Introduction
The tags beginning with `dlp.digitalguardian` identify events generated by Digital Guardian.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as `dlp.digitalguardian`. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and the corresponding data tables that receive the parsed data:
Product / Service | Tags | Data tables |
---|---|---|
Digital Guardian |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
For more information, see Devo tags.
Table structure
These are the fields displayed in each of these tables:
dlp.digitalguardian.arc.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
hostname |
| |
machine_type |
| |
file_internal_name |
| |
application |
| |
md5_hash |
| |
original_name |
| |
dg_custom_data_dg_scope |
| |
parent_application |
| |
process_directory |
| |
was_rule_violated |
| |
process_local_creation_time |
| |
process_path |
| |
process_file_extension |
| |
was_removable |
| |
dg_custom_data_dg_values |
| |
is_user_local_admin |
| |
event_display_name |
| |
dg_custom_data_dg_name |
| |
company_name |
| |
file_version |
| |
product_name |
| |
user_domain |
| |
mac_address |
| |
user |
| |
agent_version |
| |
unique_id |
| |
command_line |
| |
product_version |
| |
computer_name |
| |
application_internal_name |
| |
was_mobile_device |
| |
_time |
| |
operation_type |
| |
process_file_size |
| |
was_detail_blocked |
| |
process_domain |
| |
event_local_time |
| |
was_classified |
| |
file_description |
| |
parent_md5_hash |
| |
sha256_hash |
| |
process_pid |
| |
server_process_time |
| |
event_time |
| |
parent_process_internal_name |
| |
process_local_modify_time |
| |
x86_or_x64 |
| |
process_local_access_time |
| |
is_virtual_session |
| |
bytes_written |
| |
destination_drive_type |
| |
dg_src_dev_dev_prdname |
| |
source_was_classified |
| |
destination_file_extension |
| |
destination_file_name |
| |
attachment_file_size |
| |
dg_dst_dev_dev_bt |
| |
attachment_source_file_name |
| |
destination_was_classified |
| |
source_file_extension |
| |
dg_dst_dev_dev_dt |
| |
dg_src_dev_dev_dt |
| |
attachment_source_file_path |
| |
destination_file_encryption |
| |
dg_dst_dev_dev_vendor |
| |
dg_src_dev_dev_bt |
| |
dg_dst_dev_dev_prdname |
| |
dg_src_dev_dev_vendor |
| |
destination_bus_type |
| |
attachment_source_directory |
| |
attachment_source_drive_type |
| |
source_is_removable |
| |
source_file_encryption |
| |
destination_file_path |
| |
destination_is_removable |
| |
destination_directory |
| |
bytes_read |
| |
dns_hostname |
| |
url_path |
| |
dg_alert_dg_policy_dg_category_name |
| |
was_private_address |
| |
dg_alert_dg_category_name |
| |
network_direction |
| |
source_ip_address |
| |
dg_alert_alert_etu |
| |
wireless_ssid |
| |
remote_port |
| |
dg_alert_dg_rule_action_type |
| |
dg_alert_alert_ur |
| |
adapter_name |
| |
dg_alert_dg_name |
| |
was_wireless |
| |
local_port |
| |
dg_alert_alert_at |
| |
dg_alert_alert_al |
| |
protocol |
| |
dg_alert_alert_wb |
| |
dg_alert_alert_etl |
| |
dg_alert_dg_policy_dg_name |
| |
dg_alert_dg_detection_source |
| |
encryption_status |
| |
dg_alert_alert_bc |
| |
ip_address |
| |
was_mobile_copy |
| |
dg_recipients_uad_mr |
| |
dg_attachments_dg_src_dir |
| |
dg_attachments_dg_file_size |
| |
event_was_blocked |
| |
event_has_rule_violation |
| |
dg_recipients_uad_mrt |
| |
dg_attachments_uad_sdt |
| |
email_subject |
| |
dg_attachments_uad_sp |
| |
email_sender |
| |
dg_attachments_dg_src_file_name |
| |
dg_recipients_dg_rec_email_domain |
| |
url_host |
| |
url_context_path |
| |
url_port |
| |
url_scheme |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
dlp.digitalguardian.endpointdlp.alerts
Field | Type | Extra field | Field transformation | Source field name |
---|---|---|---|---|
eventdate |
| |||
priority |
| |||
Agent_Local_Time |
| |||
Agent_UTC_Time |
| |||
timestamp |
| parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ") | Agent_UTC_Time_TZ | |
Application |
| |||
Computer_Name |
| ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[1], Computer_Name_wDomain) | Computer_Name_wDomain Computer_Name_tmp Computer_Name_len | |
Domain |
| ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[0], null) | Computer_Name_tmp Computer_Name_len | |
Computer_Type |
| |||
Email_Sender |
| |||
Email_Subject |
| |||
Operation |
| |||
Policy |
| |||
Rule |
| |||
Rule_Category |
| |||
Severity |
| |||
User_Response |
| |||
Was_Blocked |
| |||
Destination_Directory |
| |||
Destination_File |
| |||
Destination_File_Encryption |
| |||
DNS_Hostname |
| |||
Email_Recipient |
| |||
Email_Recipient_Type |
| |||
IP_Address |
| |||
Local_Port |
| |||
Network_Direction |
| |||
Object_Type |
| |||
Printer |
| |||
Printer_Jobname |
| |||
Protocol |
| |||
Remote_Port |
| |||
Source_Directory |
| |||
Source_File |
| |||
