Introduction
The tags beginning with dlp.digitalguardian identify events generated by Digital Guardian.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as dlp.digitalguardian. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and the corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Digital Guardian |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
For more information, see Devo tags.
Table structure
These are the fields displayed in these tables:
dlp.digitalguardian.arc.events
dlp.digitalguardian.endpointdlp.alerts
dlp.digitalguardian.endpointdlp.audit
dlp.digitalguardian.endpointdlp.classification
dlp.digitalguardian.endpointdlp.events
dlp.digitalguardian.endpointdlp
dlp.digitalguardian.networkdlp.events
dlp.digitalguardian.networkdlp.system
dlp.digitalguardian.networkdlp
dlp.digitalguardian.arc.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
hostname |
| |
machine_type |
| |
file_internal_name |
| |
application |
| |
md5_hash |
| |
original_name |
| |
dg_custom_data_dg_scope |
| |
parent_application |
| |
process_directory |
| |
was_rule_violated |
| |
process_local_creation_time |
| |
process_path |
| |
process_file_extension |
| |
was_removable |
| |
dg_custom_data_dg_values |
| |
is_user_local_admin |
| |
event_display_name |
| |
dg_custom_data_dg_name |
| |
company_name |
| |
file_version |
| |
product_name |
| |
user_domain |
| |
mac_address |
| |
user |
| |
agent_version |
| |
unique_id |
| |
command_line |
| |
product_version |
| |
computer_name |
| |
application_internal_name |
| |
was_mobile_device |
| |
_time |
| |
operation_type |
| |
process_file_size |
| |
was_detail_blocked |
| |
process_domain |
| |
event_local_time |
| |
was_classified |
| |
file_description |
| |
parent_md5_hash |
| |
sha256_hash |
| |
process_pid |
| |
server_process_time |
| |
event_time |
| |
parent_process_internal_name |
| |
process_local_modify_time |
| |
x86_or_x64 |
| |
process_local_access_time |
| |
is_virtual_session |
| |
bytes_written |
| |
destination_drive_type |
| |
dg_src_dev_dev_prdname |
| |
source_was_classified |
| |
destination_file_extension |
| |
destination_file_name |
| |
attachment_file_size |
| |
dg_dst_dev_dev_bt |
| |
attachment_source_file_name |
| |
destination_was_classified |
| |
source_file_extension |
| |
dg_dst_dev_dev_dt |
| |
dg_src_dev_dev_dt |
| |
attachment_source_file_path |
| |
destination_file_encryption |
| |
dg_dst_dev_dev_vendor |
| |
dg_src_dev_dev_bt |
| |
dg_dst_dev_dev_prdname |
| |
dg_src_dev_dev_vendor |
| |
destination_bus_type |
| |
attachment_source_directory |
| |
attachment_source_drive_type |
| |
source_is_removable |
| |
source_file_encryption |
| |
destination_file_path |
| |
destination_is_removable |
| |
destination_directory |
| |
bytes_read |
| |
dns_hostname |
| |
url_path |
| |
dg_alert_dg_policy_dg_category_name |
| |
was_private_address |
| |
dg_alert_dg_category_name |
| |
network_direction |
| |
source_ip_address |
| |
dg_alert_alert_etu |
| |
wireless_ssid |
| |
remote_port |
| |
dg_alert_dg_rule_action_type |
| |
dg_alert_alert_ur |
| |
adapter_name |
| |
dg_alert_dg_name |
| |
was_wireless |
| |
local_port |
| |
dg_alert_alert_at |
| |
dg_alert_alert_al |
| |
protocol |
| |
dg_alert_alert_wb |
| |
dg_alert_alert_etl |
| |
dg_alert_dg_policy_dg_name |
| |
dg_alert_dg_detection_source |
| |
encryption_status |
| |
dg_alert_alert_bc |
| |
ip_address |
| |
was_mobile_copy |
| |
dg_recipients_uad_mr |
| |
dg_attachments_dg_src_dir |
| |
