
dlp.digitalguardian

Introduction

The tags beginning with dlp.digitalguardian identify events generated by Digital Guardian.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as dlp.digitalguardian. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Digital Guardian | dlp.digitalguardian.arc.events | dlp.digitalguardian.arc.events |
| | dlp.digitalguardian.endpointdlp.alerts | dlp.digitalguardian.endpointdlp.alerts |
| | dlp.digitalguardian.endpointdlp.audit | dlp.digitalguardian.endpointdlp.audit |
| | dlp.digitalguardian.endpointdlp.classification | dlp.digitalguardian.endpointdlp.classification |
| | dlp.digitalguardian.endpointdlp.events | dlp.digitalguardian.endpointdlp.events |
| | dlp.digitalguardian.endpointdlp.alerts | dlp.digitalguardian.endpointdlp |
| | dlp.digitalguardian.networkdlp.events | dlp.digitalguardian.networkdlp.events |
| | dlp.digitalguardian.networkdlp.system | dlp.digitalguardian.networkdlp.system |
| | dlp.digitalguardian.networkdlp.events | dlp.digitalguardian.networkdlp |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

dlp.digitalguardian.arc.events

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| machine_type | str | |
| file_internal_name | str | |
| application | str | |
| md5_hash | str | |
| original_name | str | |
| dg_custom_data_dg_scope | str | |
| parent_application | str | |
| process_directory | str | |
| was_rule_violated | str | |
| process_local_creation_time | str | |
| process_path | str | |
| process_file_extension | str | |
| was_removable | str | |
| dg_custom_data_dg_values | str | |
| is_user_local_admin | str | |
| event_display_name | str | |
| dg_custom_data_dg_name | str | |
| company_name | str | |
| file_version | str | |
| product_name | str | |
| user_domain | str | |
| mac_address | str | |
| user | str | |
| agent_version | str | |
| unique_id | str | |
| command_line | str | |
| product_version | str | |
| computer_name | str | |
| application_internal_name | str | |
| was_mobile_device | str | |
| _time | timestamp | |
| operation_type | str | |
| process_file_size | str | |
| was_detail_blocked | str | |
| process_domain | str | |
| event_local_time | str | |
| was_classified | str | |
| file_description | str | |
| parent_md5_hash | str | |
| sha256_hash | str | |
| process_pid | int4 | |
| server_process_time | timestamp | |
| event_time | str | |
| parent_process_internal_name | str | |
| process_local_modify_time | str | |
| x86_or_x64 | str | |
| process_local_access_time | str | |
| is_virtual_session | str | |
| bytes_written | str | |
| destination_drive_type | str | |
| dg_src_dev_dev_prdname | str | |
| source_was_classified | str | |
| destination_file_extension | str | |
| destination_file_name | str | |
| attachment_file_size | str | |
| dg_dst_dev_dev_bt | str | |
| attachment_source_file_name | str | |
| destination_was_classified | str | |
| source_file_extension | str | |
| dg_dst_dev_dev_dt | str | |
| dg_src_dev_dev_dt | str | |
| attachment_source_file_path | str | |
| destination_file_encryption | str | |
| dg_dst_dev_dev_vendor | str | |
| dg_src_dev_dev_bt | str | |
| dg_dst_dev_dev_prdname | str | |
| dg_src_dev_dev_vendor | str | |
| destination_bus_type | str | |
| attachment_source_directory | str | |
| attachment_source_drive_type | str | |
| source_is_removable | str | |
| source_file_encryption | str | |
| destination_file_path | str | |
| destination_is_removable | str | |
| destination_directory | str | |
| bytes_read | str | |
| dns_hostname | str | |
| url_path | str | |
| dg_alert_dg_policy_dg_category_name | str | |
| was_private_address | str | |
| dg_alert_dg_category_name | str | |
| network_direction | str | |
| source_ip_address | str | |
| dg_alert_alert_etu | str | |
| wireless_ssid | str | |
| remote_port | str | |
| dg_alert_dg_rule_action_type | str | |
| dg_alert_alert_ur | str | |
| adapter_name | str | |
| dg_alert_dg_name | str | |
| was_wireless | str | |
| local_port | str | |
| dg_alert_alert_at | str | |
| dg_alert_alert_al | str | |
| protocol | str | |
| dg_alert_alert_wb | str | |
| dg_alert_alert_etl | str | |
| dg_alert_dg_policy_dg_name | str | |
| dg_alert_dg_detection_source | str | |
| encryption_status | str | |
| dg_alert_alert_bc | str | |
| ip_address | str | |
| was_mobile_copy | str | |
| dg_recipients_uad_mr | str | |
| dg_attachments_dg_src_dir | str | |
| dg_attachments_dg_file_size | str | |
| event_was_blocked | str | |
| event_has_rule_violation | str | |
| dg_recipients_uad_mrt | str | |
| dg_attachments_uad_sdt | str | |
| email_subject | str | |
| dg_attachments_uad_sp | str | |
| email_sender | str | |
| dg_attachments_dg_src_file_name | str | |
| dg_recipients_dg_rec_email_domain | str | |
| url_host | str | |
| url_context_path | str | |
| url_port | int4 | |
| url_scheme | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

dlp.digitalguardian.endpointdlp.alerts

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| priority | int4 | | | |
| Agent_Local_Time | str | | | |
| Agent_UTC_Time | str | | | |
| timestamp | timestamp | | parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ") | Agent_UTC_Time_TZ |
| Application | str | | | |
| Computer_Name | str | | ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[1], Computer_Name_wDomain) | Computer_Name_wDomain, Computer_Name_tmp, Computer_Name_len |
| Domain | str | | ifthenelse(Computer_Name_len > 1, Computer_Name_tmp[0], null) | Computer_Name_tmp, Computer_Name_len |
| Computer_Type | str | | | |
| Email_Sender | str | | | |
| Email_Subject | str | | | |
| Operation | str | | | |
| Policy | str | | | |
| Rule | str | | | |
| Rule_Category | str | | | |
| Severity | str | | | |
| User_Response | str | | | |
| Was_Blocked | str | | | |
| Destination_Directory | str | | | |
| Destination_File | str | | | |
| Destination_File_Encryption | str | | | |
| DNS_Hostname | str | | | |
| Email_Recipient | str | | | |
| Email_Recipient_Type | str | | | |
| IP_Address | str | | | |
| Local_Port | str | | | |
| Network_Direction | str | | | |
| Object_Type | str | | | |
| Printer | str | | | |
| Printer_Jobname | str | | | |
| Protocol | str | | | |
| Remote_Port | str | | | |
| Source_Directory | str | | | |
| Source_File | str | | | |
| Source_File_Encryption | str | | | |
| URL_Path | str | | | |
| Was_Destination_Classified | str | | | |
| Was_Destination_Removable | str | | | |
| Was_S_MIME_Encrypted | str | | | |
| Was_S_MIME_Signed | str | | | |
| Was_Source_Classified | str | | | |
| Source_Drive_Type | str | | | |
| Source_Device_ID | str | | | |
| Destination_Drive_Type | str | | | |
| Destination_Device_ID | str | | | |
| Email_Address | str | | | |
| User_Name | str | | | User_Name_tmp, User_Name_wDomain, User_Name_len |
| Custom_Int_4 | str | | | |
| Custom_String_1 | str | | | |
| Custom_String_3 | str | | | |
| Custom_String_4 | str | | | |
| Detail_Event_ID | str | | | |
| Dll_SHA1_Hash | str | | | |
| Dll_SHA256_Hash | str | | | |
| Registry_Value | str | | | |
| Event_ID | str | | | |
| Detail_File_Size_MB | float8 | | | |
| Destination_Device_Friendly_Name | str | | | |
| Destination_Device_Product_ID | str | | | |
| Destination_Device_Product_Name | str | | | |
| Destination_Device_Serial_Number | str | | | |
| Destination_Device_Vendor | str | | | |
| Destination_Device_Vendor_ID | str | | | |
| Prompt_Survey_Text | str | | | |
| Source_Device_Friendly_Name | str | | | |
| Source_Device_Product_ID | str | | | |
| Source_Device_Product_Name | str | | | |
| Source_Device_Serial_Number | str | | | |
| Source_Device_Vendor | str | | | |
| Source_Device_Vendor_ID | str | | | |
| Source_IP_Address | str | | | |
| Alert_ID | str | | | |
| Server_Local_Timestamp | str | | | |
| User_Name_Text | str | | | |
| Category | str | | | |
| Detail | str | | | |
| message | str | | | rawSource |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | rawSource |
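As an added example (not Devo's or Digital Guardian's code) covering the four-level tag rule from the introduction and the Computer_Name, Domain and timestamp transformations in the table above: the backslash separator behind Computer_Name_tmp and the shape of the raw Agent_UTC_Time_TZ value are assumptions, since the page gives neither.

```python
# Added example (not Devo's or Digital Guardian's code); see lead-in for assumptions.
from datetime import datetime
from typing import Optional, Tuple

# Tag -> data table, as listed on this page.
TAG_TO_TABLE = {
    "dlp.digitalguardian.arc.events": "dlp.digitalguardian.arc.events",
    "dlp.digitalguardian.endpointdlp.alerts": "dlp.digitalguardian.endpointdlp.alerts",
    "dlp.digitalguardian.endpointdlp.audit": "dlp.digitalguardian.endpointdlp.audit",
    "dlp.digitalguardian.endpointdlp.classification": "dlp.digitalguardian.endpointdlp.classification",
    "dlp.digitalguardian.endpointdlp.events": "dlp.digitalguardian.endpointdlp.events",
    "dlp.digitalguardian.networkdlp.events": "dlp.digitalguardian.networkdlp.events",
    "dlp.digitalguardian.networkdlp.system": "dlp.digitalguardian.networkdlp.system",
}

def resolve_table(tag: str) -> Optional[str]:
    """Data table a tag feeds, or None if it is not exactly 4 levels with the
    fixed dlp.digitalguardian prefix or names a type.subtype not listed above."""
    levels = tag.split(".")
    if len(levels) != 4 or levels[:2] != ["dlp", "digitalguardian"]:
        return None
    return TAG_TO_TABLE.get(tag)

def split_computer_name(computer_name_wdomain: str) -> Tuple[Optional[str], str]:
    """Computer_Name / Domain rows above. Assumption: Computer_Name_tmp is the
    value split on a backslash (the page does not name the separator)."""
    tmp = computer_name_wdomain.split("\\")
    if len(tmp) > 1:  # Computer_Name_len > 1
        return tmp[0], tmp[1]  # Domain = tmp[0], Computer_Name = tmp[1]
    return None, computer_name_wdomain  # Domain = null, Computer_Name unchanged

def parse_agent_utc_time(agent_utc_time_tz: str) -> datetime:
    """Counterpart of parsedate(Agent_UTC_Time_TZ, "MM/DD/YYYY h:mm:ss AZZ");
    assumption: the raw value looks like "01/31/2024 3:07:09 PM+0000"."""
    return datetime.strptime(agent_utc_time_tz, "%m/%d/%Y %I:%M:%S %p%z")

def normalize_alert(record: dict) -> dict:
    """Derive Computer_Name, Domain and timestamp from one raw alert record."""
    domain, host = split_computer_name(record["Computer_Name_wDomain"])
    out = dict(record, Computer_Name=host, Domain=domain)
    out["timestamp"] = parse_agent_utc_time(record["Agent_UTC_Time_TZ"])
    return out

# Constructed sample record, not real Digital Guardian output.
SAMPLE_ALERT = {"Computer_Name_wDomain": "CORP\\WS-0042",
                "Agent_UTC_Time_TZ": "01/31/2024 3:07:09 PM+0000",
                "Policy": "Block copy to removable media", "Was_Blocked": "True"}
```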

dlp.digitalguardian.endpointdlp.audit

| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| priority | int4 | | |
| Server_Local_Timestamp | str | | |
| User_Name_Text | str | | |
| Category | str | | |
| Detail | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | ✓ | rawSource |

dlp.digitalguardian.endpointdlp.classification

| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| priority | int4 | | |
| Event_ID | str | | |
| Detail_Classification_Policy | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | ✓ | rawSource |

dlp.digitalguardian.endpointdlp.events

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| Agent_Local_Date | str | |
| Agent_Local_Time | str | |
| Agent_UTC_Time | str | |
| Application | str | |
| Computer_Name | str | |
| Computer_Type | str | |
| DNS_Hostname | str | |
| Email_Sender | str | |
| Email_Subject | str | |
| Event_ID | str | |
| Detail_Event_ID | str | |
| IP_Address | str | |
| Local_Port | str | |
| Network_Direction | str | |
| Operation | str | |
| Protocol | str | |
| Remote_Port | str | |
| URL_Path | str | |
| Was_Classified | str | |
| Was_Removable | str | |
| Was_Rule_Violation | str | |
| Was_S_MIME_Encrypted | str | |
| Was_S_MIME_Signed | str | |
| Device_ID | str | |
| Drive_Type | str | |
| Friendly_Name | str | |
| Product_ID | str | |
| Removal_Policy | str | |
| Serial_Number | str | |
| Vendor | str | |
| Vendor_ID | str | |
| Destination_Directory | str | |
| Destination_File | str | |
| Destination_File_Extension | str | |
| Email_Domain_Name | str | |
| Email_Recipient | str | |
| Printer | str | |
| Printer_Jobname | str | |
| Source_Directory | str | |
| Source_File | str | |
| Source_File_Extension | str | |
| User_Response | str | |
| Was_Destination_Classified | str | |
| Was_Detail_Rule_Violation | str | |
| Was_Source_Classified | str | |
| Was_Source_Removable | str | |
| Source_Drive_Type | str | |
| Source_Device_ID | str | |
| Destination_Drive_Type | str | |
| Destination_Device_ID | str | |
| Domain_Name | str | |
| Email_Address | str | |
| User_ID | str | |
| User_Name | str | |
| Custom_String_1 | str | |
| Custom_String_3 | str | |
| Custom_String_4 | str | |
| Company_Name | str | |
| Product_Name | str | |
| Product_Version | str | |
| Scan_Value_Status | str | |
| Scan_Value_Status_Local_Time | str | |
| Scan_Value_Status_Text | str | |
| Dll_SHA1_Hash | str | |
| Dll_SHA256_Hash | str | |
| Parent_Application_V2 | str | |
| Parent_MD5_Checksum_V2 | str | |
| Destination_Device_Friendly_Name | str | |
| Destination_Device_Product_ID | str | |
| Destination_Device_Product_Name | str | |
| Destination_Device_Serial_Number | str | |
| Destination_Device_Vendor | str | |
| Destination_Device_Vendor_ID | str | |
| Rule | str | |
| Source_Device_Friendly_Name | str | |
| Source_Device_Serial_Number | str | |
| Source_Device_Product_ID | str | |
| Source_Device_Product_Name | str | |
| Source_Device_Vendor | str | |
| Source_Device_Vendor_ID | str | |
| Was_Blocked | str | |
| MD5_Checksum | str | |
| Dll_Created_Local_Time | str | |
| Detail_File_Size_MB | str | |
| Detail_Classification_Content_Pattern | str | |
| Detail_Classification_Frequency | str | |
| Detail_Classification_Policy | str | |
| Detail_Classification_Rule | str | |
| Detail_Classification_Type | str | |
| Source_IP_Address | str | |
| Registry_Value | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

dlp.digitalguardian.endpointdlp

| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| type | str | | vtype |
| message | str | | rawSource |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | ✓ | rawSource |

dlp.digitalguardian.networkdlp.events

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| incident_id | str | |
| managed_device_id | str | |
| number_of_incidents | str | |
| incident_status | str | |
| matched_policies_by_severity | str | |
| action_taken | str | |
| matches | str | |
| protocol | str | |
| http_url | str | |
| inspected_document | str | |
| source | str | |
| source_ip | ip4 | |
| source_port | str | |
| destination | str | |
| destination_ip | ip4 | |
| destination_port | str | |
| email_subject | str | |
| email_sender | str | |
| email_recipients | str | |
| timestamp | str | |
| managed_device_name | str | |
| incidents_url | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

dlp.digitalguardian.networkdlp.system

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| category | str | |
| managed_device_id | str | |
| managed_device_name | str | |
| managed_device_ip | ip4 | |
| source_ip | ip4 | |
| source_user | str | |
| timestamp | str | |
| summary | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |

dlp.digitalguardian.networkdlp

| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | ✓ | rawSource |