
threatintel.anomaly

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as threatintel.anomaly. The third level identifies the type of events being sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags                             | Data tables
------------------|----------------------------------|---------------------------------
-                 | threatintel.anomaly.threatstream | threatintel.anomaly.threatstream

For more information, read About Devo tags.

Table structure

These are the fields displayed in this table:

threatintel.anomaly.threatstream

Field                     | Type      | Source field name | Extra fields
--------------------------|-----------|-------------------|-------------
eventdate                 | timestamp |                   |
rawMessage                | str       |                   | ✓
host                      | str       | vhost             |
search_name               | str       |                   |
search_now                | timestamp |                   |
info_min_time             | timestamp |                   |
info_max_time             | timestamp |                   |
info_search_time          | timestamp |                   |
event__time               | timestamp |                   |
event_action              | str       |                   |
event_count               | int4      |                   |
event_dest                | ip4       |                   |
event_dest_port           | int4      |                   |
event_et                  | str       |                   |
event_host                | str       |                   |
event_source              | str       |                   |
event_sourcetype          | str       |                   |
event_src                 | ip4       |                   |
event_src_port            | int4      |                   |
event_ts_asn              | int4      |                   |
event_ts_classification   | str       |                   |
event_ts_confidence       | str       |                   |
event_ts_country          | str       |                   |
event_ts_date_first       | str       |                   |
event_ts_date_last        | str       |                   |
event_ts_detail           | str       |                   |
event_ts_id               | str       |                   |
event_ts_ip               | str       |                   |
event_ts_itype            | str       |                   |
event_ts_lat              | float8    |                   |
event_ts_lon              | float8    |                   |
event_ts_lookup_key_value | str       |                   |
event_ts_maltype          | str       |                   |
event_ts_org              | str       |                   |
event_ts_resource_uri     | str       |                   |
event_ts_severity         | str       |                   |
event_ts_source           | str       |                   |
event_ts_type             | str       |                   |
event_victim              | ip4       |                   |
hostname                  | str       |                   |
message                   | str       | rawMessage        |
hostchain                 | str       |                   | ✓
tag                       | str       |                   | ✓