
entity.behavior


Introduction

The tags beginning with entity.behavior identify events generated by Security Operations: the entity lists it maintains (risk groups, their members and notable entities), the per-entity risk scores it computes, and the behavior signals it raises or filters out.

Valid tags and data tables

The full tag must have four levels. The first two are fixed as entity.behavior. The third level identifies the type of events sent (list, risk or signals), and the fourth level indicates the event subtype. Each valid tag is stored in a data table with the same name as the tag.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service     Tags                               Data tables
Security Operations   entity.behavior.list.groups        entity.behavior.list.groups
                      entity.behavior.list.members       entity.behavior.list.members
                      entity.behavior.list.notables      entity.behavior.list.notables
                      entity.behavior.risk.events        entity.behavior.risk.events
                      entity.behavior.signals.events     entity.behavior.signals.events
                      entity.behavior.signals.filtered   entity.behavior.signals.filtered

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

entity.behavior.list.groups

Field             Type        Extra field
eventdate         timestamp
hostname          str
risk_group        str
risk_multiplier   float8
last_updated      timestamp
is_deleted        bool
hostchain         str         ✓
tag               str         ✓
rawMessage        str         ✓

entity.behavior.list.members

Field             Type        Extra field
eventdate         timestamp
hostname          str
entity_name       str
risk_group        str
last_updated      timestamp
is_deleted        bool
hostchain         str         ✓
tag               str         ✓
rawMessage        str         ✓

entity.behavior.list.notables

Field             Type        Extra field
eventdate         timestamp
hostname          str
entity_name       str
last_updated      timestamp
is_deleted        bool
hostchain         str         ✓
tag               str         ✓
rawMessage        str         ✓

entity.behavior.risk.events

Field                       Type        Extra field
eventdate                   timestamp
entity                      str
total_risk                  float8
related                     str
last_risk                   timestamp
alert_metrics_secops        int4
alert_metrics_ueba          int4
priority_metrics_high       int4
priority_metrics_critical   int4
entity_risk                 float8
entity_type                 str
global_risk                 float8
unique_alerts               int4
unique_techniques           int4
unique_tactics              int4
hostchain                   str         ✓
tag                         str         ✓
rawMessage                  str         ✓

entity.behavior.signals.events

Field                        Type        Extra field
eventdate                    timestamp
entity_sourceAccount         str
entity_sourceFile            str
entity_sourceIP              ip4
entity_sourceHostname        str
entity_sourceDomain          str
entity_destinationAccount    str
entity_destinationFile       str
entity_destinationIP         ip4
entity_destinationHostname   str
entity_destinationDomain     str
final_outcome                float8
explanation                  str
context                      str
original_eventdate           str
recipe_name                  str
source_table                 str
hostchain                    str         ✓
tag                          str         ✓
rawMessage                   str         ✓

Note that original_eventdate is stored as str, not timestamp, so it must be converted before being compared with eventdate in a query.

entity.behavior.signals.filtered

Field                        Type        Extra field
eventdate                    timestamp
entity_sourceAccount         str
entity_sourceFile            str
entity_sourceIP              ip4
entity_sourceHostname        str
entity_sourceDomain          str
entity_destinationAccount    str
entity_destinationFile       str
entity_destinationIP         ip4
entity_destinationHostname   str
entity_destinationDomain     str
final_outcome                float8
explanation                  str
context                      str
original_signal_eventdate    str
recipe_name                  str
source_table                 str
hostchain                    str         ✓
tag                          str         ✓
rawMessage                   str         ✓

Note that original_signal_eventdate is stored as str, not timestamp, and that this table differs from entity.behavior.signals.events only in the name of that field.
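As an added example (not Devo's code, and not part of this page), the following Python applies the tag rules from the Valid tags and data tables section and the field tables from the Table structure section to check an event before it is handed to a parser: it splits the tag into its four levels, rejects anything that is not one of the six listed tags, resolves the data table of the same name, and type-checks every field against that table's schema. The concrete type checks (ISO-8601 strings for timestamp, a dotted-quad IPv4 address for ip4, the signed 32-bit range for int4), the decision to treat the check-marked extra fields hostchain, tag and rawMessage as optional, and the two sample events are assumptions made for this example only.

```python
"""Check an entity.behavior tag and an event against the table schemas on this
page. Added example, not Devo code; the sample events below are constructed."""
import ipaddress
from datetime import datetime

# Check-marked extra fields present in every table. Assumption for this
# example: they are optional on ingest, so they are type-checked only if present.
EXTRA_FIELDS = {"hostchain": "str", "tag": "str", "rawMessage": "str"}

_SIGNAL = {"eventdate": "timestamp", "entity_sourceAccount": "str",
           "entity_sourceFile": "str", "entity_sourceIP": "ip4",
           "entity_sourceHostname": "str", "entity_sourceDomain": "str",
           "entity_destinationAccount": "str", "entity_destinationFile": "str",
           "entity_destinationIP": "ip4", "entity_destinationHostname": "str",
           "entity_destinationDomain": "str", "final_outcome": "float8",
           "explanation": "str", "context": "str", "recipe_name": "str",
           "source_table": "str"}

# One schema per valid tag, copied from the field tables; the data table has
# the same name as the tag.
SCHEMAS = {
    "entity.behavior.list.groups": {
        "eventdate": "timestamp", "hostname": "str", "risk_group": "str",
        "risk_multiplier": "float8", "last_updated": "timestamp", "is_deleted": "bool"},
    "entity.behavior.list.members": {
        "eventdate": "timestamp", "hostname": "str", "entity_name": "str",
        "risk_group": "str", "last_updated": "timestamp", "is_deleted": "bool"},
    "entity.behavior.list.notables": {
        "eventdate": "timestamp", "hostname": "str", "entity_name": "str",
        "last_updated": "timestamp", "is_deleted": "bool"},
    "entity.behavior.risk.events": {
        "eventdate": "timestamp", "entity": "str", "total_risk": "float8",
        "related": "str", "last_risk": "timestamp", "alert_metrics_secops": "int4",
        "alert_metrics_ueba": "int4", "priority_metrics_high": "int4",
        "priority_metrics_critical": "int4", "entity_risk": "float8",
        "entity_type": "str", "global_risk": "float8", "unique_alerts": "int4",
        "unique_techniques": "int4", "unique_tactics": "int4"},
    "entity.behavior.signals.events": {**_SIGNAL, "original_eventdate": "str"},
    "entity.behavior.signals.filtered": {**_SIGNAL, "original_signal_eventdate": "str"},
}

def _is_ip4(v):
    try:
        return isinstance(v, str) and ipaddress.ip_address(v).version == 4
    except ValueError:
        return False

def _is_timestamp(v):
    try:
        datetime.fromisoformat(v)  # assumed wire format, e.g. "2024-05-01 12:00:00"
        return True
    except (TypeError, ValueError):
        return False

# bool is a subclass of int in Python, so the numeric checks use exact types.
_CHECKS = {"str": lambda v: isinstance(v, str), "bool": lambda v: isinstance(v, bool),
           "int4": lambda v: type(v) is int and -2**31 <= v < 2**31,
           "float8": lambda v: type(v) in (int, float),
           "ip4": _is_ip4, "timestamp": _is_timestamp}

def parse_tag(tag):
    """Apply the page's rules: exactly four levels, the first two fixed as
    entity.behavior, and type.subtype one of the listed pairs. Returns the
    data table name, which is identical to the tag."""
    levels = tag.split(".")
    if len(levels) != 4:
        raise ValueError(f"{tag!r}: expected 4 levels, got {len(levels)}")
    if levels[:2] != ["entity", "behavior"]:
        raise ValueError(f"{tag!r}: first two levels must be entity.behavior")
    if tag not in SCHEMAS:
        raise ValueError(f"{tag!r}: unknown type/subtype {levels[2]}.{levels[3]}")
    return tag

def validate_event(tag, event):
    """Return the list of schema problems for one event (empty means it fits)."""
    required = SCHEMAS[parse_tag(tag)]
    known = {**required, **EXTRA_FIELDS}
    problems = [f"missing {f}" for f in required if f not in event]
    for field, value in event.items():
        if field not in known:
            problems.append(f"unexpected field {field}")
        elif not _CHECKS[known[field]](value):
            problems.append(f"{field}: expected {known[field]}, got {value!r}")
    if event.get("tag", tag) != tag:
        problems.append(f"tag field {event['tag']!r} does not match {tag!r}")
    return problems

# Constructed samples: one well-formed risk event, one malformed signal event.
GOOD_RISK_EVENT = {
    "eventdate": "2024-05-01 12:00:00", "entity": "jdoe", "total_risk": 87.5,
    "related": "ws-042", "last_risk": "2024-05-01 11:58:00",
    "alert_metrics_secops": 3, "alert_metrics_ueba": 1, "priority_metrics_high": 2,
    "priority_metrics_critical": 1, "entity_risk": 60.0, "entity_type": "user",
    "global_risk": 42.0, "unique_alerts": 4, "unique_techniques": 3,
    "unique_tactics": 2, "tag": "entity.behavior.risk.events"}
BAD_SIGNAL_EVENT = {"eventdate": "2024-05-01 12:00:00", "entity_sourceAccount": "jdoe",
                    "entity_sourceIP": "10.0.0.300", "final_outcome": "high"}
```

Running validate_event("entity.behavior.risk.events", GOOD_RISK_EVENT) returns an empty list, while the malformed signal event is reported once per missing required field plus once for the out-of-range IPv4 octet and once for the string in a float8 column. The validator also rejects a tag with three levels, a tag whose prefix is not entity.behavior, and a four-level tag whose type/subtype pair is not in the table, which are the three ways a parser configuration most often misroutes data.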