dlp.digitalguardian
Introduction
The tags beginning with dlp.digitalguardian identify events generated by Digital Guardian.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as dlp.digitalguardian. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and the corresponding data tables that receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Digital Guardian | dlp.digitalguardian.arc.events | dlp.digitalguardian.arc.events |
 | dlp.digitalguardian.endpointdlp.alerts | dlp.digitalguardian.endpointdlp.alerts, dlp.digitalguardian.endpointdlp |
 | dlp.digitalguardian.endpointdlp.audit | dlp.digitalguardian.endpointdlp.audit, dlp.digitalguardian.endpointdlp |
 | dlp.digitalguardian.endpointdlp.classification | dlp.digitalguardian.endpointdlp.classification, dlp.digitalguardian.endpointdlp |
 | dlp.digitalguardian.endpointdlp.events | dlp.digitalguardian.endpointdlp.events, dlp.digitalguardian.endpointdlp |
 | dlp.digitalguardian.networkdlp.events | dlp.digitalguardian.networkdlp.events, dlp.digitalguardian.networkdlp |
 | dlp.digitalguardian.networkdlp.system | dlp.digitalguardian.networkdlp.system, dlp.digitalguardian.networkdlp |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
dlp.digitalguardian.arc.events
Field | Type | Extra field |
---|---|---|
eventdate | | |
hostname | | |
machine_type | | |
file_internal_name | | |
application | | |
md5_hash | | |
original_name | | |
dg_custom_data_dg_scope | | |
parent_application | | |
process_directory | | |
was_rule_violated | | |
process_local_creation_time | | |
process_path | | |
process_file_extension | | |
was_removable | | |
dg_custom_data_dg_values | | |
is_user_local_admin | | |
event_display_name | | |
dg_custom_data_dg_name | | |
company_name | | |
file_version | | |
product_name | | |
user_domain | | |
mac_address | | |
user | | |
agent_version | | |
unique_id | | |
command_line | | |
product_version | | |
computer_name | | |
application_internal_name | | |
was_mobile_device | | |
_time | | |
operation_type | | |
process_file_size | | |
was_detail_blocked | | |
process_domain | | |
event_local_time | | |
was_classified | | |
file_description | | |
parent_md5_hash | | |
sha256_hash | | |
process_pid | | |
server_process_time | | |
event_time | | |
parent_process_internal_name | | |
process_local_modify_time | | |
x86_or_x64 | | |
process_local_access_time | | |
is_virtual_session | | |
bytes_written | | |
destination_drive_type | | |
dg_src_dev_dev_prdname | | |
source_was_classified | | |
destination_file_extension | | |
destination_file_name | | |
attachment_file_size | | |
dg_dst_dev_dev_bt | | |
attachment_source_file_name | | |
destination_was_classified | | |
source_file_extension | | |
dg_dst_dev_dev_dt | | |
dg_src_dev_dev_dt | | |
attachment_source_file_path | | |
destination_file_encryption | | |
dg_dst_dev_dev_vendor | | |
dg_src_dev_dev_bt | | |
dg_dst_dev_dev_prdname | | |
dg_src_dev_dev_vendor | | |
destination_bus_type | | |
attachment_source_directory | | |
attachment_source_drive_type | | |
source_is_removable | | |
source_file_encryption | | |
destination_file_path | | |
destination_is_removable | | |
destination_directory | | |
bytes_read | | |
dns_hostname | | |
url_path | | |
dg_alert_dg_policy_dg_category_name | | |
was_private_address | | |
dg_alert_dg_category_name | | |
network_direction | | |
source_ip_address | | |
dg_alert_alert_etu | | |
wireless_ssid | | |
remote_port | | |
dg_alert_dg_rule_action_type | | |
dg_alert_alert_ur | | |
adapter_name | | |
dg_alert_dg_name | | |
was_wireless | | |
local_port | | |
dg_alert_alert_at | | |
dg_alert_alert_al | | |
protocol | | |
dg_alert_alert_wb | | |
dg_alert_alert_etl | | |
dg_alert_dg_policy_dg_name | | |
