
ndr.vectra.cognito_stream

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

hostname

str

 

type

str

vtype

metadata_type

str

 

timestamp

timestamp

 

uid

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

orig_hostname

str

 

resp_hostname

str

 

local_orig

bool

 

local_resp

bool

 

orig_huid

str

 

orig_sluid

str

 

resp_huid

str

 

resp_sluid

str

 

sensor_uid

str

 

community_id

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.dcerpc

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

endpoint

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

operation

str

 

orig_hostname

str

 

orig_sluid

str

 

resp_hostname

str

 

resp_sluid

str

 

rtt

int4

 

sensor_uid

str

 

timestamp

timestamp

 

uid

str

 

hostchain

str

tag

str

rawMessage

str

 

ndr.vectra.cognito_stream.dhcp

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

lease_time

str

 

lease_time_int

int4

 

mac

str

 

metadata_type

str

 

orig_hostname

str

 

sensor_uid

str

 

trans_id

str

 

timestamp

timestamp

 

uid

str

 

dhcp_server_ip

ip4

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.dns

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

aa

bool

 

 

ra

bool

 

 

rd

bool

 

 

tc

bool

 

 

ttls_json

str

 

 

ttls

str

Code Block
ttls_array[0]

ttls_array

ttls_values

str

Code Block
join(ttls_array, ", ")

ttls_array

answers_json

str

 

 

answers

str

Code Block
answers_array[0]

answers_array

answers_values

str

Code Block
join(answers_array, ", ")

answers_array

auth

str

 

 

community_id

str

 

 

id_ip_ver

str

 

 

id_orig_h

ip4

 

 

id_orig_p

int4

 

 

id_destination_ip

ip4

 

 

id_destination_port

int4

 

 

local_orig

bool

 

 

local_resp

bool

 

 

metadata_type

str

 

 

orig_hostname

str

 

 

orig_huid

str

 

 

orig_sluid

str

 

 

protocol

int4

 

 

qclass

int4

 

 

qclass_name

str

 

 

qtype

int4

 

 

qtype_name

str

 

 

query

str

 

 

rcode

int4

 

 

rcode_name

str

 

 

rejected

bool

 

 

saw_query

bool

 

 

saw_reply

bool

 

 

sensor_uid

str

 

 

total_answers

int4

 

 

total_replies

int4

 

 

trans_id

int4

 

 

timestamp

timestamp

 

 

uid

str

 

 

resp_hostname

str

 

 

resp_sluid

str

 

 

resp_huid

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

ndr.vectra.cognito_stream.httpsessioninfo

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

cookie

str

 

cookie_vars

str

 

hostname2

str

 

host_multihomed

bool

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

is_proxied

bool

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

method

str

 

orig_hostname

str

 

orig_huid

str

 

orig_ip_bytes

str

 

orig_pkts

int4

 

orig_sluid

str

 

request_body_len

int4

 

request_header_count

int4

 

resp_hostname

str

 

resp_ip_bytes

str

 

resp_mime_types

str

 

resp_pkts

int4

 

response_body_len

int4

 

response_cache_control

str

 

response_expires

str

 

response_header_count

int4

 

sensor_uid

str

 

status_code

int4

 

status_msg

str

 

timestamp

timestamp

 

uid

str

 

uri

str

 

user_agent

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.isession

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

conn_state

str

 

dir_confidence

int4

 

duration

int4

 

first_orig_resp_data_pkt

str

 

first_orig_resp_data_pkt_time

timestamp

 

first_orig_resp_pkt_time

timestamp

 

first_resp_orig_data_pkt

str

 

first_resp_orig_data_pkt_time

timestamp

 

first_resp_orig_pkt_time

timestamp

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

orig_hostname

str

 

orig_huid

str

 

orig_ip_bytes

str

 

orig_pkts

int4

 

orig_sluid

str

 

orig_vlan_id

int4

 

protocol

int4

 

proto_name

str

 

resp_domain

ip4

 

resp_hostname

str

 

resp_ip_bytes

str

 

resp_multihomed

bool

 

resp_pkts

int4

 

resp_sluid

str

 

resp_vlan_id

int4

 

sensor_uid

str

 

service

str

 

session_start_time

timestamp

 

timestamp

timestamp

 

uid

str

 

resp_huid

str

 

hostchain

str

tag

str

 

rawMessage

str

ndr.vectra.cognito_stream.kerberos_txn

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

client2

str

 

