.dlp.digitalguardian vv7.9.0
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The tags beginning with dlp.digitalguardian identify events generated by Digital Guardian.
The full tag must have 4 levels. The first two are fixed as dlp.digitalguardian. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
|---|---|---|---|
dlp | digitalguardian |
|
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| dlp.digitalguardian.arc.events | dlp.digitalguardian.arc.events |
Log samples
The following are sample logs sent to each of the dlp.digitalguardian data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
dlp.digitalguardian.arc.events
2022-02-07 08:42:20.578 localhost=127.0.0.1 dlp.digitalguardian.arc.events: {"Agent Version": "192.168.68.494", "Source Is Removable": "Yes", "Destination Directory": "https://some_user@email/ocs/docs", "Is User Local Admin": "hugheskathy", "Process Local Modify Time": "2021-11-15 04:40:27 AM", "Local Port": "2146", "DNS Hostname": "some_user@email", "Parent Process Internal Name": "runtimebroker.", "Process Local Access Time": "2021-11-16 02:34:02 PM", "Destination File Path": "https://some_user@email/ocs/docs/recent", "Attachment File Size": "2.0 KB", "_time": 1637118848127, "SHA256 Hash": "55FB2E04CD06EEAD8EBBDE256BD0C2FB6666670E8671AF0D9640D5714437641E", "Destination Was Classified": "hugheskathy", "Application": "winword.exe", "File Version": "16.0.13801.21004", "Operation Type": "Network Transfer Upload", "Company Name": "microsoft corporation", "Server Process Time": 1637118848127, "Was Private Address": "hugheskathy", "Was Detail Blocked": "hugheskathy", "Destination Bus Type": "Unknown", "Wireless SSID": "", "Protocol": "TCP", "Command Line": "\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\\" http:something", "Encryption Status": "0", "File Internal Name": "winword", "Source File Encryption": "hugheskathyne", "Product Name": "microsoft office", "Unique ID": "fb275002-4751-11ec-916d-c8d9d2136870", "Process File Size": "1.9 MB", "Process PID": 18180, "MD5 Hash": "928d8e8ccd1f1cec214a0e6909b20b90", "Network Direction": "Outbound", "Event Display Name": "Network Transfer Upload", "Process Directory": "c:\\\\program files\\\\microsoft office\\\\root\\\\office16", "Attachment Source File Path": "recent", "Was Mobile Device": "hugheskathy", "Attachment Source Drive Type": "Unknown", "Computer Name": "client\\\\T64148", "Destination File Extension": "[no extension]", "Product Version": "16.0.13801.21004", "Bytes Written": "2.0 KB", "Process Path": "c:\\\\program files\\\\microsoft office\\\\root\\\\office16\\\\winword.exe", "Source IP Address": "192.168.128.176", "URL Path": "", "x86 Or x64": "x64", "Destination File Name": "recent", "Machine Type": "Windows", "Source Was Classified": "hugheskathy", "Parent MD5 Hash": "64fe4cba-af61-00a1-4c52-f19c8f2169dc", "Process File Extension": "exe", "User": "vargaskimberly", "Was Classified": "hugheskathy", "Parent Application": "runtimebroker.exe", "Was Removable": "hugheskathy", "Remote Port": "0", "Attachment Source File Name": "recent", "Original Name": "winword.exe", "Process Local Creation Time": "2021-10-26 07:45:17 AM", "User Domain": "zgarner", "Was Wireless": "hugheskathy", "File Description": "microsoft word", "Application Internal Name": "winword.exe", "Bytes Read": "2.0 KB", "Destination Is Removable": "hugheskathy", "MAC Address": "00:11:22:2e:a7:57", "Attachment Source Directory": "[no folder]", "Adapter Name": "", "Source File Extension": "[no extension]", "Is Virtual Session": "Yes", "Process Domain": "zgarner", "Was Rule Violated": "hugheskathy", "Event Time": "2021-11-17 02:56:58 AM", "Destination Drive Type": "Remote", "IP Address": "", "Destination File Encryption": "hugheskathyne", "Event Local Time": "2021-11-16 09:56:58 PM"}
