entity.behavior
Introduction
The tags beginning with entity.behavior identify events generated by Security Operations.
Valid tags and data tables
The full tag must have four levels. The first two are fixed as entity.behavior. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Security Operations | entity.behavior.list.groups | entity.behavior.list.groups |
 | entity.behavior.list.members | entity.behavior.list.members |
 | entity.behavior.list.notables | entity.behavior.list.notables |
 | entity.behavior.risk.events | entity.behavior.risk.events |
 | entity.behavior.signals.events | entity.behavior.signals.events |
 | entity.behavior.signals.filtered | entity.behavior.signals.filtered |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
entity.behavior.list.groups
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
hostname |  |  |
risk_group |  |  |
risk_multiplier |  |  |
last_updated |  |  |
is_deleted |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |
entity.behavior.list.members
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
hostname |  |  |
entity_name |  |  |
risk_group |  |  |
last_updated |  |  |
is_deleted |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |
entity.behavior.list.notables
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
hostname |  |  |
entity_name |  |  |
last_updated |  |  |
is_deleted |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |
entity.behavior.risk.events
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
entity |  |  |
total_risk |  |  |
related |  |  |
last_risk |  |  |
alert_metrics_secops |  |  |
alert_metrics_ueba |  |  |
priority_metrics_high |  |  |
priority_metrics_critical |  |  |
entity_risk |  |  |
entity_type |  |  |
global_risk |  |  |
unique_alerts |  |  |
unique_techniques |  |  |
unique_tactics |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |
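As an added example, not part of the Devo documentation page or of the Security Operations product itself, the following LINQ query reads entity.behavior.risk.events and counts, per hour and per entity_type, the risk events whose total_risk reaches a threshold. It assumes total_risk, unique_techniques and unique_tactics are numeric columns; the threshold of 80 is an arbitrary value chosen for illustration, since the page does not state the risk scale.

```linq
// Added example query; field names come from the entity.behavior.risk.events table above.
// Assumption: total_risk is numeric and 80 is a meaningful threshold on your risk scale.
from entity.behavior.risk.events
  where total_risk >= 80
  // one bucket per hour and per kind of entity (user, host, etc.)
  group every 1h by entity_type
  select count() as high_risk_events,
         avg(total_risk) as mean_total_risk,
         max(unique_techniques) as max_unique_techniques,
         max(unique_tactics) as max_unique_tactics
```

Run the query with a time window that covers the events you care about; the hostchain, tag and rawMessage columns are extra fields and must be selected explicitly if you want them in the result.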
entity.behavior.signals.events
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
entity_sourceAccount |  |  |
entity_sourceFile |  |  |
entity_sourceIP |  |  |
entity_sourceHostname |  |  |
entity_sourceDomain |  |  |
entity_destinationAccount |  |  |
entity_destinationFile |  |  |
entity_destinationIP |  |  |
entity_destinationHostname |  |  |
entity_destinationDomain |  |  |
final_outcome |  |  |
explanation |  |  |
context |  |  |
original_eventdate |  |  |
recipe_name |  |  |
source_table |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |
entity.behavior.signals.filtered
Field | Type | Extra fields |
---|---|---|
eventdate |  |  |
entity_sourceAccount |  |  |
entity_sourceFile |  |  |
entity_sourceIP |  |  |
entity_sourceHostname |  |  |
entity_sourceDomain |  |  |
entity_destinationAccount |  |  |
entity_destinationFile |  |  |
entity_destinationIP |  |  |
entity_destinationHostname |  |  |
entity_destinationDomain |  |  |
final_outcome |  |  |
explanation |  |  |
context |  |  |
original_signal_eventdate |  |  |
recipe_name |  |  |
source_table |  |  |
hostchain |  | ✓ |
tag |  | ✓ |
rawMessage |  | ✓ |