dg_alert_dg_detection_source | | |
encryption_status | | |
dg_alert_alert_bc | | |
ip_address | | |
was_mobile_copy | | |
dg_recipients_uad_mr | | |
dg_attachments_dg_src_dir | | |
dg_attachments_dg_file_size | | |
event_was_blocked | | |
event_has_rule_violation | | |
dg_recipients_uad_mrt | | |
dg_attachments_uad_sdt | | |
email_subject | | |
dg_attachments_uad_sp | | |
email_sender | | |
dg_attachments_dg_src_file_name | | |
dg_recipients_dg_rec_email_domain | | |
url_host | | |
url_context_path | | |
url_port | | |
url_scheme | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
dlp.digitalguardian.endpointdlp.alerts
Field | Type | Extra field | Field transformation | Source field name |
---|---|---|---|---|
eventdate | | | | |
priority | | | | |
Agent_Local_Time | | | | |
Agent_UTC_Time | | | | |
timestamp | | | parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ") | Agent_UTC_Time_TZ |
Application | | | | |
Computer_Name | | | ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[1], Computer_Name_wDomain) | Computer_Name_wDomain, Computer_Name_tmp, Computer_Name_len |
Domain | | | ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[0], null) | Computer_Name_tmp, Computer_Name_len |
Computer_Type | | | | |
Email_Sender | | | | |
Email_Subject | | | | |
Operation | | | | |
Policy | | | | |
Rule | | | | |
Rule_Category | | | | |
Severity | | | | |
User_Response | | | | |
Was_Blocked | | | | |
Destination_Directory | | | | |
Destination_File | | | | |
Destination_File_Encryption | | | | |
DNS_Hostname | | | | |
Email_Recipient | | | | |
Email_Recipient_Type | | | | |
IP_Address | | | | |
Local_Port | | | | |
Network_Direction | | | | |
Object_Type | | | | |
Printer | | | | |
Printer_Jobname | | | | |
Protocol | | | | |
Remote_Port | | | | |
Source_Directory | | | | |
Source_File | | | | |
Source_File_Encryption | | | | |
URL_Path | | | | |
Was_Destination_Classified | | | | |
Was_Destination_Removable | | | | |
Was_S_MIME_Encrypted | | | | |
Was_S_MIME_Signed | | | | |
Was_Source_Classified | | | | |
Source_Drive_Type | | | | |
Source_Device_ID | | | | |
Destination_Drive_Type | | | | |
Destination_Device_ID | | | | |
Email_Address | | | | |
User_Name | | | | User_Name_tmp, User_Name_wDomain, User_Name_len |
Custom_Int_4 | | | | |
Custom_String_1 | | | | |
Custom_String_3 | | | | |
Custom_String_4 | | | | |
Detail_Event_ID | | | | |
Dll_SHA1_Hash | | | | |
Dll_SHA256_Hash | | | | |
Registry_Value | | | | |
Event_ID | | | | |
Detail_File_Size_MB | | | | |
Destination_Device_Friendly_Name | | | | |
Destination_Device_Product_ID | | | | |
Destination_Device_Product_Name | | | | |
Destination_Device_Serial_Number | | | | |
Destination_Device_Vendor | | | | |
Destination_Device_Vendor_ID | | | | |
Prompt_Survey_Text | | | | |
Source_Device_Friendly_Name | | | | |
Source_Device_Product_ID | | | | |
Source_Device_Product_Name | | | | |
Source_Device_Serial_Number | | | | |
Source_Device_Vendor | | | | |
Source_Device_Vendor_ID | | | | |
Source_IP_Address | | | | |
Alert_ID | | | | |
Server_Local_Timestamp | | | | |
User_Name_Text | | | | |
Category | | | | |
Detail | | | | |
message | | | | rawSource |
hostchain | | ✓ | | |
tag | | ✓ | | |
rawMessage | | ✓ | | rawSource |
dlp.digitalguardian.endpointdlp.audit
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
priority | | | |
Server_Local_Timestamp | | | |
User_Name_Text | | | |
Category | | | |
Detail | | | |
hostchain | | ✓ | |
tag | | ✓ | |
rawMessage | | ✓ | rawSource |
dlp.digitalguardian.endpointdlp.classification
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
priority | | | |
Event_ID | | | |
Detail_Classification_Policy | | | |
hostchain | | ✓ | |