2022-02-07 08:42:20.578 localhost=127.0.0.1 dlp.digitalguardian.arc.events: {"Machine Type": "Windows", "Bytes Written": "25.4 KB", "File Internal Name": "electron.exe", "Destination Drive Type": "Fixed", "dg_src_dev.dev_prdname": "name", "Source Was Classified": "kyle05", "Application": "code.exe", "Was Mobile Device": "kyle05", "Destination File Extension": "[no extension]", "Destination File Name": "5adb6a90-b674-495f-aa71-38b48ea9386f", "Original Name": "electron.exe", "Attachment File Size": "25.4 KB", "Unique ID": "00f1818c-4759-11ec-916d-c8d9d2136870", "Parent Application": "code.exe", "Process Directory": "c:\\\\program files\\\\microsoft vs code", "dg_dst_dev.dev_bt": null, "Was Rule Violated": "kyle05", "Process Local Creation Time": "2021-09-20 03:35:39 PM", "Attachment Source File Name": "-271f7375", "Process File Extension": "exe", "Destination Was Classified": "kyle05", "Source File Extension": "[no extension]", "Is User Local Admin": "kyle05", "Event Display Name": "File Move", "dg_dst_dev.dev_dt": "Fixed", "dg_src_dev.dev_dt": "Fixed", "Company Name": "microsoft corporation", "MAC Address": "00:11:22:fb:81:52", "File Version": "1.56.2", "Attachment Source File Path": "c:\\\\users\\\\gregorydavid\\\\appdata\\\\roaming\\\\code\\\\backups\\\\1632176040615\\\\file\\\\-271f7375", "Product Name": "visual studio code", "User Domain": "thomasricardo", "Destination File Encryption": "kyle05ne", "User": "gregorydavid", "Was Removable": "kyle05", "Agent Version": "192.168.77.524", "dg_dst_dev.dev_vendor": "", "dg_src_dev.dev_bt": null, "dg_dst_dev.dev_prdname": "name", "_time": 1637121248041, "dg_src_dev.dev_vendor": "", "Process Domain": "thomasricardo", "Destination Bus Type": null, "Product Version": "1.56.2", "Computer Name": "client\\\\T64148", "Attachment Source Directory": "c:\\\\users\\\\gregorydavid\\\\appdata\\\\roaming\\\\code\\\\backups\\\\1632176040615\\\\file", "Attachment Source Drive Type": "Fixed", "Application Internal Name": "code.exe", "MD5 Hash": "5dd56f4f1fc0cda7ae60d34c23402bd8", "Parent Process Internal Name": "code.exe", "Operation Type": "File Move", "Process Path": "c:\\\\program files\\\\microsoft vs code\\\\code.exe", "Process File Size": "118.5 MB", "Was Detail Blocked": "kyle05", "Source Is Removable": "kyle05", "Command Line": "\\"C:\\\\Program Files\\\\Microsoft VS Code\\\\Code.exe\\" --type=renderer --disable-color-correct-rendering --field-trial-handle=2748,1331101976909089453,15210884913975035566,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-user-model-id=Microsoft.VisualStudioCode --app-path=\\"C:\\\\Program Files\\\\Microsoft VS Code\\\\resources\\\\app\\" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1 --vscode-window-config=vscode:7a0ee6c2-3ad1-4525-af19-ca55e28a859d", "x86 Or x64": "x64", "Was