dlp.digitalguardian

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with dlp.digitalguardian identify events generated by Digital Guardian.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as dlp.digitalguardian. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Digital Guardian	`dlp.digitalguardian.arc.events`	`dlp.digitalguardian.arc.events`
	`dlp.digitalguardian.endpointdlp.alerts`	`dlp.digitalguardian.endpointdlp.alerts`
	`dlp.digitalguardian.endpointdlp.audit`	`dlp.digitalguardian.endpointdlp.audit`
	`dlp.digitalguardian.endpointdlp.classification`	`dlp.digitalguardian.endpointdlp.classification`
	`dlp.digitalguardian.endpointdlp.events`	`dlp.digitalguardian.endpointdlp.events`
	`dlp.digitalguardian.endpointdlp.alerts`	`dlp.digitalguardian.endpointdlp`
	`dlp.digitalguardian.networkdlp.events`	`dlp.digitalguardian.networkdlp.events`
	`dlp.digitalguardian.networkdlp.system`	`dlp.digitalguardian.networkdlp.system`
	`dlp.digitalguardian.networkdlp.events`	`dlp.digitalguardian.networkdlp`

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

dlp.digitalguardian.arc.events
dlp.digitalguardian.endpointdlp.alerts
dlp.digitalguardian.endpointdlp.audit
dlp.digitalguardian.endpointdlp.classification
dlp.digitalguardian.endpointdlp.events
dlp.digitalguardian.endpointdlp
dlp.digitalguardian.networkdlp.events
dlp.digitalguardian.networkdlp.system
dlp.digitalguardian.networkdlp

dlp.digitalguardian.arc.events

Field	Type	Extra field

Field	Type	Extra field
eventdate	`timestamp`
hostname	`str`
machine_type	`str`
file_internal_name	`str`
application	`str`
md5_hash	`str`
original_name	`str`
dg_custom_data_dg_scope	`str`
parent_application	`str`
process_directory	`str`
was_rule_violated	`str`
process_local_creation_time	`str`
process_path	`str`
process_file_extension	`str`
was_removable	`str`
dg_custom_data_dg_values	`str`
is_user_local_admin	`str`
event_display_name	`str`
dg_custom_data_dg_name	`str`
company_name	`str`
file_version	`str`
product_name	`str`
user_domain	`str`
mac_address	`str`
user	`str`
agent_version	`str`
unique_id	`str`
command_line	`str`
product_version	`str`
computer_name	`str`
application_internal_name	`str`
was_mobile_device	`str`
_time	`timestamp`
operation_type	`str`
process_file_size	`str`
was_detail_blocked	`str`
process_domain	`str`
event_local_time	`str`
was_classified	`str`
file_description	`str`
parent_md5_hash	`str`
sha256_hash	`str`
process_pid	`int4`
server_process_time	`timestamp`
event_time	`str`
parent_process_internal_name	`str`
process_local_modify_time	`str`
x86_or_x64	`str`
process_local_access_time	`str`
is_virtual_session	`str`
bytes_written	`str`
destination_drive_type	`str`
dg_src_dev_dev_prdname	`str`
source_was_classified	`str`
destination_file_extension	`str`
destination_file_name	`str`
attachment_file_size	`str`
dg_dst_dev_dev_bt	`str`
attachment_source_file_name	`str`
destination_was_classified	`str`
source_file_extension	`str`
dg_dst_dev_dev_dt	`str`
dg_src_dev_dev_dt	`str`
attachment_source_file_path	`str`
destination_file_encryption	`str`
dg_dst_dev_dev_vendor	`str`
dg_src_dev_dev_bt	`str`
dg_dst_dev_dev_prdname	`str`
dg_src_dev_dev_vendor	`str`
destination_bus_type	`str`
attachment_source_directory	`str`
attachment_source_drive_type	`str`
source_is_removable	`str`
source_file_encryption	`str`
destination_file_path	`str`
destination_is_removable	`str`
destination_directory	`str`
bytes_read	`str`
dns_hostname	`str`
url_path	`str`
dg_alert_dg_policy_dg_category_name	`str`
was_private_address	`str`
dg_alert_dg_category_name	`str`
network_direction	`str`
source_ip_address	`str`
dg_alert_alert_etu	`str`
wireless_ssid	`str`
remote_port	`str`
dg_alert_dg_rule_action_type	`str`
dg_alert_alert_ur	`str`
adapter_name	`str`
dg_alert_dg_name	`str`
was_wireless	`str`
local_port	`str`
dg_alert_alert_at	`str`
dg_alert_alert_al	`str`
protocol	`str`
dg_alert_alert_wb	`str`
dg_alert_alert_etl	`str`
dg_alert_dg_policy_dg_name	`str`
dg_alert_dg_detection_source	`str`
encryption_status	`str`
dg_alert_alert_bc	`str`
ip_address	`str`
was_mobile_copy	`str`
dg_recipients_uad_mr	`str`
dg_attachments_dg_src_dir	`str`
dg_attachments_dg_file_size	`str`
event_was_blocked	`str`
event_has_rule_violation	`str`
dg_recipients_uad_mrt	`str`
dg_attachments_uad_sdt	`str`
email_subject	`str`
dg_attachments_uad_sp	`str`
email_sender	`str`
dg_attachments_dg_src_file_name	`str`
dg_recipients_dg_rec_email_domain	`str`
url_host	`str`
url_context_path	`str`
url_port	`int4`
url_scheme	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

