
rbi.menlo

Introduction

The tags beginning with rbi.menlo identify events generated by Menlo Security Browser Isolation (inside the Menlo Security Cloud Platform) belonging to Menlo Security.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as rbi.menlo. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Menlo Security Browser Isolation (inside the Menlo Security Cloud Platform) | rbi.menlo.attachment | rbi.menlo.attachment |
| | rbi.menlo.audit | rbi.menlo.audit |
| | rbi.menlo.email | rbi.menlo.email |
| | rbi.menlo.smtp | rbi.menlo.smtp |
| | rbi.menlo.web | rbi.menlo.web |

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

rbi.menlo.attachment

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| product | str | |
| rvlabs_factor | str | |
| vendor | str | |
| rewritten | str | |
| event_time | timestamp | |
| file_type | str | |
| bytes | str | |
| name | str | |
| message_tid | str | |
| reason | str | |
| version | str | |
| email_date | str | |
| sha256 | str | |
| message_id | str | |
| mime_type | str | |
| severity | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

rbi.menlo.audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| product | str | |
| vendor | str | |
| uid | str | |
| event_time | timestamp | |
| name | str | |
| version | str | |
| audit_actions | str | |
| sub_event_type | str | |
| rev_id | str | |
| severity | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

rbi.menlo.email

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| domain | str | |
| vendor | str | |
| rewritten | str | |
| event_time | timestamp | |
| message_tid | str | |
| charset | str | |
| product | str | |
| name | str | |
| url | str | |
| reason | str | |
| version | str | |
| email_date | str | |
| message_id | str | |
| severity | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

rbi.menlo.smtp

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| severity | str | |
| smtp_reply | str | |
| time_handoff_down | float8 | |
| total_links | int4 | |
| rows | int4 | |
| from2 | str | |
| next_hop_reason | str | |
| event_time | timestamp | |
| src_tls | str | |
| hostname2 | str | |
| src_ip | ip4 | |
| to | str | |
| version | str | |
| message_id | str | |
| product | str | |
| vendor | str | |
| timestamp | timestamp | |
| src_port | str | |
| reason | str | |
| dst_tls | str | |
| rewritten_links | int4 | |
| time_taken | float8 | |
| rewrite_success | str | |
| time_handoff_up | float8 | |
| name | str | |
| message_tid | str | |
| region | str | |
| unix_time | str | |
| unix_time_iso | timestamp | |
| mode | str | |
| dst_ip | ip4 | |
| dst_from_port | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

rbi.menlo.web

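| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| top_url | str | |
| domain | str | |
| protocol | str | |
| risk_tally | str | |
| is_iframe | str | |
| origin_ip | ip4 | |
| has_password | str | |
| file_size | str | |
| browser_and_version | str | |
| user_agent | str | |
| egress_ip | ip4 | |
| severity | str | |
| event_time | timestamp | |
| dst | ip4 | |
| filename | str | |
| risk_score | str | |
| version | str | |
| soph_dlp_ref | str | |
| xff_ip | str | |
| product | str | |
| vendor | str | |
| request_type | str | |
| tab_id | str | |
| pe_reason | str | |
| categories | str | |
| x_client_ip | ip4 | |
| name | str | |
| url | str | |
| response_code | str | |
| userid | str | |
| full_session_id | str | |
| pe_action | str | |
| ua_type | str | |
| content_type | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |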