threatintel.anomaly
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as threatintel.anomaly. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
 | threatintel.anomaly.threatstream | threatintel.anomaly.threatstream
For more information, see About Devo tags.
Table structure
These are the fields displayed in this table:
threatintel.anomaly.threatstream

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate |  |  | 
rawMessage |  |  | ✓
host |  | vhost | 
search_name |  |  | 
search_now |  |  | 
info_min_time |  |  | 
info_max_time |  |  | 
info_search_time |  |  | 
event__time |  |  | 
event_action |  |  | 
event_count |  |  | 
event_dest |  |  | 
event_dest_port |  |  | 
event_et |  |  | 
event_host |  |  | 
event_source |  |  | 
event_sourcetype |  |  | 
event_src |  |  | 
event_src_port |  |  | 
event_ts_asn |  |  | 
event_ts_classification |  |  | 
event_ts_confidence |  |  | 
event_ts_country |  |  | 
event_ts_date_first |  |  | 
event_ts_date_last |  |  | 
event_ts_detail |  |  | 
event_ts_id |  |  | 
event_ts_ip |  |  | 
event_ts_itype |  |  | 
event_ts_lat |  |  | 
event_ts_lon |  |  | 
event_ts_lookup_key_value |  |  | 
event_ts_maltype |  |  | 
event_ts_org |  |  | 
event_ts_resource_uri |  |  | 
event_ts_severity |  |  | 
event_ts_source |  |  | 
event_ts_type |  |  | 
event_victim |  |  | 
hostname |  |  | 
message |  | rawMessage | 
hostchain |  |  | ✓
tag |  |  | ✓