

Introduction

The tags beginning with monitor.threatstack identify events generated by Threat Stack.

Valid tags and data tables

The full tag must have at least three levels. The first two are fixed as monitor.threatstack. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables
--- | --- | ---
Threat Stack | monitor.threatstack.alerts.active | monitor.threatstack.alerts
Threat Stack | monitor.threatstack.alerts | monitor.threatstack.alerts
Threat Stack | monitor.threatstack.audit | monitor.threatstack.audit
Threat Stack | monitor.threatstack.cve | monitor.threatstack.cve
Threat Stack | monitor.threatstack.ec2 | monitor.threatstack.ec2
Threat Stack | monitor.threatstack.events | monitor.threatstack.events

For more information about how tags are structured, see Devo tags.
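
As an added example (not Devo's or Threat Stack's own code), the following Python applies the tag rule above: a tag must have at least three non-empty levels, the first two must be the fixed monitor.threatstack prefix, and the third must be one of the event types listed in the table. It generalises the alerts.active row by taking the first three levels of any valid tag as the receiving data table.

```python
# Added example: route monitor.threatstack.* tags to their Devo data table.
# Assumption (generalised from the table above): the receiving data table is
# always the first three levels of a valid tag, e.g. alerts.active -> alerts.
from typing import Dict, Iterable, List, Optional

FIXED_PREFIX = ("monitor", "threatstack")
# Event types that this page lists as valid third levels.
KNOWN_TYPES = {"alerts", "audit", "cve", "ec2", "events"}


def data_table_for_tag(tag: str) -> Optional[str]:
    """Return the data table that receives `tag`, or None if the tag is invalid."""
    levels = tag.split(".")
    # Reject empty levels such as "monitor.threatstack..alerts" or a trailing dot.
    if any(not level for level in levels):
        return None
    # Rule 1: at least three levels.
    if len(levels) < 3:
        return None
    # Rule 2: the first two levels are fixed.
    if tuple(levels[:2]) != FIXED_PREFIX:
        return None
    # Rule 3: the third level names a known event type.
    if levels[2] not in KNOWN_TYPES:
        return None
    return ".".join(levels[:3])


def route_tags(tags: Iterable[str]) -> Dict[Optional[str], List[str]]:
    """Group tags by receiving data table; invalid tags land under None for review."""
    routed: Dict[Optional[str], List[str]] = {}
    for tag in tags:
        routed.setdefault(data_table_for_tag(tag), []).append(tag)
    return routed


if __name__ == "__main__":
    # Constructed sample input, not data from the page.
    sample = ["monitor.threatstack.alerts.active", "monitor.threatstack.cve",
              "monitor.threatstack", "monitor.other.alerts"]
    for table, tag_list in route_tags(sample).items():
        print(table or "INVALID", "<-", tag_list)
```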

Table structure

These are the fields displayed in these tables:

monitor.threatstack.alerts

Field | Type | Extra field | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
alertType | str | | |
id | str | | |
title | str | | |
createdAt | timestamp | | |
isDismissed | bool | | |
dismissedAt | timestamp | | |
dismissReason | str | | |
dismissReasonText | str | | |
dismissedBy | str | | |
severity | int4 | | |
dataSource | str | | |
agentId | str | | |
ruleId | str | | |
rulesetId | str | | |
aggregates__fieldNames_str | str | | join(aggregates__fieldNames, ',') | aggregates__fieldNames
hostchain | str | | |
tag | str | | |
rawMessage | str | | |

monitor.threatstack.audit

Field | Type | Extra field | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
id | str | | |
userEmail | str | | |
userId | str | | |
organizationId | str | | |
result | str | | |
crud | str | | |
action | str | | |
source | str | | |
description | str | | |
eventTime | timestamp | | |
context__url | str | | |
context__params__from | timestamp | | parsedate(context__params__from_str, dateformat("YYYY-MM-DD[T]HH:mm", "UTC")) | context__params__from_str
context__originIp | ip4 | | |
context__httpMethod | str | | |
context__responseCode | int4 | | |
context__responseSize | int8 | | |
godMode | bool | | |
hostchain | str | | |
tag | str | | |
rawMessage | str | | |

monitor.threatstack.cve

Field | Type | Extra field | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
cveNumber | str | | |
reportedPackage | str | | |
systemPackage | str | | |
vectorType | str | | |
isSuppressed | bool | | |
severity | str | | |
securityNotices__securityNoticeId_str | str | | join(securityNotices__securityNoticeId, ',') | securityNotices__securityNoticeId
securityNotices__source_str | str | | join(securityNotices__source, ',') | securityNotices__source
securityNotices__url_str | str | | join(securityNotices__url, ',') | securityNotices__url
agents__hostname_str | str | | join(agents__hostname, ',') | agents__hostname
agents__agentId_str | str | | join(agents__agentId, ',') | agents__agentId
hostchain | str | | |
tag | str | | |
rawMessage | str | | |

monitor.threatstack.ec2

Field | Type | Extra field | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
id | str | | |
kernelId | str | | |
instanceType | str | | |
privateDnsName | str | | |
privateIpAddress | str | | |
groups__id_str | str | | join(groups__id, ',') | groups__id
groups__name_str | str | | join(groups__name, ',') | groups__name
subnetId | str | | |
keyName | str | | |
region | str | | |
launchTime | str | | |
imageId | str | | |
architecture | str | | |
publicDnsName | str | | |
publicIpAddress | str | | |
vpcId | str | | |
awsProfile__id_str | str | | join(awsProfile__id, ',') | awsProfile__id
awsProfile__organizationName_str | str | | join(awsProfile__organizationName, ',') | awsProfile__organizationName
awsProfile__description_str | str | | join(awsProfile__description, ',') | awsProfile__description
monitored | bool | | |
tags__key_str | str | | join(tags__key, ',') | tags__key
tags__value_str | str | | join(tags__value, ',') | tags__value
tags__source_str | str | | join(tags__source, ',') | tags__source
hostchain | str | | |
tag | str | | |
rawMessage | str | | |

monitor.threatstack.events

Field | Type | Extra field | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
timestamp | timestamp | | |
id | str | | |
organization_id | str | | |
agent_id | str | | |
ingest_time | timestamp | | |
event_id | str | | |
event_time | timestamp | | |
ts_event_type | str | | |
args_str | str | | join(args, ',') | args
auid | int4 | | |
command | str | | |
events_str | str | | join(events, ',') | events
filename | str | | |
gid | int4 | | |
group2_str | str | | join(group2, ',') | group2
pid | int4 | | |
ppid | int4 | | |
rule_id | str | | |
rule_name | str | | |
session | int4 | | |
uid | int4 | | |
user | str | | |
eventClass | str | | |
containerLabels | str | | |
time_id | str | | |
event_type | str | | |
alert_id | str | | |
hostchain | str | | |
tag | str | | |
rawMessage | str | | |