tag | | ✓ | |
rawMessage | | ✓ | rawSource |
dlp.digitalguardian.endpointdlp.events
Field | Type | Extra field |
---|---|---|
eventdate | | |
Agent_Local_Date | | |
Agent_Local_Time | | |
Agent_UTC_Time | | |
Application | | |
Computer_Name | | |
Computer_Type | | |
DNS_Hostname | | |
Email_Sender | | |
Email_Subject | | |
Event_ID | | |
Detail_Event_ID | | |
IP_Address | | |
Local_Port | | |
Network_Direction | | |
Operation | | |
Protocol | | |
Remote_Port | | |
URL_Path | | |
Was_Classified | | |
Was_Removable | | |
Was_Rule_Violation | | |
Was_S_MIME_Encrypted | | |
Was_S_MIME_Signed | | |
Device_ID | | |
Drive_Type | | |
Friendly_Name | | |
Product_ID | | |
Removal_Policy | | |
Serial_Number | | |
Vendor | | |
Vendor_ID | | |
Destination_Directory | | |
Destination_File | | |
Destination_File_Extension | | |
Email_Domain_Name | | |
Email_Recipient | | |
Printer | | |
Printer_Jobname | | |
Source_Directory | | |
Source_File | | |
Source_File_Extension | | |
User_Response | | |
Was_Destination_Classified | | |
Was_Detail_Rule_Violation | | |
Was_Source_Classified | | |
Was_Source_Removable | | |
Source_Drive_Type | | |
Source_Device_ID | | |
Destination_Drive_Type | | |
Destination_Device_ID | | |
Domain_Name | | |
Email_Address | | |
User_ID | | |
User_Name | | |
Custom_String_1 | | |
Custom_String_3 | | |
Custom_String_4 | | |
Company_Name | | |
Product_Name | | |
Product_Version | | |
Scan_Value_Status | | |
Scan_Value_Status_Local_Time | | |
Scan_Value_Status_Text | | |
Dll_SHA1_Hash | | |
Dll_SHA256_Hash | | |
Parent_Application_V2 | | |
Parent_MD5_Checksum_V2 | | |
Destination_Device_Friendly_Name | | |
Destination_Device_Product_ID | | |
Destination_Device_Product_Name | | |
Destination_Device_Serial_Number | | |
Destination_Device_Vendor | | |
Destination_Device_Vendor_ID | | |
Rule | | |
Source_Device_Friendly_Name | | |
Source_Device_Serial_Number | | |
Source_Device_Product_ID | | |
Source_Device_Product_Name | | |
Source_Device_Vendor | | |
Source_Device_Vendor_ID | | |
Was_Blocked | | |
MD5_Checksum | | |
Dll_Created_Local_Time | | |
Detail_File_Size_MB | | |
Detail_Classification_Content_Pattern | | |
Detail_Classification_Frequency | | |
Detail_Classification_Policy | | |
Detail_Classification_Rule | | |
Detail_Classification_Type | | |
Source_IP_Address | | |
Registry_Value | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
dlp.digitalguardian.endpointdlp
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
type | | | vtype |
message | | | rawSource |
hostchain | | ✓ | |
tag | | ✓ | |
rawMessage | | ✓ | rawSource |
dlp.digitalguardian.networkdlp.events
Field | Type | Extra field |
---|---|---|
eventdate | | |
hostname | | |
incident_id | | |
managed_device_id | | |
number_of_incidents | | |
incident_status | | |
matched_policies_by_severity | | |
action_taken | | |
matches | | |
protocol | | |
http_url | | |
inspected_document | | |
source | | |
source_ip | | |
source_port | | |
destination | | |
destination_ip | | |
destination_port | | |
email_subject | | |
email_sender | | |
email_recipients | | |
timestamp | | |
managed_device_name | | |
incidents_url | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
dlp.digitalguardian.networkdlp.system
Field | Type | Extra field |
---|---|---|
eventdate | | |
hostname | | |
category | | |
managed_device_id | | |
managed_device_name | | |
managed_device_ip | | |
source_ip | | |
source_user | | |
timestamp | | |
summary | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
dlp.digitalguardian.networkdlp
Field | Type | Extra field | Source field name |
---|---|---|---|
eventdate | | | |
hostchain | | ✓ | |
tag | | ✓ | |
rawMessage | | ✓ | rawSource |