Document toolboxDocument toolbox

ids.attivo

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: Aug 21, 2023
1 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with ids.attivo identify events generated by Attivo.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as ids.attivo. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Attivo BOTsink

ids.attivo.botsink

ids.attivo.botsink

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

ids.attivo.botsink

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

Severity

str

 

Attacker_IP

ip4

 

Target_Host

str

 

Target_IP

ip4

 

Target_OS

str

 

Description

str

 

Details

str

 

Phase

str

 

Service

str

 

VLANID

str

 

Forwarder

str

 

Attacker_IP_Domain

str

 

Target_IP_Domain

str

 

Attacker_HostName

str

 

Attacker_UserNames

str

 

TargetIP_List

str

 

Target_Ports

str

 

Target_IP_Ports

str

 

Forwarder_IP

ip4

 

Dest_UserName

str

 

subscriberName

str

 

Attacker_MAC

str

 

Attivo_AlertID

str

 

MITRE_Technique_ID

str

 

MITRE_Technique_Name

str

 

MITRE_Tactic_Name

str

 

VTSummaryResult

str

 

WebRootReputation

str

 

rawMessage

str

 ✓

hostchain

str

✓ 

tag

str

 ✓