
monitor.threatstack


Introduction

The tags beginning with monitor.threatstack identify events generated by Threat Stack.

Valid tags and data tables 

The full tag must have at least three levels. The first two are fixed as monitor.threatstack. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Threat Stack | monitor.threatstack.alerts.active | monitor.threatstack.alerts |
| | monitor.threatstack.alerts | monitor.threatstack.alerts |
| | monitor.threatstack.audit | monitor.threatstack.audit |
| | monitor.threatstack.cve | monitor.threatstack.cve |
| | monitor.threatstack.ec2 | monitor.threatstack.ec2 |
| | monitor.threatstack.events | monitor.threatstack.events |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

monitor.threatstack.alerts

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| alertType | str | | | |
| id | str | | | |
| title | str | | | |
| createdAt | timestamp | | | |
| isDismissed | bool | | | |
| dismissedAt | timestamp | | | |
| dismissReason | str | | | |
| dismissReasonText | str | | | |
| dismissedBy | str | | | |
| severity | int4 | | | |
| dataSource | str | | | |
| agentId | str | | | |
| ruleId | str | | | |
| rulesetId | str | | | |
| aggregates__fieldNames_str | str | | join(aggregates__fieldNames, ',') | aggregates__fieldNames |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | | | |

monitor.threatstack.audit

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| userEmail | str | | | |
| userId | str | | | |
| organizationId | str | | | |
| result | str | | | |
| crud | str | | | |
| action | str | | | |
| source | str | | | |
| description | str | | | |
| eventTime | timestamp | | | |
| context__url | str | | | |
| context__params__from | timestamp | | parsedate(context__params__from_str, dateformat("YYYY-MM-DD[T]HH:mm", "UTC")) | context__params__from_str |
| context__originIp | ip4 | | | |
| context__httpMethod | str | | | |
| context__responseCode | int4 | | | |
| context__responseSize | int8 | | | |
| godMode | bool | | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | | | |

monitor.threatstack.cve

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| cveNumber | str | | | |
| reportedPackage | str | | | |
| systemPackage | str | | | |
| vectorType | str | | | |
| isSuppressed | bool | | | |
| severity | str | | | |
| securityNotices__securityNoticeId_str | str | | join(securityNotices__securityNoticeId, ',') | securityNotices__securityNoticeId |
| securityNotices__source_str | str | | | securityNotices__source |
| securityNotices__url_str | str | | | securityNotices__url |
| agents__hostname_str | str | | | agents__hostname |
| agents__agentId_str | str | | | agents__agentId |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | | | |

monitor.threatstack.ec2

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| kernelId | str | | | |
| instanceType | str | | | |
| privateDnsName | str | | | |
| privateIpAddress | str | | | |
| groups__id_str | str | | | groups__id |
| groups__name_str | str | | | groups__name |
| subnetId | str | | | |
| keyName | str | | | |
| region | str | | | |
| launchTime | str | | | |
| imageId | str | | | |
| architecture | str | | | |
| publicDnsName | str | | | |
| publicIpAddress | str | | | |
| vpcId | str | | | |
| awsProfile__id_str | str | | | awsProfile__id |
| awsProfile__organizationName_str | str | | | awsProfile__organizationName |
| awsProfile__description_str | str | | | awsProfile__description |
| monitored | bool | | | |
| tags__key_str | str | | | tags__key |
| tags__value_str | str | | | tags__value |
| tags__source_str | str | | | tags__source |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | | | |

monitor.threatstack.events

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| timestamp | timestamp | | | |
| id | str | | | |
| organization_id | str | | | |
| agent_id | str | | | |
| ingest_time | timestamp | | | |
| event_id | str | | | |
| event_time | timestamp | | | |
| ts_event_type | str | | | |
| args_str | str | | | args |
| auid | int4 | | | |
| command | str | | | |
| events_str | str | | | events |
| filename | str | | | |
| gid | int4 | | | |
| group2_str | str | | | group2 |
| pid | int4 | | | |
| ppid | int4 | | | |
| rule_id | str | | | |
| rule_name | str | | | |
| session | int4 | | | |
| uid | int4 | | | |
| user | str | | | |
| eventClass | str | | | |
| containerLabels | str | | | |
| time_id | str | | | |
| event_type | str | | | |
| alert_id | str | | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | | | |

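The following Python is an added example written for this page; it is not Devo's parser or Threat Stack's code. It ties together the two things the page documents: the tag rule (at least three levels, the first two fixed as monitor.threatstack, the third selecting the data table, so that monitor.threatstack.alerts.active still lands in monitor.threatstack.alerts) and the column naming visible in the tables above (nested keys joined with `__`, list fields joined with `,` into a `<name>_str` column, and the audit-only parsedate of context__params__from_str with the pattern YYYY-MM-DD[T]HH:mm in UTC). The three events are constructed samples, not captured Threat Stack output, and the flattening rules are inferred from the table definitions rather than taken from Devo's implementation; the helper names (`is_valid_tag`, `table_for_tag`, `flatten`, `to_row`) are this example's own.

```python
"""Added example (not Devo's or Threat Stack's code): route a
monitor.threatstack tag to its data table and flatten a Threat Stack
JSON event into the column names documented on this page.
Assumptions: sample events are constructed; flattening rules are
inferred from the table definitions, not from Devo's parser."""
from datetime import datetime, timezone

TAG_PREFIX = ("monitor", "threatstack")

# Third tag level -> destination data table, as in the tags table above.
TABLE_BY_TYPE = {
    "alerts": "monitor.threatstack.alerts",
    "audit": "monitor.threatstack.audit",
    "cve": "monitor.threatstack.cve",
    "ec2": "monitor.threatstack.ec2",
    "events": "monitor.threatstack.events",
}


def is_valid_tag(tag: str) -> bool:
    """>= 3 levels, first two fixed, third a known Threat Stack event type."""
    levels = tag.split(".")
    return (len(levels) >= 3
            and tuple(levels[:2]) == TAG_PREFIX
            and levels[2] in TABLE_BY_TYPE)


def table_for_tag(tag: str) -> str:
    """Data table for a tag; deeper tags (alerts.active) use the third level."""
    if not is_valid_tag(tag):
        raise ValueError(f"not a valid monitor.threatstack tag: {tag!r}")
    return TABLE_BY_TYPE[tag.split(".")[2]]


def flatten(obj: dict, prefix: str = "") -> dict:
    """Nested objects -> parent__child; lists -> '<name>_str' = join(list, ',').
    A list of objects yields one '<name>__<key>_str' column per key."""
    row = {}
    for key, value in obj.items():
        name = f"{prefix}__{key}" if prefix else key
        if isinstance(value, dict):
            row.update(flatten(value, name))
        elif isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            columns = {}
            for item in value:
                for col, val in flatten(item, name).items():
                    columns.setdefault(col, []).append(val)
            for col, vals in columns.items():
                row[f"{col}_str"] = ",".join(str(v) for v in vals)
        elif isinstance(value, list):
            row[f"{name}_str"] = ",".join(str(v) for v in value)
        else:
            row[name] = value
    return row


def parse_params_from(value: str) -> datetime:
    """Python form of parsedate(..., dateformat("YYYY-MM-DD[T]HH:mm", "UTC"));
    the [T] in the Devo pattern is a literal T."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def to_row(tag: str, event: dict) -> tuple:
    """(table, row): route by tag, flatten, apply the audit-only transformation."""
    table = table_for_tag(tag)
    row = flatten(event)
    if table == "monitor.threatstack.audit" and "context__params__from" in row:
        # raw string stays in the *_str source field; typed column keeps the name
        raw = row.pop("context__params__from")
        row["context__params__from_str"] = raw
        row["context__params__from"] = parse_params_from(raw)
    row["tag"] = tag  # extra field carrying the full tag
    return table, row


# Constructed samples (not real Threat Stack data); identifiers are placeholders.
SAMPLE_ALERT = {"id": "alert-0001", "title": "User command executed",
                "severity": 2, "aggregates": {"fieldNames": ["user", "command"]}}
SAMPLE_AUDIT = {"id": "audit-0001", "crud": "read",
                "context": {"url": "/v2/alerts", "params": {"from": "2021-03-01T12:30"},
                            "originIp": "203.0.113.7", "responseCode": 200}}
SAMPLE_EC2 = {"id": "i-0000000000example",
              "groups": [{"id": "sg-0000a", "name": "web"}, {"id": "sg-0000b", "name": "db"}],
              "tags": [{"key": "env", "value": "prod", "source": "aws"}]}

if __name__ == "__main__":
    for tag, event in [("monitor.threatstack.alerts.active", SAMPLE_ALERT),
                       ("monitor.threatstack.audit", SAMPLE_AUDIT),
                       ("monitor.threatstack.ec2", SAMPLE_EC2)]:
        print(*to_row(tag, event))
```

Running the block prints one (table, row) pair per sample; the audit row shows both context__params__from_str (the original string) and context__params__from (the UTC timestamp), and the ec2 row shows groups__id_str as "sg-0000a,sg-0000b", which is the shape the tables above describe for list-valued source fields.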