Classified": "kyle05", "File Description": "visual studio code", "Parent MD5 Hash": "4f6fd55d-c01f-a7cd-ae60-d34c23402bd8", "Event Local Time": "2021-11-16 10:47:03 PM", "Source File Encryption": "kyle05ne", "SHA256 Hash": "3DFD2D6123C1FA3AB44CC117FBBF9811AC4B039011AB94B736251855142F65C5", "Destination File Path": "c:\\\\users\\\\gregorydavid\\\\appdata\\\\local\\\\temp\\\\5adb6a90-b674-495f-aa71-38b48ea9386f", "Process PID": 26600, "Server Process Time": 1637121248041, "Destination Is Removable": "kyle05", "Event Time": "2021-11-17 03:47:03 AM", "Destination Directory": "c:\\\\users\\\\gregorydavid\\\\appdata\\\\local\\\\temp", "Process Local Modify Time": "2021-11-15 05:00:29 PM", "Bytes Read": "25.4 KB", "Process Local Access Time": "2021-11-15 05:00:29 PM", "Is Virtual Session": "Yes"}
2022-02-07 08:42:20.579 localhost=127.0.0.1 dlp.digitalguardian.arc.events: {"URL Host": "mydomain.net", "Process Local Creation Time": "2019-06-20 10:54:36 AM", "Protocol": "HTTP", "Event Time": "2021-11-17 10:18:10 PM", "Wireless SSID": "", "Operation Type": "Network Operation", "DNS Hostname": "mydomain.net", "Original Name": "chrome.exe", "Bytes Written": "0 B", "Is User Local Admin": "njohnson", "_time": 1637188694825, "Event Display Name": "Network Operation", "Was Removable": "njohnson", "Remote Port": "80", "Process Directory": "c:\\\\program files (x86)\\\\google\\\\chrome\\\\application", "Was Detail Blocked": "njohnson", "Was Classified": "njohnson", "Computer Name": "client\\\\T64148", "Company Name": "google llc", "URL Context Path": "/somepath", "URL Path": "http://mydomain.net/somepath", "IP Address": "192.168.24.74", "Process File Extension": "exe", "Encryption Status": "0", "MAC Address": "00:11:22:36:54:85", "URL Port": 80, "File Version": "94.0.4606.61", "Application": "chrome.exe", "Parent MD5 Hash": "82534946-644e-104f-ffdc-9e093fd18f94", "Bytes Read": "0 B", "Is Virtual Session": "Yes", "File Internal Name": "chrome_exe", "Process PID": 25804, "Adapter Name": "", "Process File Size": "2.4 MB", "Product Name": "google chrome", "Network Direction": "Outbound", "Process Domain": "harrismatthew", "Local Port": "2110", "Parent Process Internal Name": "chrome.exe", "User Domain": "harrismatthew", "Was Mobile Device": "njohnson", "Source IP Address": "192.168.5.53", "Was Wireless": "njohnson", "File Description": "google chrome", "Process Path": "c:\\\\program files (x86)\\\\google\\\\chrome\\\\application\\\\chrome.exe", "Event Local Time": "2021-11-17 05:18:10 PM", "Process Local Modify Time": "2021-10-20 12:12:55 AM", "Machine Type": "Windows", "SHA256 Hash": "97F7C592D69DFE06FE51B758886798AB62E03BF8EAB5F9E17CE4DD1323875FE2", "Was Private Address": "Yes", "User": "kelly07", "URL Scheme": "http", "Parent Application": "chrome.exe", "Process Local Access Time": "2021-11-15 08:17:27 AM", "Agent Version": "192.168.146.2414", "Product Version": "94.0.4606.61", "Was Rule Violated": "njohnson", "Unique ID": "c1a5429c-98ac-103b-5d09-806e7f2e9c1d", "MD5 Hash": "464953824e644f10ffdc9e093fd18f94", "x86 Or x64": "x64", "Command Line": "\\"C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2948,3652731506834864307,6137009968055880687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 /prefetch:8", "Server Process Time": 1637188694825, "Application Internal Name": "chrome.exe"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