dg_attachments_dg_file_size |
| |
event_was_blocked |
| |
event_has_rule_violation |
| |
dg_recipients_uad_mrt |
| |
dg_attachments_uad_sdt |
| |
email_subject |
| |
dg_attachments_uad_sp |
| |
email_sender |
| |
dg_attachments_dg_src_file_name |
| |
dg_recipients_dg_rec_email_domain |
| |
url_host |
| |
url_context_path |
| |
url_port |
| |
url_scheme |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
dlp.digitalguardian.endpointdlp.alerts
Field | Type | Extra field | Field transformation | Source field name |
---|---|---|---|---|
eventdate |
| |||
priority |
| |||
Agent_Local_Time |
| |||
Agent_UTC_Time |
| |||
timestamp |
| parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ") | Agent_UTC_Time_TZ | |
Application |
| |||
Computer_Name |
| ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[1], Computer_Name_wDomain) | Computer_Name_wDomain Computer_Name_tmp Computer_Name_len | |
Domain |
| ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[0], null) | Computer_Name_tmp Computer_Name_len | |
Computer_Type |
| |||
Email_Sender |
| |||
Email_Subject |
| |||
Operation |
| |||
Policy |
| |||
Rule |
| |||
Rule_Category |
| |||
Severity |
| |||
User_Response |
| |||
Was_Blocked |
| |||
Destination_Directory |
| |||
Destination_File |
| |||
Destination_File_Encryption |
| |||
DNS_Hostname |
| |||
Email_Recipient |
| |||
Email_Recipient_Type |
| |||
IP_Address |
| |||
Local_Port |
| |||
Network_Direction |
| |||
Object_Type |
| |||
Printer |
| |||
Printer_Jobname |
| |||
Protocol |
| |||
Remote_Port |
| |||
Source_Directory |
| |||
Source_File |
| |||
Source_File_Encryption |
| |||
URL_Path |
| |||
Was_Destination_Classified |
| |||
Was_Destination_Removable |
| |||
Was_S_MIME_Encrypted |
| |||
Was_S_MIME_Signed |
| |||
Was_Source_Classified |
| |||
Source_Drive_Type |
| |||
Source_Device_ID |
| |||
Destination_Drive_Type |
| |||
Destination_Device_ID |
| |||
Email_Address |
| |||
User_Name |
| ifthenelse(User_Name_len > 1, User_Name_tmp[1], User_Name_wDomain) | User_Name_tmp User_Name_wDomain User_Name_len | |
Custom_Int_4 |
| |||
Custom_String_1 |
| |||
Custom_String_3 |
| |||
Custom_String_4 |
| |||
Detail_Event_ID |
| |||
Dll_SHA1_Hash |
| |||
Dll_SHA256_Hash |
| |||
Registry_Value |
| |||
Event_ID |
| |||
Detail_File_Size_MB |
| |||
Destination_Device_Friendly_Name |
| |||
Destination_Device_Product_ID |
| |||
Destination_Device_Product_Name |
| |||
Destination_Device_Serial_Number |
| |||
Destination_Device_Vendor |
| |||
Destination_Device_Vendor_ID |
| |||
Prompt_Survey_Text |
| |||
Source_Device_Friendly_Name |
| |||
Source_Device_Product_ID |
| |||
Source_Device_Product_Name |
| |||
Source_Device_Serial_Number |
| |||
Source_Device_Vendor |
| |||
Source_Device_Vendor_ID |
| |||
Source_IP_Address |
| |||
Alert_ID |
| |||
Server_Local_Timestamp |
| |||
User_Name_Text |
| |||
Category |
| |||
Detail |
| |||
message |
| rawSource | ||
hostchain |
| ✓ | ||
tag |
| ✓ | ||
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.audit
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
priority |
| ||
Server_Local_Timestamp |
| ||
User_Name_Text |
| ||
Category |
| ||
Detail |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.classification
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
priority |
| ||
Event_ID |
| ||
Detail_Classification_Policy |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.endpointdlp.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
Agent_Local_Date |
| |
Agent_Local_Time |