 

community_id

str

 

 

data_source

str

 

 

error_code

str

 

 

error_msg

str

 

 

id_ip_ver

str

 

 

id_orig_h

ip4

 

 

id_orig_p

int4

 

 

id_destination_ip

ip4

 

 

id_destination_port

int4

 

 

local_orig

bool

 

 

local_resp

bool

 

 

metadata_type

str

 

 

orig_hostname

str

 

 

orig_huid

str

 

 

orig_sluid

str

 

 

protocol

int4

 

 

rep_cipher

str

 

 

reply_timestamp

str

 

 

req_ciphers

str

Code Block
req_ciphers_array[0]

req_ciphers_array

req_ciphers_values

str

Code Block
join(req_ciphers_array, ", ")

req_ciphers_array

request_type

str

 

 

resp_hostname

str

 

 

resp_huid

str

 

 

resp_sluid

str

 

 

sensor_uid

str

 

 

service

str

 

 

success

str

 

 

timestamp

timestamp

 

 

uid

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

ndr.vectra.cognito_stream.ldap

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

attributes

str

Code Block
attributes_array[0]

attributes_array

attributes_values

str

Code Block
join(attributes_array, ", ")

attributes_array

bind_error_count

str

 

 

community_id

str

 

 

duration

int4

 

 

encrypted_sasl_payload_count

str

 

 

id_ip_ver

str

 

 

id_orig_h

ip4

 

 

id_orig_p

int4

 

 

id_destination_ip

ip4

 

 

id_destination_port

int4

 

 

is_close

bool

 

 

is_query

bool

 

 

local_orig

bool

 

 

local_resp

bool

 

 

logon_failure_error_count

str

 

 

message_id

str

 

 

metadata_type

str

 

 

orig_hostname

str

 

 

orig_sluid

str

 

 

query

str

 

 

query_scope

str

 

 

request_bytes

str

 

 

resp_hostname

str

 

 

resp_sluid

str

 

 

response_bytes

str

 

 

result

str

 

 

result_code

str

 

 

result_count

str

 

 

sensor_uid

str

 

 

timestamp

timestamp

 

 

uid

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

ndr.vectra.cognito_stream.ntlm

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

domain

str

 

hostname2

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

orig_hostname

str

 

orig_huid

str

 

orig_sluid

str

 

resp_hostname

str

 

resp_huid

str

 

resp_sluid

str

 

sensor_uid

str

 

status

str

 

success

str

 

timestamp

timestamp

 

uid

str

 

username

str

 

hostchain

str

tag

str

 

rawMessage

str

ndr.vectra.cognito_stream.rdp

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

client_build

str

 

community_id

str

 

cookie

str

 

desktop_height

str

 

desktop_width

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

keyboard_layout

str

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

orig_hostname

str

 

orig_sluid

str

 

resp_hostname

str

 

resp_sluid

str

 

result

str

 

sensor_uid

str

 

timestamp

timestamp

 

uid

str

 

hostchain

str

tag

str

rawMessage

str

ndr.vectra.cognito_stream.smbfiles

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

action

str

 

community_id

str

 

delete_on_close

bool

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

name

str

 

orig_hostname

str

 

orig_huid

str

 

orig_sluid

str

 

file_path

str

 

resp_hostname

str

 

resp_huid

str

 

resp_sluid

str

 

sensor_uid

str

 

timestamp

timestamp

 

uid

str

 

version

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.smbmapping

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

metadata_type

str

 

orig_hostname

str

 

orig_huid

str

 

orig_sluid

str

 

file_path

str

 

resp_hostname

str

 

resp_huid

str

 

resp_sluid

str

 

sensor_uid

str

 

service

str

 

timestamp

timestamp

 

uid

str

 

version

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.smtp

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

community_id

str

 

date

str

 

from

str

 

helo

str

 

id_ip_ver

str

 

id_orig_h

ip4

 

id_orig_p

int4

 

id_destination_ip

ip4

 

id_destination_port

int4

 

local_orig

bool

 

local_resp

bool

 

mail_from

str

 

metadata_type

str

 

msgid

str

 

orig_hostname

str

 

orig_sluid

str

 

rcpt_to

str

 

resp_hostname

str

 

resp_sluid

str

 

sensor_uid

str

 

subject

str

 

tls

bool

 

to

str

 

timestamp

timestamp

 

uid

str

 