dlp.digitalguardian.endpointdlp.alerts

Field	Type	Extra field	Field transformation	Source field name

Field	Type	Extra field	Field transformation	Source field name
eventdate	`timestamp`
priority	`int4`
Agent_Local_Time	`str`
Agent_UTC_Time	`str`
timestamp	`timestamp`		`parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ")`	Agent_UTC_Time_TZ
Application	`str`
Computer_Name	`str`		`ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[1], Computer_Name_wDomain)`	Computer_Name_wDomain Computer_Name_tmp Computer_Name_len
Domain	`str`		`ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[0], null)`	Computer_Name_tmp Computer_Name_len
Computer_Type	`str`
Email_Sender	`str`
Email_Subject	`str`
Operation	`str`
Policy	`str`
Rule	`str`
Rule_Category	`str`
Severity	`str`
User_Response	`str`
Was_Blocked	`str`
Destination_Directory	`str`
Destination_File	`str`
Destination_File_Encryption	`str`
DNS_Hostname	`str`
Email_Recipient	`str`
Email_Recipient_Type	`str`
IP_Address	`str`
Local_Port	`str`
Network_Direction	`str`
Object_Type	`str`
Printer	`str`
Printer_Jobname	`str`
Protocol	`str`
Remote_Port	`str`
Source_Directory	`str`
Source_File	`str`
Source_File_Encryption	`str`
URL_Path	`str`
Was_Destination_Classified	`str`
Was_Destination_Removable	`str`
Was_S_MIME_Encrypted	`str`
Was_S_MIME_Signed	`str`
Was_Source_Classified	`str`
Source_Drive_Type	`str`
Source_Device_ID	`str`
Destination_Drive_Type	`str`
Destination_Device_ID	`str`
Email_Address	`str`
User_Name	`str`			User_Name_tmp User_Name_wDomain User_Name_len
Custom_Int_4	`str`
Custom_String_1	`str`
Custom_String_3	`str`
Custom_String_4	`str`
Detail_Event_ID	`str`
Dll_SHA1_Hash	`str`
Dll_SHA256_Hash	`str`
Registry_Value	`str`
Event_ID	`str`
Detail_File_Size_MB	`float8`
Destination_Device_Friendly_Name	`str`
Destination_Device_Product_ID	`str`
Destination_Device_Product_Name	`str`
Destination_Device_Serial_Number	`str`
Destination_Device_Vendor	`str`
Destination_Device_Vendor_ID	`str`
Prompt_Survey_Text	`str`
Source_Device_Friendly_Name	`str`
Source_Device_Product_ID	`str`
Source_Device_Product_Name	`str`
Source_Device_Serial_Number	`str`
Source_Device_Vendor	`str`
Source_Device_Vendor_ID	`str`
Source_IP_Address	`str`
Alert_ID	`str`
Server_Local_Timestamp	`str`
User_Name_Text	`str`
Category	`str`
Detail	`str`
message	`str`			rawSource
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓		rawSource

dlp.digitalguardian.endpointdlp.audit

Field	Type	Extra field	Source field name

Field	Type	Extra field	Source field name
eventdate	`timestamp`
priority	`int4`
Server_Local_Timestamp	`str`
User_Name_Text	`str`
Category	`str`
Detail	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓	rawSource

dlp.digitalguardian.endpointdlp.classification

Field	Type	Extra field	Source field name

Field	Type	Extra field	Source field name
eventdate	`timestamp`
priority	`int4`
Event_ID	`str`
Detail_Classification_Policy	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓	rawSource