| |
Agent_UTC_Time |
| |
Application |
| |
Computer_Name |
| |
Computer_Type |
| |
DNS_Hostname |
| |
Email_Sender |
| |
Email_Subject |
| |
Event_ID |
| |
Detail_Event_ID |
| |
IP_Address |
| |
Local_Port |
| |
Network_Direction |
| |
Operation |
| |
Protocol |
| |
Remote_Port |
| |
URL_Path |
| |
Was_Classified |
| |
Was_Removable |
| |
Was_Rule_Violation |
| |
Was_S_MIME_Encrypted |
| |
Was_S_MIME_Signed |
| |
Device_ID |
| |
Drive_Type |
| |
Friendly_Name |
| |
Product_ID |
| |
Removal_Policy |
| |
Serial_Number |
| |
Vendor |
| |
Vendor_ID |
| |
Destination_Directory |
| |
Destination_File |
| |
Destination_File_Extension |
| |
Email_Domain_Name |
| |
Email_Recipient |
| |
Printer |
| |
Printer_Jobname |
| |
Source_Directory |
| |
Source_File |
| |
Source_File_Extension |
| |
User_Response |
| |
Was_Destination_Classified |
| |
Was_Detail_Rule_Violation |
| |
Was_Source_Classified |
| |
Was_Source_Removable |
| |
Source_Drive_Type |
| |
Source_Device_ID |
| |
Destination_Drive_Type |
| |
Destination_Device_ID |
| |
Domain_Name |
| |
Email_Address |
| |
User_ID |
| |
User_Name |
| |
Custom_String_1 |
| |
Custom_String_3 |
| |
Custom_String_4 |
| |
Company_Name |
| |
Product_Name |
| |
Product_Version |
| |
Scan_Value_Status |
| |
Scan_Value_Status_Local_Time |
| |
Scan_Value_Status_Text |
| |
Dll_SHA1_Hash |
| |
Dll_SHA256_Hash |
| |
Parent_Application_V2 |
| |
Parent_MD5_Checksum_V2 |
| |
Destination_Device_Friendly_Name |
| |
Destination_Device_Product_ID |
| |
Destination_Device_Product_Name |
| |
Destination_Device_Serial_Number |
| |
Destination_Device_Vendor |
| |
Destination_Device_Vendor_ID |
| |
Rule |
| |
Source_Device_Friendly_Name |
| |
Source_Device_Serial_Number |
| |
Source_Device_Product_ID |
| |
Source_Device_Product_Name |
| |
Source_Device_Vendor |
| |
Source_Device_Vendor_ID |
| |
Was_Blocked |
| |
MD5_Checksum |
| |
Dll_Created_Local_Time |
| |
Detail_File_Size_MB |
| |
Detail_Classification_Content_Pattern |
| |
Detail_Classification_Frequency |
| |
Detail_Classification_Policy |
| |
Detail_Classification_Rule |
| |
Detail_Classification_Type |
| |
Source_IP_Address |
| |
Registry_Value |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
|
dlp.digitalguardian.endpointdlp
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
type |
| vtype | |
message |
| rawSource | |
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |
dlp.digitalguardian.networkdlp.events
Field | Type | Extra field |
---|---|---|
eventdate |
| |
hostname |
| |
incident_id |
| |
managed_device_id |
| |
number_of_incidents |
| |
incident_status |
| |
matched_policies_by_severity |
| |
action_taken |
| |
matches |
| |
protocol |
| |
http_url |
| |
inspected_document |
| |
source |
| |
source_ip |
| |
source_port |
| |
destination |
| |
destination_ip |
| |
destination_port |
| |
email_subject |
| |
email_sender |
| |
email_recipients |
| |
timestamp |
| |
managed_device_name |
| |
incidents_url |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
|
dlp.digitalguardian.networkdlp.system
Field | Type | Extra field |
---|---|---|
eventdate |
| |
hostname |
| |
category |
| |
managed_device_id |
| |
managed_device_name |
| |
managed_device_ip |
| |
source_ip |
| |
source_user |
| |
timestamp |
| |
summary |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
|
dlp.digitalguardian.networkdlp
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate |
| ||
hostchain |
| ✓ | |
tag |
| ✓ | |
rawMessage |
| ✓ | rawSource |