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.vectra.cognito_stream.ssl

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

cipher

str

 

 

client_curve_num_json

str

 

 

client_curve_num

str

Code Block
client_curve_num_array[0]

client_curve_num_array

client_curve_num_values

str

Code Block
join(client_curve_num_array, ", ")

client_curve_num_array

client_ec_point_format

str

 

 

client_extension_json

str

 

 

client_extension

str

Code Block
client_extension_array[0]

client_extension_array

client_extension_values

str

Code Block
join(client_extension_array, ", ")

client_extension_array

client_version

str

 

 

client_version_num

int4

 

 

community_id

str

 

 

curve

str

 

 

established

bool

 

 

id_ip_ver

str

 

 

id_orig_h

ip4

 

 

id_orig_p

int4

 

 

id_destination_ip

ip4

 

 

id_destination_port

int4

 

 

issuer

str

 

 

ja3

str

 

 

ja3s

str

 

 

local_orig

bool

 

 

local_resp

bool

 

 

metadata_type

str

 

 

orig_hostname

str

 

 

orig_huid

str

 

 

orig_sluid

str

 

 

resp_hostname

str

 

 

resp_sluid

str

 

 

sensor_uid

str

 

 

server_extensions_json

str

 

 

server_extensions

str

Code Block
server_extensions_array[0]

server_extensions_array

server_extensions_values

str

Code Block
join(server_extensions_array, ", ")

server_extensions_array

server_name

str

 

 

subject

str

 

 

timestamp

timestamp

 

 

uid

str

 

 

version

str

 

 

version_num

int4

 

 

resp_huid

str

 

 

conn_state

str

 

 

dir_confidence

int4

 

 

duration

int4

 

 

first_orig_resp_data_pkt_time

timestamp

 

 

first_orig_resp_pkt_time

timestamp

 

 

first_resp_orig_data_pkt

str

 

 

first_resp_orig_data_pkt_time

timestamp

 

 

first_resp_orig_pkt_time

timestamp

 

 

orig_ip_bytes

int4

 

 

orig_pkts

int4

 

 

orig_vlan_id

int4

 

 

protocol

int4

 

 

proto_name

str

 

 

resp_ip_bytes

int4

 

 

resp_multihomed

bool

 

 

resp_pkts

int4

 

 

resp_vlan_id

int4

 

 

service

str

 

 

session_start_time

timestamp

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

ndr.vectra.cognito_stream.x509

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

basic_constraints_ca

bool

 

 

basic_constraints_path_len

int4

 

 

certificate_cn

str

 

 

certificate_exponent

str

 

 

certificate_issuer

str

 

 

certificate_key_alg

str

 

 

certificate_key_length

str

 

 

certificate_key_type

str

 

 

certificate_not_valid_after

timestamp

 

 

certificate_not_valid_before

timestamp

 

 

certificate_self_issued

bool

 

 

certificate_serial

str

 

 

certificate_sig_alg

str

 

 

certificate_subject

str

 

 

certificate_version

int4

 

 

community_id

str

 

 

id_ip_ver

str

 

 

id_orig_h

ip4

 

 

id_orig_p

int4

 

 

id_destination_ip

ip4

 

 

id_destination_port

int4

 

 

local_orig

bool

 

 

local_resp

bool

 

 

metadata_type

str

 

 

orig_hostname

str

 

 

orig_huid

str

 

 

orig_sluid

str

 

 

resp_hostname

str

 

 

resp_sluid

str

 

 

san_dns_json

str

 

 

san_dns

str

Code Block
san_dns_array[0]

san_dns_array

san_dns_values

str

Code Block
join(san_dns_array, ", ")

san_dns_array

san_other_fields

bool

 

 

sensor_uid

str

 

 

timestamp

timestamp

 

 

uid

str

 

 

resp_huid

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 

ndr.vectra.platform.detection

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

date

timestamp

 

 

index

int4

 

 

value__custom_detection

str

 

 

value__filtered_by_user

bool

 

 

value__sensor_name

str

 

 

value__src_account__privilege_level

str

 

 

value__src_account__threat

float8

 

 

value__src_account__url

str

 

 

value__src_account__certainty

float8

 

 

value__src_account__id

float8

 

 

value__src_account__name

str

 

 

value__src_account__privilege_category

str

 