dlp.digitalguardian.endpointdlp.events

Field	Type	Extra field

Field	Type	Extra field
eventdate	`timestamp`
Agent_Local_Date	`str`
Agent_Local_Time	`str`
Agent_UTC_Time	`str`
Application	`str`
Computer_Name	`str`
Computer_Type	`str`
DNS_Hostname	`str`
Email_Sender	`str`
Email_Subject	`str`
Event_ID	`str`
Detail_Event_ID	`str`
IP_Address	`str`
Local_Port	`str`
Network_Direction	`str`
Operation	`str`
Protocol	`str`
Remote_Port	`str`
URL_Path	`str`
Was_Classified	`str`
Was_Removable	`str`
Was_Rule_Violation	`str`
Was_S_MIME_Encrypted	`str`
Was_S_MIME_Signed	`str`
Device_ID	`str`
Drive_Type	`str`
Friendly_Name	`str`
Product_ID	`str`
Removal_Policy	`str`
Serial_Number	`str`
Vendor	`str`
Vendor_ID	`str`
Destination_Directory	`str`
Destination_File	`str`
Destination_File_Extension	`str`
Email_Domain_Name	`str`
Email_Recipient	`str`
Printer	`str`
Printer_Jobname	`str`
Source_Directory	`str`
Source_File	`str`
Source_File_Extension	`str`
User_Response	`str`
Was_Destination_Classified	`str`
Was_Detail_Rule_Violation	`str`
Was_Source_Classified	`str`
Was_Source_Removable	`str`
Source_Drive_Type	`str`
Source_Device_ID	`str`
Destination_Drive_Type	`str`
Destination_Device_ID	`str`
Domain_Name	`str`
Email_Address	`str`
User_ID	`str`
User_Name	`str`
Custom_String_1	`str`
Custom_String_3	`str`
Custom_String_4	`str`
Company_Name	`str`
Product_Name	`str`
Product_Version	`str`
Scan_Value_Status	`str`
Scan_Value_Status_Local_Time	`str`
Scan_Value_Status_Text	`str`
Dll_SHA1_Hash	`str`
Dll_SHA256_Hash	`str`
Parent_Application_V2	`str`
Parent_MD5_Checksum_V2	`str`
Destination_Device_Friendly_Name	`str`
Destination_Device_Product_ID	`str`
Destination_Device_Product_Name	`str`
Destination_Device_Serial_Number	`str`
Destination_Device_Vendor	`str`
Destination_Device_Vendor_ID	`str`
Rule	`str`
Source_Device_Friendly_Name	`str`
Source_Device_Serial_Number	`str`
Source_Device_Product_ID	`str`
Source_Device_Product_Name	`str`
Source_Device_Vendor	`str`
Source_Device_Vendor_ID	`str`
Was_Blocked	`str`
MD5_Checksum	`str`
Dll_Created_Local_Time	`str`
Detail_File_Size_MB	`str`
Detail_Classification_Content_Pattern	`str`
Detail_Classification_Frequency	`str`
Detail_Classification_Policy	`str`
Detail_Classification_Rule	`str`
Detail_Classification_Type	`str`
Source_IP_Address	`str`
Registry_Value	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

dlp.digitalguardian.endpointdlp

Field	Type	Extra field	Source field name

Field	Type	Extra field	Source field name
eventdate	`timestamp`
type	`str`		vtype
message	`str`		rawSource
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓	rawSource

dlp.digitalguardian.networkdlp.events

Field	Type	Extra field

Field	Type	Extra field
eventdate	`timestamp`
hostname	`str`
incident_id	`str`
managed_device_id	`str`
number_of_incidents	`str`
incident_status	`str`
matched_policies_by_severity	`str`
action_taken	`str`
matches	`str`
protocol	`str`
http_url	`str`
inspected_document	`str`
source	`str`
source_ip	`ip4`
source_port	`str`
destination	`str`
destination_ip	`ip4`
destination_port	`str`
email_subject	`str`
email_sender	`str`
email_recipients	`str`
timestamp	`str`
managed_device_name	`str`
incidents_url	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

dlp.digitalguardian.networkdlp.system

Field	Type	Extra field

Field	Type	Extra field
eventdate	`timestamp`
hostname	`str`
category	`str`
managed_device_id	`str`
managed_device_name	`str`
managed_device_ip	`ip4`
source_ip	`ip4`
source_user	`str`
timestamp	`str`
summary	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

dlp.digitalguardian.networkdlp

Field	Type	Extra field	Source field name

Field	Type	Extra field	Source field name
eventdate	`timestamp`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓	rawSource