Authentication

Table	Secops Entity	Original parameter
auth.all	entity_destinationDomain	domain
	entity_destinationIP	machine
	entity_sourceAccount	user
	entity_sourceIP	str(srcIp)

AWS

This union table joins every AWS-related table. Although this is not ideal, the divergence between the customers in collector adoption forced us to create the alerts on this union table.

In the future, it will be a good idea to move the AWS alerts to child tables in order to improve performance.

Table	SecOps Entity	Original Parameter
cloud.aws.cloudtrail	entity_sourceAccount	userIdentity_accountId
	entity_sourceIP	sourceIPAddress5
	entity_sourceName	userIdentity_arn

Azure

These union tables join every Microsoft Azure Cloud Services related table.

Table	SecOps Entity	Original Parameter
cloud.azure	entity_sourceHostname	hostname
cloud.azure.activity.events	entity_sourceAccount	split(split(split(stringify(jqeval(jqcompile(".identity.claims"), jsonparse(rawMessage))), "claims/upn", 1),":",1),",",0)
cloud.azure.activity.events	entity_sourceIP	callerIpAddress
cloud.azure.ad.audit	entity_destinationAccount	str(jqeval(jqcompile(".properties.additionalDetails[5].value"), jsonparse(rawMessage)))
	entity_destinationIP	str(jqeval(jqcompile(".properties.additionalDetails[9].value"), jsonparse(rawMessage)))
	entity_sourceAccount	properties_initiatedBy_user_userPrincipalName
	entity_sourceIP	callerIpAddress
cloud.azure.ad.signin	entity_sourceAccount	properties_userPrincipalName
cloud.azure.ad.signin	entity_sourceIP	callerIpAddress
cloud.azure.eh.events	entity_sourceAccount	str(jqeval(jqcompile(".properties.initiatedBy.user.id"), jsonparse(rawMessage)))
	entity_sourceEmail	split(split(split(stringify(jqeval(jqcompile(".identity.claims"), jsonparse(rawMessage))), "claims/upn", 1),":",1),",",0)
	entity_sourceIP	callerIpAddress
cloud.azure.other.administrative	entity_sourceAccount	str(jqeval(jqcompile(".identity.claims.name"), jsonparse(rawMessage)))
cloud.azure.other.administrative	entity_sourceIP	callerIpAddress
cloud.azure.others.policy	entity_sourceIP	callerIpAddress
cloud.azure.vm.unknown_events	entity_sourceAccount	str(jqeval(jqcompile(".ActorUPN"), jsonparse(message)))
cloud.azure.vm.unknown_events	entity_sourceIP	str(jqeval(jqcompile(".IpAddress"), jsonparse(message)))

Google Cloud Platform

These union tables are related to Google Cloud Platform.

Table	SecOps Entity	Original Parameter
cloud.gcp	entity_destinationAccount	account
	entity_destinationIP	split(stringify(jqeval(jqcompile(".jsonPayload.request.headers"), jsonparse(rawMessage))),",",10)
	entity_sourceAccount	protoPayload_authenticationInfo_principalEmail
	entity_sourceHostname	hostname
	entity_sourceIP	['str(jqeval(jqcompile(".protoPayload.request.ip"), jsonparse(rawMessage)))', 'protoPayload_requestMetadata_callerIp']
	entity_sourceUrl	protoPayload_resourceName
cloud.gcp.compute.firewall	entity_destinationIP	jsonPayload__connection__dest_ip
cloud.gcp.compute.firewall	entity_sourceIP	jsonPayload__connection__src_ip
cloud.gsuite.alerts	entity_sourceAccount	str(jqeval(jqcompile(".email"), jsonparse(data)))
cloud.gsuite.reports.access_transparency	entity_destinationAccount	ev_param_owner_email
	entity_sourceAccount	actor_email
	entity_sourceIP	ipAddress
cloud.gsuite.reports.admin	entity_sourceAccount	actor_email
cloud.gsuite.reports.admin	entity_sourceIP	ipAddress
cloud.gsuite.reports.drive	entity_destinationAccount	ev_param_target_user
	entity_sourceAccount	actor_email
	entity_sourceIP	ipAddress
cloud.gsuite.reports.login	entity_sourceAccount	ev_param_affected_email_address
cloud.gsuite.reports.login	entity_sourceIP	ipAddress
cloud.gsuite.reports.mobile	entity_sourceAccount	actor_email
cloud.gsuite.reports.mobile	entity_sourceIP	ipAddress
cloud.gsuite.reports.token	entity_sourceAccount	actor_email
	entity_sourceIP	ipAddress
	entity_sourceName	ev_param_app_name
cloud.office365	entity_destinationAccount	ObjectId
	entity_sourceIP	ClientIP
	entity_sourceName	UserId
cloud.office365.management	entity_destinationAccount	ObjectId
	entity_sourceIP	ClientIP
	entity_sourceName	UserId
cloud.office365.management.azureactivedirectory	entity_destinationAccount	ObjectId
	entity_sourceAccount	UserId
	entity_sourceIP	ClientIP
cloud.office365.management.exchange	entity_destinationName	Parameters_Identity
	entity_sourceAccount	UserId
	entity_sourceHostname	OriginatingServer
	entity_sourceIP	ClientIP
	entity_sourceName	Parameters_User
cloud.office365.management.secruitycompliancecenter	entity_sourceAccount	str(jqeval(jqcompile(".f3u"), Data))
cloud.office365.siem_agent_alert	entity_sourceName	suser
cloud.office365.siem_agent_event	entity_sourceIP	str(dvc)

