndr | int4 | | | |
| filter__modules__spam__scores__overall | int4 | | | |
| filter__modules__spam__triggeredClassifier | str | | | |
| filter__modules__spam__safeBlockedListMatches | str | | | |
| filter__modules__regulation__rules | str | | | |
| filter__modules__regulation__matches | str | | | |
| filter__quarantine__folder | str | | | |
| filter__quarantine__rule | str | | | |
| filter__isMsgEncrypted | bool | | | |
| filter__disposition | str | | | |
| filter__routes | str | | | |
| filter__routeDirection | str | | | |
| filter__verified__rcptsHashed | str | | | |
| filter__verified__rcpts | str | | | |
| filter__msgSizeBytes | int8 | | | |
| filter__origGuid | str | | | |
| pps__agent | str | | | |
| pps__version | str | | | |
| pps__cid | str | | | |
| envelope__from2 | str | | | |
| envelope__rcptsHashed | str | | | |
| envelope__fromHashed | str | | | |
| envelope__rcpts | str | | | |
| msg__parsedAddresses__fromHashed | str | | | |
| msg__parsedAddresses__toHashed | str | | | |
| msg__parsedAddresses__to | str | | | |
| msg__parsedAddresses__from2 | str | | | |
| msg__parsedAddresses__ccHashed | str | | | |
| msg__parsedAddresses__cc | str | | | |
| msg__lang | str | | | |
| msg__normalizedHeader__fromHashed | str | | | |
| msg__normalizedHeader__reply_to | str | | | |
| msg__normalizedHeader__message_id | str | | | |
| msg__normalizedHeader__from2 | str | | | |
| msg__normalizedHeader__toHashed | str | | | |
| msg__normalizedHeader__to | str | | | |
| msg__normalizedHeader__reply_toHashed | str | | | |
| msg__normalizedHeader__subject | str | | | |
| msg__normalizedHeader__x_originating_ip | str | | | |
| msg__normalizedHeader__x_mailer | str | | | |
| msg__normalizedHeader__return_path | str | | | |
| msg__normalizedHeader__return_pathHashed | str | | | |
| msg__normalizedHeader__ccHashed | str | | | |
| msg__normalizedHeader__cc | str | | | |
| msg__sizeBytes | int8 | | | |
| msg__header__fromHashed | str | | | |
| msg__header__reply_to | str | | | |
| msg__header__message_id | str | | | |
| msg__header__from2 | str | | | |
| msg__header__toHashed | str | | | |
| msg__header__to | str | | | |
| msg__header__reply_toHashed | str | | | |
| msg__header__subject | str | | | |
| msg__header__x_originating_ip | str | | | |
| msg__header__x_mailer | str | | | |
| msg__header__return_pathHashed | str | | | |
| msg__header__return_path | str | | | |
| guid | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
mail.proofpoint.pod.isolation

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| userId | str | | | |
| userName | str | | | |
| url | str | | | |
| date | timestamp | | | |
| region | str | | | |
| zone | str | | | |
| disposition | str | | | |
| categories_str | str | `join(categories, ',')` | categories | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
mail.proofpoint.pod.maillog

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| data | str | | | |
| tls__verify | str | | | |
| tls__version | str | | | |
| tls__cipher | str | | | |
| ts | str | | | |
| pps__agent | str | | | |
| pps__cid | str | | | |
| id | str | | | |
| sm__mailer | str | | | |
| sm__stat | str | | | |
| sm__pri | str | | | |
| sm__to_str | str | `join(sm__to, ',')` | sm__to | |
| sm__xdelay | str | | | |
| sm__relay | str | | | |
| sm__qid | str | | | |
| sm__dsn | str | | | |
| sm__delay | str | | | |
| metadata__customerId | str | | | |
| metadata__origin__schemaVersion | str | | | |
| metadata__origin__data__agent | str | | | |
| metadata__origin__data__cid | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
mail.proofpoint.pod.message

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| msgParts__sizeDecodedBytes_str | str | `replace(replace(stringify(json(msgParts__sizeDecodedBytes)), '[', ''), ']', '')` | msgParts__sizeDecodedBytes | |
| msgParts__isVirtual_str | str | `replace(replace(stringify(json(msgParts__isVirtual)), '[', ''), ']', '')` | msgParts__isVirtual | |
| msgParts__detectedExt_str | str | `join(msgParts__detectedExt, ',')` | msgParts__detectedExt | |
| msgParts__labeledCharset_str | str | `join(msgParts__labeledCharset, ',')` | msgParts__labeledCharset | |
| msgParts__structureId_str | str | `join(msgParts__structureId, ',')` | msgParts__structureId | |
| msgParts__detectedSizeBytes_str | str | `replace(replace(stringify(json(msgParts__detectedSizeBytes)), '[', ''), ']', '')` | msgParts__detectedSizeBytes | |
| msgParts__labeledMime_str | str | `join(msgParts__labeledMime, ',')` | msgParts__labeledMime | |
| msgParts__detectedCharset_str | str | `join(msgParts__detectedCharset, ',')` | msgParts__detectedCharset | |
| msgParts__isCorrupted_str | str | `replace(replace(stringify(json(msgParts__isCorrupted)), '[', ''), ']', '')` | msgParts__isCorrupted | |
| msgParts__sha256_str | str | `join(msgParts__sha256, ',')` | msgParts__sha256 | |
| msgParts__isProtected_str | str | `replace(replace(stringify(json(msgParts__isProtected)), '[', ''), ']', '')` | msgParts__isProtected | |
| msgParts__md5_str | str | `join(msgParts__md5, ',')` | msgParts__md5 | |
| msgParts__urls_str | str | `join(msgParts__urls, ',')` | msgParts__urls | |
| msgParts__detectedName_str | str | `join(msgParts__detectedName, ',')` | msgParts__detectedName | |
| msgParts__isDeleted_str | str | `replace(replace(stringify(json(msgParts__isDeleted)), '[', ''), ']', '')` | msgParts__isDeleted | |
| msgParts__isTimedOut_str | str | `replace(replace(stringify(json(msgParts__isTimedOut)), '[', ''), ']', '')` | msgParts__isTimedOut | |
| msgParts__dataBase64_str | str | `join(msgParts__dataBase64, ',')` | msgParts__dataBase64 | |
| msgParts__detectedMime_str | str | `join(msgParts__detectedMime, ',')` | msgParts__detectedMime | |
| msgParts__disposition_str | str | `join(msgParts__disposition, ',')` | msgParts__disposition | |
| msgParts__isArchive_str | str | `replace(replace(stringify(json(msgParts__isArchive)), '[', ''), ']', '')` | msgParts__isArchive | |
| msgParts__labeledExt_str | str | `join(msgParts__labeledExt, ',')` | msgParts__labeledExt | |
| msgParts__sandboxStatus_str | str | `join(msgParts__sandboxStatus, ',')` | msgParts__sandboxStatus | |
| msgParts__labeledName_str | str | `join(msgParts__labeledName, ',')` | msgParts__labeledName | |
| msgParts__textExtracted_str | str | `join(msgParts__textExtracted, ',')` | msgParts__textExtracted | |
| msg__lang | str | | | |
| msg__normalizedHeader__message_id_str | str | `join(msg__normalizedHeader__message_id, ',')` | msg__normalizedHeader__message_id | |
| msg__normalizedHeader__subject_str | str | `join(msg__normalizedHeader__subject, ',')` | msg__normalizedHeader__subject | |
| msg__normalizedHeader__to_str | str | `join(msg__normalizedHeader__to, ',')` | msg__normalizedHeader__to | |
| msg__normalizedHeader__from_str | str | `join(msg__normalizedHeader__from, ',')` | msg__normalizedHeader__from | |
| msg__parsedAddresses__fromDisplayNames_str | str | `join(msg__parsedAddresses__fromDisplayNames, ',')` | msg__parsedAddresses__fromDisplayNames | |
| msg__parsedAddresses__to_str | str | `join(msg__parsedAddresses__to, ',')` | msg__parsedAddresses__to | |
| msg__parsedAddresses__from_str | str | `join(msg__parsedAddresses__from, ',')` | msg__parsedAddresses__from | |
| msg__header__subject_str | str | `join(msg__header__subject, ',')` | msg__header__subject | |
| msg__header__message_id_str | str | `join(msg__header__message_id, ',')` | msg__header__message_id | |
| msg__header__from_str | str | `join(msg__header__from, ',')` | msg__header__from | |
| msg__header__to_str | str | `join(msg__header__to, ',')` | msg__header__to | |
| msg__sizeBytes | int4 | | | |
| connection__resolveStatus | str | | | |
| connection__helo | str | | | |
| connection__host | str | | | |
| connection__sid | str | | | |
| connection__protocol | str | | | |
| connection__ip | ip4 | | | |
| connection__country | str | | | |
| connection__tls__inbound__cipher | str | | | |
| connection__tls__inbound__cipherBits | int4 | | | |
| connection__tls__inbound__version | str | | | |
| envelope__from | str | | | |
| envelope__rcpts_str | str | `join(envelope__rcpts, ',')` | envelope__rcpts | |
| filter__durationSecs | float8 | | | |
| filter__delivered__rcpts_str | str | `join(filter__delivered__rcpts, ',')` | filter__delivered__rcpts | |
| filter__suborgs__rcpts_str | str | `join(filter__suborgs__rcpts, ',')` | filter__suborgs__rcpts | |
| filter__suborgs__sender | str | | | |
| filter__modules__urldefense__counts__unique | int4 | | | |
| filter__modules__urldefense__counts__rewritten | int4 | | | |
| filter__modules__urldefense__counts__total | int4 | | | |
| filter__modules__urldefense__version__engine | str | | | |
| filter__modules__spf__result | str | | | |
| filter__modules__spf__domain | str | | | |
| filter__modules__zerohour__score | str | | | |
| filter__modules__spam__charsets_str | str | `join(filter__modules__spam__charsets, ',')` | filter__modules__spam__charsets | |
| filter__modules__spam__version__definitions | str | | | |
| filter__modules__spam__version__engine | str | | | |
| filter__modules__spam__scores__classifiers__mlxlog | int4 | | | |
| filter__modules__spam__scores__classifiers__suspect | int4 | | | |
| filter__modules__spam__scores__classifiers__phish | int4 | | | |
| filter__modules__spam__scores__classifiers__impostor | int4 | | | |
| filter__modules__spam__scores__classifiers__malware | int4 | | | |
| filter__modules__spam__scores__classifiers__bulk | int4 | | | |
| filter__modules__spam__scores__classifiers__spam | int4 | | | |
| filter__modules__spam__scores__classifiers__mlx | int4 | | | |
| filter__modules__spam__scores__classifiers__lowpriority | int4 | | | |
| filter__modules__spam__scores__classifiers__adult | int4 | | | |
| filter__modules__spam__scores__engine | int4 | | | |
| filter__modules__spam__scores__overall | int4 | | | |
| filter__modules__spam__langs_str | str | `join(filter__modules__spam__langs, ',')` | filter__modules__spam__langs | |
| filter__isMsgReinjected | bool | | | |
| filter__actions__rule_str | str | `join(filter__actions__rule, ',')` | filter__actions__rule | |
| filter__actions__action_str | str | `join(filter__actions__action, ',')` | filter__actions__action | |
| filter__actions__module_str | str | `join(filter__actions__module, ',')` | filter__actions__module | |
| filter__actions__isFinal_str | str | `replace(replace(stringify(json(filter__actions__isFinal)), '[', ''), ']', '')` | filter__actions__isFinal | |
| filter__verified__rcpts_str | str | `join(filter__verified__rcpts, ',')` | filter__verified__rcpts | |
| filter__msgSizeBytes | int4 | | | |
| filter__routes_str | str | `join(filter__routes, ',')` | filter__routes | |
| filter__disposition | str | | | |
| filter__routeDirection | str | | | |
| filter__origGuid | str | | | |
| filter__quarantine__rule | str | | | |
| filter__quarantine__type | str | | | |
| filter__quarantine__module | str | | | |
| filter__quarantine__folderId | str | | | |
| filter__quarantine__folder | str | | | |
| filter__qid | str | | | |
| guid | str | | | |
| metadata__origin__data__version | ip4 | | | |
| metadata__origin__data__cid | str | | | |
| metadata__origin__data__agent | str | | | |
| ts | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
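The `_str` columns in the mail.proofpoint.pod.events and mail.proofpoint.pod.message tables are derived from list-valued source fields by one of two expressions: `join(field, ',')` for lists of strings, and `replace(replace(stringify(json(field)), '[', ''), ']', '')` for boolean or numeric lists. The Python below is an added illustration, not Devo's or Proofpoint's own code: it flattens a constructed nested event into the `a__b__c` column names used above, pivots the `msgParts` and `filter.actions` arrays into one list per leaf key, and builds the `_str` columns with the same rule. The sample values, the None-padding for keys that only some attachments carry, and the assumption that `stringify` renders compact JSON (so booleans appear as `true`/`false`) are the example's own.

```python
import json

# Constructed sample event (invented values), shaped like the nested Proofpoint
# PoD JSON that the mail.proofpoint.pod.events / .message tables flatten.
SAMPLE_EVENT = {
    "guid": "example-guid-0001",
    "connection": {
        "ip": "198.51.100.23",
        "tls": {"inbound": {"version": "TLSv1.2", "cipherBits": 256}},
    },
    "envelope": {
        "from": "sender@example.net",
        "rcpts": ["alice@example.com", "bob@example.com"],
    },
    "msgParts": [
        {"detectedName": "invoice.pdf", "sha256": "a" * 64,
         "isProtected": False, "sizeDecodedBytes": 48213},
        {"detectedName": "payload.zip", "sha256": "b" * 64,
         "isProtected": True, "sizeDecodedBytes": 9120,
         "sandboxStatus": "threat"},  # key absent from the first part
    ],
    "filter": {
        "disposition": "deliver",
        "actions": [{"module": "spam", "action": "deliver", "isFinal": True}],
        "modules": {"spam": {"scores": {"classifiers": {"phish": 88}}}},
    },
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into the `a__b__c` column names used in the tables.

    A list of objects (msgParts, filter.actions) is pivoted into one list per
    leaf key, so msgParts[i].sha256 becomes msgParts__sha256[i]. Keys missing
    from some elements are padded with None (this example's choice) so every
    list keeps the same length and position i still means the same attachment
    in every column.
    """
    if isinstance(obj, dict):
        flat = {}
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}{key}__"))
        return flat
    if isinstance(obj, list) and obj and all(isinstance(x, dict) for x in obj):
        per_item = [flatten(item, prefix) for item in obj]
        columns = {}
        for item in per_item:
            for key in item:
                columns.setdefault(key, None)
        return {key: [item.get(key) for item in per_item] for key in columns}
    return {prefix[:-2]: obj}  # leaf value, or a list of scalars kept as-is


def join_str(values):
    """Devo `join(field, ',')`: comma-join string elements without quoting."""
    return ",".join("" if v is None else v for v in values)


def stringify_str(values):
    """Devo `replace(replace(stringify(json(field)), '[', ''), ']', '')`.

    Assumption: stringify() renders compact JSON (no spaces), so booleans come
    out as the JSON literals true/false and a missing value as null.
    """
    rendered = json.dumps(values, separators=(",", ":"))
    return rendered.replace("[", "").replace("]", "")


def derive_str_columns(flat):
    """Build the `<field>_str` columns with the rule the tables follow:
    join() for lists of strings, stringify/replace for boolean or numeric lists."""
    derived = {}
    for name, value in flat.items():
        if not isinstance(value, list):
            continue
        if all(isinstance(v, (str, type(None))) for v in value):
            derived[f"{name}_str"] = join_str(value)
        else:
            derived[f"{name}_str"] = stringify_str(value)
    return derived


def attachments(derived):
    """Re-pair attachment name and SHA-256 from the joined columns by position.

    This relies on the positional alignment above and on neither value
    containing a comma; a filename with a comma would shift every later pair.
    """
    names = derived["msgParts__detectedName_str"].split(",")
    hashes = derived["msgParts__sha256_str"].split(",")
    return list(zip(names, hashes))


if __name__ == "__main__":
    flat = flatten(SAMPLE_EVENT)
    derived = derive_str_columns(flat)
    for name in ("msgParts__sha256_str", "msgParts__isProtected_str",
                 "msgParts__sandboxStatus_str", "filter__actions__isFinal_str"):
        print(f"{name} = {derived[name]!r}")
    print(attachments(derived))
```

Position i in `msgParts__detectedName_str`, `msgParts__sha256_str` and `msgParts__sandboxStatus_str` refers to the same attachment, which is what lets a query pair a sandbox verdict with a file hash. That pairing holds only while no joined value contains a comma: hash and boolean columns are safe to split on, filenames, subjects and URLs are not, so anything that needs those per attachment should be taken from the raw event rather than from the `_str` column.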
mail.proofpoint.sendmail

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | `split(hostchain, "=", 0)` | hostchain | |
| process_name | str | | | |
| process_id | str | | | |
| messageID | str | | | |
| sender | str | | | |
| size | str | | | |
| class | str | | | |
| nrcpts | str | | | |
| msgid | str | | | |
| proto | str | | | |
| daemon | str | | | |
| tls_verify | str | | | |
| auth | str | | | |
| relay | str | | | |
| to | str | | | |
| delay | str | | | |
| xdelay | str | | | |
| mailer | str | | | |
| pri | str | | | |
| dsn | str | | | |
| reply | str | | | |
| ctladdr | str | | | |
| stat | str | | | |
| unknown | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
mail.proofpoint.stdout

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | `split(hostchain, "=", 0)` | hostchain | |
| process_name | str | | | |
| process_id | str | | | |
| messageID | str | | | |
| s | str | | | |
| mod | str | | | |
| cmd | str | | | |
| lint | str | | | |
| ip | ip4 | | | |
| perlwait | float8 | | | |
| m | int4 | | | |
| x | str | | | |
| value | str | | | |
| qid | str | | | |
| r | int4 | | | |
| verified | str | | | |
| tls | str | | | |
| routes | str | | | |
| notroutes | str | | | |
| score | int4 | | | |
| ipScore | int4 | | | |
| spamScore | int4 | | | |
| suspectScore | int4 | | | |
| phishScore | int4 | | | |
| bulkScore | int4 | | | |
| adultScore | int4 | | | |
| duration | float8 | | | |
| module | str | | | |
| rule | str | | | |
| action | str | | | |
| attachments | int4 | | | |
| rcpts | int4 | | | |
| subject | str | | | |
| helo | str | | | |
| msgs | int4 | | | |
| elapsed | float8 | | | |
| host_msg | str | | | |
| country | str | | | |
| lip | ip4 | | | |
| prot | str | | | |
| hops_active | str | | | |
| resolve | str | | | |
| reverse | str | | | |
| size | int4 | | | |
| guid | str | | | |
| hdr_mid | str | | | |
| hops_ip | ip4 | | | |
| virusname | str | | | |
| folder | str | | | |
| pri | int4 | | | |
| form | str | | | |
| id | int4 | | | |
| file | str | | | |
| mime | str | | | |
| type | str | | | |
| omime | str | | | |
| oext | str | | | |
| corrupted | int4 | | | |
| protected | int4 | | | |
| sha256 | str | | | |
| virtual | int4 | | | |
| a | int4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |
mail.proofpoint.tapsiem

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| eventType | str | | | |
| messageTime | timestamp | | | |
| messageSize | int8 | | | |
| messageID | str | | | |
| senderIP | str | | | |
| sender | str | | | |
| recipient | str | | | |
| headerFrom | str | | | |
| headerReplyTo | str | | | |
| replyToAddress_str | str | `join(replyToAddress, ",")` | replyToAddress | |
| fromAddress_str | str | `join(fromAddress, ",")` | fromAddress | |
| toAddresses_str | str | `join(toAddresses, ",")` | toAddresses | |
| ccAddresses_str | str | `join(ccAddresses, ",")` | ccAddresses | |
| quarantineRule | str | | | |
| quarantineFolder | str | | | |
| cluster | str | | | |
| phishScore | int4 | | | |
| spamScore | int4 | | | |
| malwareScore | int4 | | | |
| impostorScore | float8 | | | |
| modulesRun_str | str | `join(modulesRun, ",")` | modulesRun | |
| subject | str | | | |
| messageParts_sha256_str | str | `join(messageParts_sha256, ",")` | messageParts_sha256 | |
| messageParts_disposition_str | str | `join(messageParts_disposition, ",")` | messageParts_disposition | |
| messageParts_contentType_str | str | `join(messageParts_contentType, ",")` | messageParts_contentType | |
| messageParts_md5_str | str | `join(messageParts_md5, ",")` | messageParts_md5 | |
| messageParts_sandboxStatus_str | str | `join(messageParts_sandboxStatus, ",")` | messageParts_sandboxStatus | |
| messageParts_filename_str | str | `join(messageParts_filename, ",")` | messageParts_filename | |
| messageParts_oContentType_str | str | `join(messageParts_oContentType, ",")` | messageParts_oContentType | |
| policyRoutes_str | str | `join(policyRoutes, ",")` | policyRoutes | |
| xmailer | str | | | |
| completelyRewritten | bool | | | |
| GUID | str | | | |
| QID | str | | | |
| campaignId | str | | | |
| classification | str | | | |
| clickTime | str | | | |
| clickIP | str | | | |
| url | str | | | |
| userAgent | str | | | |
| threatID | str | | | |
| threatTime | str | | | |
| threatURL | str | | | |
| threatStatus | str | | | |
| threatsInfoMap_threatID_str | str | `join(threatsInfoMap_threatID, ",")` | threatsInfoMap_threatID | |
| threatsInfoMap_threatType_str | str | `join(threatsInfoMap_threatType, ",")` | threatsInfoMap_threatType | |
| threatsInfoMap_threatStatus_str | str | `join(threatsInfoMap_threatStatus, ",")` | threatsInfoMap_threatStatus | |
| threatsInfoMap_threatTime_str | str | `join(threatsInfoMap_threatTime, ",")` | threatsInfoMap_threatTime | |
| threatsInfoMap_classification_str | str | `join(threatsInfoMap_classification, ",")` | threatsInfoMap_classification | |
| threatsInfoMap_campaignID_str | str | `join(threatsInfoMap_campaignID, ",")` | threatsInfoMap_campaignID | |
| threatsInfoMap_threat_str | str | `join(threatsInfoMap_threat, ",")` | threatsInfoMap_threat | |
| threatsInfoMap_threatUrl_str | str | `join(threatsInfoMap_threatUrl, ",")` | threatsInfoMap_threatUrl | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
mail.proofpoint.tapsiem_syslog

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| host | str | `split(hostchain, "=", 0)` | hostchain | |
| process_name | str | | | |
| process_id | str | | | |
| PriorityValue | int4 | | | |
| HeaderValue | str | | | |
| EventTime | timestamp | | | |
| HeaderValue2 | str | | | |
| EventType | str | | | |
| SD_ID | str | | | |
| ccAddresses | str | | | |
| clusterId | str | | | |
| completelyRewritten | str | | | |
| fromAddress | str | | | |
| GUID | str | | | |
| headerReplyTo | str | | | |
| messageID | str | | | |
| messageParts | str | | | |
| messageSize | str | | | |
| modulesRun | str | | | |
| policyRoutes | str | | | |
| QID | str | | | |
| quarantineFolder | str | | | |
| quarantineRule | str | | | |
| recipient | str | | | |
| replyToAddress | str | | | |
| sender | str | | | |
| subject | str | | | |
| threatsInfoMap | str | | | |
| threatsInfoMap__threatID | [str] | | | |
| threatsInfoMap__threatID_str | str | `join(threatsInfoMap__threatID, ", ")` | threatsInfoMap__threatID | |
| threatsInfoMap__threatStatus | [str] | | | |
| threatsInfoMap__threatStatus_str | str | `join(threatsInfoMap__threatStatus, ", ")` | threatsInfoMap__threatStatus | |
| threatsInfoMap__classification | [str] | | | |
| threatsInfoMap__classification_str | str | `join(threatsInfoMap__classification, ", ")` | threatsInfoMap__classification | |
| threatsInfoMap__threatUrl | [str] | | | |
| threatsInfoMap__threatUrl_str | str | `join(threatsInfoMap__threatUrl, ", ")` | threatsInfoMap__threatUrl | |
| threatsInfoMap__threatTime | [str] | | | |
| threatsInfoMap__threatTime_str | str | `join(threatsInfoMap__threatTime, ", ")` | threatsInfoMap__threatTime | |
| threatsInfoMap__threat | [str] | | | |
| threatsInfoMap__threat_str | str | `join(threatsInfoMap__threat, ", ")` | threatsInfoMap__threat | |
| threatsInfoMap__campaignID | [str] | | | |
| threatsInfoMap__campaignID_str | str | `join(threatsInfoMap__campaignID, ", ")` | threatsInfoMap__campaignID | |
| threatsInfoMap__threatType | [str] | | | |
| threatsInfoMap__threatType_str | str | `join(threatsInfoMap__threatType, ", ")` | threatsInfoMap__threatType | |
| toAddresses | str | | | |
| xmailer | str | | | |
| cluster | str | | | |
| headerFrom | str | | | |
| impostorScore | float8 | | | |
| malwareScore | int4 | | | |
| phishScore | int4 | | | |
| spamScore | int4 | | | |
| messageTime | timestamp | | | |
| campaignID | str | | | |
| class | str | | | |
| threatID | str | | | |
| threatURL | str | | | |
| url | str | | | |
| userAgent | str | | | |
| threatStatus | str | | | |
| clickIP | ip4 | | | |
| senderIP | ip4 | | | |
| clickTime | timestamp | | | |
| threatTime | timestamp | | | |
| unknown | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

mail.proofpoint.tapsiem_v2

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| eventType | str | | | |
| messageTime | timestamp | | | |
| messageSize | int8 | | | |
| messageID | str | | | |
| senderIP | str | | | |
| sender | str | | | |
| recipient | str | | | |
| headerFrom | str | | | |
| headerReplyTo | str | | | |
| replyToAddress_str | str | `join(replyToAddress, ",")` | replyToAddress | |
| fromAddress_str | str | `join(fromAddress, ",")` | fromAddress | |
| toAddresses_str | str | `join(toAddresses, ",")` | toAddresses | |
| ccAddresses_str | str | `join(ccAddresses, ",")` | ccAddresses | |
| quarantineRule | str | | | |
| quarantineFolder | str | | | |
| cluster | str | | | |
| phishScore | int4 | | | |
| spamScore | int4 | | | |
| malwareScore | int4 | | | |
| impostorScore | float8 | | | |
| modulesRun_str | str | `join(modulesRun, ",")` | modulesRun | |
| subject | str | | | |
| messageParts_sha256_str | str | `join(messageParts_sha256, ",")` | messageParts_sha256 | |
| messageParts_disposition_str | str | `join(messageParts_disposition, ",")` | messageParts_disposition | |
| messageParts_contentType_str | str | `join(messageParts_contentType, ",")` | messageParts_contentType | |
| messageParts_md5_str | str | `join(messageParts_md5, ",")` | messageParts_md5 | |
| messageParts_sandboxStatus_str | str | `join(messageParts_sandboxStatus, ",")` | messageParts_sandboxStatus | |
| messageParts_filename_str | str | `join(messageParts_filename, ",")` | messageParts_filename | |
| messageParts_oContentType_str | str | `join(messageParts_oContentType, ",")` | messageParts_oContentType | |
| policyRoutes_str | str | `join(policyRoutes, ",")` | policyRoutes | |
| xmailer | str | | | |
| completelyRewritten | bool | | | |
| GUID | str | | | |
| QID | str | | | |
| campaignId | str | | | |
| classification | str | | | |
| clickTime | str | | | |
| clickIP | str | | | |
| url | str | | | |
| userAgent | str | | | |
| threatID | str | | | |
| threatTime | str | | | |
| threatURL | str | | | |
| threatStatus | str | | | |
| threatsInfoMap_threatID_str | str | `join(threatsInfoMap_threatID, ",")` | threatsInfoMap_threatID | |
| threatsInfoMap_threatType_str | str | `join(threatsInfoMap_threatType, ",")` | threatsInfoMap_threatType | |
| threatsInfoMap_threatStatus_str | str | `join(threatsInfoMap_threatStatus, ",")` | threatsInfoMap_threatStatus | |
| threatsInfoMap_threatTime_str | str | `join(threatsInfoMap_threatTime, ",")` | threatsInfoMap_threatTime | |
| threatsInfoMap_classification_str | str | `join(threatsInfoMap_classification, ",")` | threatsInfoMap_classification | |
| threatsInfoMap_campaignID_str | str | `join(threatsInfoMap_campaignID, ",")` | threatsInfoMap_campaignID | |
| threatsInfoMap_threat_str | str | `join(threatsInfoMap_threat, ",")` | threatsInfoMap_threat | |
| threatsInfoMap_threatUrl_str | str | `join(threatsInfoMap_threatUrl, ",")` | threatsInfoMap_threatUrl | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

mail.proofpoint.tapsiem_v2.clicksblocked

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| eventType | str | |
| messageTime | timestamp | |
| messageSize | int8 | |
| messageID | str | |
| GUID | str | |
| id | str | |
| senderIP | str | |
| sender | str | |
| recipient | str | |
| campaignId | str | |
| classification | str | |
| clickTime | str | |
| clickIP | str | |
| url | str | |
| userAgent | str | |
| threatID | str | |
| threatTime | str | |
| threatURL | str | |
| threatStatus | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

mail.proofpoint.tapsiem_v2.clickspermitted

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| eventType | str | |
| messageTime | timestamp | |
| messageSize | int8 | |
| messageID | str | |
| GUID | str | |
| id | str | |
| senderIP | str | |
| sender | str | |
| recipient | str | |
| campaignId | str | |
| classification | str | |
| clickTime | str | |
| clickIP | str | |
| url | str | |
| userAgent | str | |
| threatID | str | |
| threatTime | str | |
| threatURL | str | |
| threatStatus | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

mail.proofpoint.tapsiem_v2.messagesblocked

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| eventType | str | |
| messageTime | timestamp | |
| messageSize | int8 | |
| messageID | str | |
| senderIP | str | |
| sender | str | |
| recipient | str | |
| headerFrom | str | |
| headerReplyTo | str | |
| replyToAddress_str | str | |
| fromAddress_str | str | |
| toAddresses_str | str | |
| ccAddresses_str | str | |
| quarantineRule | str | |
| quarantineFolder | str | |
| cluster | str | |
| phishScore | int4 | |
| spamScore | int4 | |
| malwareScore | int4 | |
| impostorScore | float8 | |
| modulesRun_str | str | |
| subject | str | |
| messageParts_sha256_str | str | |
| messageParts_disposition_str | str | |
| messageParts_contentType_str | str | |
| messageParts_md5_str | str | |
| messageParts_sandboxStatus_str | str | |
| messageParts_filename_str | str | |
| messageParts_oContentType_str | str | |
| policyRoutes_str | str | |
| xmailer | str | |
| completelyRewritten | bool | |
| GUID | str | |
| QID | str | |
| campaignId | str | |
| classification | str | |
| clickTime | str | |
| clickIP | str | |
| url | str | |
| userAgent | str | |
| threatID | str | |
| threatTime | str | |
| threatURL | str | |
| threatStatus | str | |
| threatsInfoMap_threatID_str | str | |
| threatsInfoMap_threatType_str | str | |
| threatsInfoMap_threatStatus_str | str | |
| threatsInfoMap_threatTime_str | str | |
| threatsInfoMap_classification_str | str | |
| threatsInfoMap_campaignID_str | str | |
| threatsInfoMap_threat_str | str | |
| threatsInfoMap_threatUrl_str | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

mail.proofpoint.tapsiem_v2.messagesdelivered

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| eventType | str | |
| messageTime | timestamp | |
| messageSize | int8 | |
| messageID | str | |
| senderIP | str | |
| sender | str | |
| recipient | str | |
| headerFrom | str | |
| headerReplyTo | str | |
| replyToAddress_str | str | |
| fromAddress_str | str | |
| toAddresses_str | str | |
| ccAddresses_str | str | |
| quarantineRule | str | |
| quarantineFolder | str | |
| cluster | str | |
| phishScore | int4 | |
| spamScore | int4 | |
| malwareScore | int4 | |
| impostorScore | float8 | |
| modulesRun_str | str | |
| subject | str | |
| messageParts_sha256_str | str | |
| messageParts_disposition_str | str | |
| messageParts_contentType_str | str | |
| messageParts_md5_str | str | |
| messageParts_sandboxStatus_str | str | |
| messageParts_filename_str | str | |
| messageParts_oContentType_str | str | |
| policyRoutes_str | str | |
| xmailer | str | |
| completelyRewritten | bool | |
| GUID | str | |
| QID | str | |
| id | str | |
| campaignId | str | |
| classification | str | |
| clickTime | str | |
| clickIP | str | |
| url | str | |
| userAgent | str | |
| threatID | str | |
| threatTime | str | |
| threatURL | str | |
| threatStatus | str | |
| threatsInfoMap_threatID_str | str | |
| threatsInfoMap_threatType_str | str | |
| threatsInfoMap_threatStatus_str | str | |
| threatsInfoMap_threatTime_str | str | |
| threatsInfoMap_classification_str | str | |
| threatsInfoMap_campaignID_str | str | |
| threatsInfoMap_threat_str | str | |
| threatsInfoMap_threatUrl_str | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

mail.proofpoint.trap

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| application_version | str | |
| event | str | |
| identity | str | |
| identity_type | str | |
| identity_id | str | |
| incident_data | str | |
| incident_id | str | |
| activity_type | str | |
| summary | str | |
| old_value | str | |
| new_value | str | |
| type | str | |
| automated | bool | |
| name | str | |
| state | str | |
| severity | str | |
| alert_id | int4 | |
| username | str | |
| ip | ip4 | |
| result | str | |
| host | ip4 | |
| ips | ip4 | |
| ttl | int4 | |
| enabled | str | |
| condition_list | str | |
| threshold_type | str | |
| threshold_inequality | str | |
| incident_severity_threshold | str | |
| send_to_incident_owner | str | |
| send_to_team | str | |
| send_to_reporter | str | |
| include_reported_email | str | |
| additional_recipients | str | |
| exclude_recipients | str | |
| content | str | |
| email_body_preface | str | |
| email_subject | str | |
| beginning_delimiter | str | |
| ending_delimiter | str | |
| messageId | str | |
| originalMailbox | str | |
| isMessageRead | bool | |
| quarantineFolder | str | |
| quarantineMailbox | str | |
| mailProvider | str | |
| updateMessage | str | |
| source | str | |
| category | str | |
| attacker | str | |
| target | str | |
| cnc | str | |
| other | str | |
| url | str | |
| role | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

mail.proofpoint.trap_incident

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | int4 | | | |
| score | int4 | | | |
| state | str | | | |
| created_at | timestamp | | | |
| updated_at | timestamp | | | |
| closed_at | timestamp | | | |
| close_summary | str | | | |
| close_detail | str | | | |
| event_count | int4 | | | |
| false_positive_count | int4 | | | |
| event_sources_str | str | `join(event_sources, ',')` | event_sources | |
| assignee | str | | | |
| team | str | | | |
| hosts__attacker_str | str | `join(hosts__attacker, ',')` | hosts__attacker | |
| incident_field_values__name_str | str | `join(incident_field_values__name, ',')` | incident_field_values__name | |
| incident_field_values__value_str | str | `join(incident_field_values__value, ',')` | incident_field_values__value | |
| quarantine_results__alertSource_str | str | `join(quarantine_results__alertSource, ',')` | quarantine_results__alertSource | |
| quarantine_results__startTime_str | str | `join(quarantine_results__startTime, ',')` | quarantine_results__startTime | |
| quarantine_results__endTime_str | str | `join(quarantine_results__endTime, ',')` | quarantine_results__endTime | |
| quarantine_results__status_str | str | `join(quarantine_results__status, ',')` | quarantine_results__status | |
| quarantine_results__recipientType_str | str | `join(quarantine_results__recipientType, ',')` | quarantine_results__recipientType | |
| quarantine_results__recipient_str | str | `join(quarantine_results__recipient, ',')` | quarantine_results__recipient | |
| quarantine_results__messageId_str | str | `join(quarantine_results__messageId, ',')` | quarantine_results__messageId | |
| quarantine_results__isRead_str | str | `join(quarantine_results__isRead, ',')` | quarantine_results__isRead | |
| quarantine_results__wasUndone_str | str | `join(quarantine_results__wasUndone, ',')` | quarantine_results__wasUndone | |
| quarantine_results__details_str | str | `join(quarantine_results__details, ',')` | quarantine_results__details | |
| successful_quarantines | int4 | | | |
| failed_quarantines | int4 | | | |
| pending_quarantines | int4 | | | |
| events__id | int4 | | | |
| events__category | str | | | |
| events__alertType | str | | | |
| events__severity | str | | | |
| events__source | str | | | |
| events__state | str | | | |
| events__attackDirection | str | | | |
| events__received | timestamp | | | |
| events__emails__sender__email_str | str | `join(events__emails__sender__email, ',')` | events__emails__sender__email | |
| events__emails__recipient__email_str | str | `join(events__emails__recipient__email, ',')` | events__emails__recipient__email | |
| events__emails__subject_str | str | `join(events__emails__subject, ',')` | events__emails__subject | |
| events__emails__messageId_str | str | `join(events__emails__messageId, ',')` | events__emails__messageId | |
| events__emails__messageDeliveryTime__chronology__zone__fixed_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__chronology__zone__fixed)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__chronology__zone__fixed | |
| events__emails__messageDeliveryTime__chronology__zone__id_str | str | `join(events__emails__messageDeliveryTime__chronology__zone__id, ',')` | events__emails__messageDeliveryTime__chronology__zone__id | |
| events__emails__messageDeliveryTime__millis_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__millis)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__millis | |
| events__emails__messageDeliveryTime__zone__fixed_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__zone__fixed)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__zone__fixed | |
| events__emails__messageDeliveryTime__zone__id_str | str | `join(events__emails__messageDeliveryTime__zone__id, ',')` | events__emails__messageDeliveryTime__zone__id | |
| events__emails__messageDeliveryTime__afterNow_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__afterNow)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__afterNow | |
| events__emails__messageDeliveryTime__beforeNow_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__beforeNow)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__beforeNow | |
| events__emails__messageDeliveryTime__equalNow_str | str | `replace(replace(stringify(json(events__emails__messageDeliveryTime__equalNow)), '[', ''), ']', '')` | events__emails__messageDeliveryTime__equalNow | |
| events__emails__abuseCopy_str | str | `replace(replace(stringify(json(events__emails__abuseCopy)), '[', ''), ']', '')` | events__emails__abuseCopy | |
| events__attackers__location_str | str | `join(events__attackers__location, ',')` | events__attackers__location | |
| events__falsePositive | bool | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