 

value__src_ip_ipv4

ip4

 

 

value__src_ip_ipv6

ip6

 

 

value__url

str

 

 

value__assigned_date

str

 

 

value__filtered_by_ai

bool

 

 

value__is_targeting_key_asset

bool

 

 

value__note_modified_by

str

 

 

value__detection

str

 

 

value__detection_type

str

 

 

value__groups__id

str

Code Block
replace(replace(stringify(json(value__groups__id_array)), '[', ''), ']', '')

value__groups__id_array

value__groups__last_modified

str

Code Block
join(value__groups__last_modified_array, ',')

value__groups__last_modified_array

value__groups__last_modified_by

str

Code Block
join(value__groups__last_modified_by_array, ',')

value__groups__last_modified_by_array

value__groups__name

str

Code Block
join(value__groups__name_array, ',')

value__groups__name_array

value__groups__type

str

Code Block
join(value__groups__type_array, ',')

value__groups__type_array

value__groups__description

str

Code Block
join(value__groups__description_array, ',')

value__groups__description_array

value__id

float8

 

 

value__sensor

str

 

 

value__c_score

float8

 

 

value__note_modified_timestamp

str

 

 

value__t_score

float8

 

 

value__tags

str

Code Block
join(value__tags_array, ',')

value__tags_array

value__threat

float8

 

 

value__assigned_to

str

 

 

value__category

str

 

 

value__first_timestamp

timestamp

 

 

value__last_timestamp

timestamp

 

 

value__note

str

 

 

value__summary__description

str

 

 

value__summary__operations

str

Code Block
join(value__summary__operations_array, ',')

value__summary__operations_array

value__summary__reasons

str

Code Block
join(value__summary__reasons_array, ',')

value__summary__reasons_array

value__summary__shares

str

Code Block
join(value__summary__shares_array, ',')

value__summary__shares_array

value__targets_key_asset

bool

 

 

value__detection_category

str

 

 

value__grouped_details__directories_table

str

Code Block
join(value__grouped_details__directories_table_array, ',')

value__grouped_details__directories_table_array

value__grouped_details__files_shared

str

Code Block
replace(replace(stringify(json(value__grouped_details__files_shared_array)), '[', ''), ']', '')

value__grouped_details__files_shared_array

value__grouped_details__last_timestamp

str

Code Block
join(value__grouped_details__last_timestamp_array, ',')

value__grouped_details__last_timestamp_array

value__grouped_details__reason

str

Code Block
join(value__grouped_details__reason_array, ',')

value__grouped_details__reason_array

value__grouped_details__target_table

str

Code Block
join(value__grouped_details__target_table_array, ',')

value__grouped_details__target_table_array

value__grouped_details__user_agent

str

Code Block
join(value__grouped_details__user_agent_array, ',')

value__grouped_details__user_agent_array

value__grouped_details__first_timestamp

str

Code Block
join(value__grouped_details__first_timestamp_array, ',')

value__grouped_details__first_timestamp_array

value__grouped_details__operation

str

Code Block
join(value__grouped_details__operation_array, ',')

value__grouped_details__operation_array

value__grouped_details__share

str

Code Block
join(value__grouped_details__share_array, ',')

value__grouped_details__share_array

value__is_custom_model

bool

 

 

value__notes__date_created

str

Code Block
join(value__notes__date_created_array, ',')

value__notes__date_created_array

value__notes__date_modified

str

Code Block
join(value__notes__date_modified_array, ',')

value__notes__date_modified_array

value__notes__id

str

Code Block
replace(replace(stringify(json(value__notes__id_array)), '[', ''), ']', '')

value__notes__id_array

value__notes__modified_by

str

Code Block
join(value__notes__modified_by_array, ',')

value__notes__modified_by_array

value__notes__note

str

Code Block
join(value__notes__note_array, ',')

value__notes__note_array

value__notes__created_by

str

Code Block
join(value__notes__created_by_array, ',')

value__notes__created_by_array

value__certainty

float8

 

 

value__created_timestamp

timestamp

 

 

value__data_source__connection_name

str

 

 

value__data_source__type

str

 

 

value__data_source__connection_id

str

 

 

value__detection_url

str

 

 

value__filtered_by_rule

bool

 

 

value__is_marked_custom

bool

 

 

value__description

str

 

 

value__state

str

 

 

value__triage_rule_id

float8

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str