EDR

Table	SecOps Entity	Original Parameter
edr.all.threats	entity_sourceIP	str(ip)
edr.cbef.endpoint_event	entity_sourceHostname	device_name
edr.cbef.endpoint_event	entity_sourceIP	str(local_ip)
edr.crowdstrike.cannon.processrollup2	entity_sourceAccount	UserName
	entity_sourceHostname	ComputerName
	entity_sourceIP	str(aip)

Table	SecOps Entity	Original Parameter
mail.proofpoint.tapsiem_v2	entity_destinationAccount	recipient
	entity_sourceAccount	sender
	entity_sourceIP	senderIP

Network

Table	SecOps Entity	Original Parameter
dns.windows	entity_destinationHostname	hostname
dns.windows	entity_sourceIP	str(remote_ip)
firewall.all.traffic	entity_destinationIP	str(dstIp)
firewall.all.traffic	entity_sourceIP	str(srcIp)
firewall.fortinet.traffic.forward	entity_destinationIP	str(dstIp)
firewall.fortinet.traffic.forward	entity_sourceIP	str(srcIp)
firewall.paloalto.system	entity_sourceAccount	user_name
firewall.paloalto.system	entity_sourceIP	str(client_ip) srcIp
netstat.netflow.all	entity_destinationIP	str(dstIp)
netstat.netflow.all	entity_sourceIP	str(srcIp)
network.dns	entity_destinationHostname	name
network.dns	entity_sourceIP	srcIp

Proxy

Table	SecOps Entity	Original Parameter
proxy.all.access	entity_destinationDomain	dstHost
	entity_destinationIP	str(dstIp)
	entity_destinationUrl	url
	entity_sourceAccount	user
	entity_sourceIP	str(srcIp)
firewall.paloalto.system	entity_sourceAccount	user_name
firewall.paloalto.system	entity_sourceIP	str(client_ip) srcIp
netstat.netflow.all	entity_destinationIP	str(dstIp)
netstat.netflow.all	entity_sourceIP	str(srcIp)
network.dns	entity_destinationHostname	name
network.dns	entity_sourceIP	srcIp

Threat systems

Table	SecOps Entity	Original Parameter
ids.bro.http	entity_destinationIP	destHost
ids.bro.http	entity_sourceIP	origHost
ids.bro.rdp	entity_destinationIP	destHost
ids.bro.rdp	entity_sourceIP	origHost
ids.bro.ssl	entity_destinationIP	destHost
ids.bro.ssl	entity_sourceIP	origHost
ids.bro.notice	entity_destinationIP	destHost
ids.bro.notice	entity_sourceIP	origHost
ids.bro.dce_rpc	entity_destinationIP	destHost
ids.bro.dce_rpc	entity_sourceIP	origHost

Web

Table	SecOps Entity	Original Parameter
domains.all	entity_destinationDomain	domain
domains.all	entity_destinationUrl	url
web.all.access	entity_destinationAccount	user
	entity_destinationHostname	serverName
	entity_destinationUrl	url
	entity_sourceHostname	urihost(referer)
	entity_sourceIP	str(srcIp)

Windows

This union table collects information from a set of tables that contain system events generated and sent from Windows machines.

Table	SecOps Entity	Original Parameter
box.all.win	entity_destinationAccount	account
	entity_destinationIp	dstIp
	entity_sourceAccount	['subjectUsername', 'serviceAccount']
	entity_sourceDomain	['subjectDomain', 'domain']
	entity_sourceHostname	srcHost
	entity_sourceIP	srcIp
	entity_sourceName	subjectUsername

Unix

This table details system logs from Unix machines.

Table	SecOps Entity	Original Parameter
box.unix	entity_sourceAccount	user
	entity_sourceHostname	machine
	entity_sourceIp	str(machineIp)

Security Operations Entities Mapping

Entities mapping