Source_File_Encryption |
| |||
URL_Path |
| |||
Was_Destination_Classified |
| |||
Was_Destination_Removable |
| |||
Was_S_MIME_Encrypted |
| |||
Was_S_MIME_Signed |
| |||
Was_Source_Classified |
| |||
Source_Drive_Type |
| |||
Source_Device_ID |
| |||
Destination_Drive_Type |
| |||
Destination_Device_ID |
| |||
Email_Address |
| |||
User_Name |
| ifthenelse(User_Name_len > 1, User_Name_tmp[1], User_Name_wDomain) | User_Name_tmp User_Name_wDomain User_Name_len | |
Custom_Int_4 |
| |||
Custom_String_1 |
| |||
Custom_String_3 |
| |||
Custom_String_4 |
| |||
Detail_Event_ID |
| |||
Dll_SHA1_Hash |
| |||
Dll_SHA256_Hash |
| |||
Registry_Value |
| |||
Event_ID |
| |||
Detail_File_Size_MB |
| |||
Destination_Device_Friendly_Name |
| |||
Destination_Device_Product_ID |
| |||
Destination_Device_Product_Name |
| |||
Destination_Device_Serial_Number |
| |||
Destination_Device_Vendor |
| |||
Destination_Device_Vendor_ID |
| |||
Prompt_Survey_Text |
| |||
Source_Device_Friendly_Name |
| |||
Source_Device_Product_ID |
| |||
Source_Device_Product_Name |
| |||
Source_Device_Serial_Number |
| |||
Source_Device_Vendor |
| |||
Source_Device_Vendor_ID |
| |||
Source_IP_Address |
| |||
Alert_ID |
| |||
Server_Local_Timestamp |
| |||
User_Name_Text |
| |||
Category |
| |||
Detail |
| |||
message |
| rawSource | ||
hostchain |
| ✓ | ||
tag |
| ✓ | ||
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.audit
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
priority |
| ||
Server_Local_Timestamp |
| ||
User_Name_Text |
| ||
Category |
| ||
Detail |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.classification
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
priority |
| ||
Event_ID |
| ||
Detail_Classification_Policy |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
Agent_Local_Date |
| |
Agent_Local_Time |
| |
Agent_UTC_Time |
| |
Application |
| |
Computer_Name |
| |
Computer_Type |
| |
DNS_Hostname |
| |
Email_Sender |
| |
Email_Subject |
| |
Event_ID |
| |
Detail_Event_ID |
| |
IP_Address |
| |
Local_Port |
| |
Network_Direction |
| |
Operation |
| |
Protocol |
| |
Remote_Port |
| |
URL_Path |
| |
Was_Classified |
| |
Was_Removable |
| |
Was_Rule_Violation |
| |
Was_S_MIME_Encrypted |
| |
Was_S_MIME_Signed |
| |
Device_ID |
| |
Drive_Type |
| |
Friendly_Name |
| |
Product_ID |
| |
Removal_Policy |
| |
Serial_Number |
| |
Vendor |
| |
Vendor_ID |
| |
Destination_Directory |
| |
Destination_File |
| |
Destination_File_Extension |
| |
Email_Domain_Name |
| |
Email_Recipient |
| |
Printer |
| |
Printer_Jobname |
| |
Source_Directory |
| |
Source_File |
| |
Source_File_Extension |
| |
User_Response |
| |
Was_Destination_Classified |
| |
Was_Detail_Rule_Violation |
| |
Was_Source_Classified |
| |
Was_Source_Removable |
| |
Source_Drive_Type |
| |
Source_Device_ID |
| |
Destination_Drive_Type |
| |
Destination_Device_ID |
| |
Domain_Name |
| |
Email_Address |
| |
User_ID |
| |
User_Name |
| |
Custom_String_1 |
| |
Custom_String_3 |
| |
Custom_String_4 |
| |
Company_Name |
| |
Product_Name |
| |
Product_Version |
| |
Scan_Value_Status |
| |
Scan_Value_Status_Local_Time |
| |
Scan_Value_Status_Text |
| |
Dll_SHA1_Hash |
| |
Dll_SHA256_Hash |
| |
Parent_Application_V2 |
| |
Parent_MD5_Checksum_V2 |
| |
Destination_Device_Friendly_Name |
| |
Destination_Device_Product_ID |
| |
Destination_Device_Product_Name |
| |
Destination_Device_Serial_Number |
| |
Destination_Device_Vendor |
| |
Destination_Device_Vendor_ID |
| |
Rule |
| |
Source_Device_Friendly_Name |
| |
Source_Device_Serial_Number |
| |
Source_Device_Product_ID |
| |
Source_Device_Product_Name |
| |
Source_Device_Vendor |
| |
Source_Device_Vendor_ID |
| |
Was_Blocked |
| |
MD5_Checksum |
| |
Dll_Created_Local_Time |
| |
Detail_File_Size_MB |
| |
Detail_Classification_Content_Pattern |
| |
Detail_Classification_Frequency |
| |
Detail_Classification_Policy |
| |
Detail_Classification_Rule |
| |
Detail_Classification_Type |
| |
Source_IP_Address |
| |
Registry_Value |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
|
dlp.digitalguardian.endpointdlp
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
type |
| vtype | |
message |
| rawSource | |
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.networkdlp.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
hostname |
| |
incident_id |
| |
managed_device_id |
| |
number_of_incidents |
| |
incident_status |
| |
matched_policies_by_severity |
| |
action_taken |
| |
matches |
| |
protocol |
| |
http_url |
| |
inspected_document |
| |
source |
| |
source_ip |
| |
source_port |
| |
destination |
| |
destination_ip |
| |
destination_port |
| |
email_subject |
| |
email_sender |
| |
email_recipients |
| |
timestamp |
| |
managed_device_name |
| |
incidents_url |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
|