machine_type |
|
| |
file_internal_name |
|
| |
application |
|
| |
md5_hash |
|
| |
original_name |
|
| |
dg_custom_data_dg_scope |
|
| |
parent_application |
|
| |
process_directory |
|
| |
was_rule_violated |
|
| |
process_local_creation_time |
|
| |
process_path |
|
| |
process_file_extension |
|
| |
was_removable |
|
| |
dg_custom_data_dg_values |
|
| |
is_user_local_admin |
|
| |
event_display_name |
|
| |
dg_custom_data_dg_name |
|
| |
company_name |
|
| |
file_version |
|
| |
product_name |
|
| |
user_domain |
|
| |
mac_address |
|
| |
user |
|
| |
agent_version |
|
| |
unique_id |
|
| |
command_line |
|
| |
product_version |
|
| |
computer_name |
|
| |
application_internal_name |
|
| |
was_mobile_device |
|
| |
_time |
|
| |
operation_type |
|
| |
process_file_size |
|
| |
was_detail_blocked |
|
| |
process_domain |
|
| |
event_local_time |
|
| |
was_classified |
|
| |
file_description |
|
| |
parent_md5_hash |
|
| |
sha256_hash |
|
| |
process_pid |
|
| |
server_process_time |
|
| |
event_time |
|
| |
parent_process_internal_name |
|
| |
process_local_modify_time |
|
| |
x86_or_x64 |
|
| |
process_local_access_time |
|
| |
is_virtual_session |
|
| |
bytes_written |
|
| |
destination_drive_type |
|
| |
dg_src_dev_dev_prdname |
|
| |
source_was_classified |
|
| |
destination_file_extension |
|
| |
destination_file_name |
|
| |
attachment_file_size |
|
| |
dg_dst_dev_dev_bt |
|
| |
attachment_source_file_name |
|
| |
destination_was_classified |
|
| |
source_file_extension |
|
| |
dg_dst_dev_dev_dt |
|
| |
dg_src_dev_dev_dt |
|
| |
attachment_source_file_path |
|
| |
destination_file_encryption |
|
| |
dg_dst_dev_dev_vendor |
|
| |
dg_src_dev_dev_bt |
|
| |
dg_dst_dev_dev_prdname |
|
| |
dg_src_dev_dev_vendor |
|
| |
destination_bus_type |
|
| |
attachment_source_directory |
|
| |
attachment_source_drive_type |
|
| |
source_is_removable |
|
| |
source_file_encryption |
|
| |
destination_file_path |
| ||
destination_is_removable |
|
| |
destination_directory |
| ||
bytes_read |
|
| |
dns_hostname |
|
| |
url_path |
|
| |
dg_alert_dg_policy_dg_category_name |
|
| |
was_private_address |
|
| |
dg_alert_dg_category_name |
|
| |
network_direction |
|
| |
source_ip_address |
|
| |
dg_alert_alert_etu |
|
| |
wireless_ssid |
|
| |
remote_port |
|
| |
dg_alert_dg_rule_action_type |
|
| |
dg_alert_alert_ur |
|
| |
adapter_name |
|
| |
dg_alert_dg_name |
|
| |
was_wireless |
|
| |
local_port |
|
| |
dg_alert_alert_at |
|
| |
dg_alert_alert_al |
|
| |
protocol |
|
| |
dg_alert_alert_wb |
|
| |
dg_alert_alert_etl |
|
| |
dg_alert_dg_policy_dg_name |
|
| |
dg_alert_dg_detection_source |
|
| |
encryption_status |
|
| |
dg_alert_alert_bc |
|
| |
ip_address |
|
| |
was_mobile_copy |
|
| |
dg_recipients_uad_mr |
|
| |
dg_attachments_dg_src_dir |
|
| |
dg_attachments_dg_file_size |
|
| |
event_was_blocked |
|
| |
event_has_rule_violation |
|
| |
dg_recipients_uad_mrt |
|
| |
dg_attachments_uad_sdt |
|
| |
email_subject |
|
| |
dg_attachments_uad_sp |
|
| |
email_sender |
|
| |
dg_attachments_dg_src_file_name |
|
| |
dg_recipients_dg_rec_email_domain |
|
| |
url_host |
|
| |
url_context_path |
|
| |
url_port |
|
| |
url_scheme |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |