Field Name Glossary

The following table is a glossary of the common field names used for events in Sift Security CloudHunter. For each field name, the table describes the information contained in that field. If you are trying to integrate a new data source, see Data Model.

Field Description
@timestamp The timestamp of the event according to the service that generated it.
_type Either generic for events or alert for alerts.
account The cloud account associated with the storage component.
acl_association The entity associating a network ACL with a subnet (firewall functionality).
acl_grantee The entity being granted permission.
acl_grantee_URI The URI related to the entity being granted permission.
acl_grantee_type The type of entity being granted permission.
acl_owner The entity that owns the ACL.
acl_permission The permission being granted.
acting_role The role taking action in this event.
acting_user The user taking action in this event.
action An action taken by a firewall, proxy, or other network device.
action_type Indicates the type of action performed: modified for a mutating action, accessed otherwise.
alert_category The category of an alert. TODO: link to the meaning of each category.
alert_description Description of alert that contains specific information about this specific alert. Tokenized for search.
alert_description.keyword Use this field if you want to do a full-text match against alert_description.
alert_name Name of the alert. For internal alerts, the name of the rule or anomaly that generated the alert. Tokenized for search.
alert_name.keyword Use this field if you want to do a full-text match against alert_name.
alert_notes Free form text about an alert entered by the user.
alert_notes.keyword Use this field if you want to do a full-text match against alert_notes.
alert_priority Priority score of the alert (1-100, where each 20 points represents one severity level).
alert_priority_string Severity of the alert. One of Informational, Low, Medium, High, Critical.
alert_rationale Description of why this alert is important.
alert_recommendation What actions should be taken in response to this alert.
alert_source The source that generated this alert. Tokenized for search.
alert_source.keyword Use this field if you want to do a full-text match against alert_source.
alert_stage Stage of the Cloud Attack Chain associated with this alert. One of Exposure, Access, Lateral Movement, Actions, or Other for configuration-compliance alerts and any other alerts that do not map to the cloud attack chain.
alert_status The resolution status of this alert. TODO: link to the meaning of each status.
alert_tags Array of tags applied to this alert for easy searching and sorting. Tags can be modified in the rules or anomalies tab.
alert_window For alerts, the time window, in milliseconds, over which an aggregation was performed. The events that underlie the alert fall within the range @timestamp - alert_window to @timestamp.
allocated_storage The amount of storage allocated.
app For network traffic, the network application in use based on port usage.
apply_immediately If a change should be applied to the database component immediately.
attribute_name The attribute of a database component.
attribute_type The type of the database attribute.
attribute_value The value of a database attribute.
auto_upgrade_major Automatically perform major version upgrades.
auto_upgrade_minor Automatically perform minor version upgrades.
availability_zone The availability zone hosting the networking component.
bytes The total number of bytes transferred.
certificate_id The ID of the certificate being used by the database component.
cidr The IP address range (in CIDR notation) referenced in the event.
cloud_provider The cloud service provider for which the event was generated, such as AWS or Azure.
cluster A logical grouping of compute instances.
cluster_config Configuration to launch a cluster.
compute_disk The virtual disk storage associated to a compute instance.
compute_disk_snapshot A snapshot of a compute disk.
compute_image The compute instance template.
compute_image_location The originating location of the compute image.
compute_image_public A boolean value that indicates if the compute image is publicly accessible.
compute_instance A virtual machine or compute instance.
compute_type The type of instance according to the cloud service provider.
creation_time_cluster The creation time of the database cluster.
creation_time_instance The creation time of the database instance.
creation_time_snapshot The creation time of the database snapshot.
creation_time_table The creation time of the database table.
cve Common Vulnerabilities and Exposures identifier (searchable at http://cve.mitre.org).
database The database name.
db_cluster A cluster of databases.
db_cluster_members The database instances included in the database cluster.
db_copy_tags_to_snapshot If the tags associated to the database instance or cluster should be copied to the snapshots.
db_encrypted If the data in the database is being encrypted at rest.
db_engine The type of database software used.
db_engine_family The family of database (engine type and version) supported by a parameter group.
db_engine_license_model The license model of the database software used.
db_engine_version The version of the database software used.
db_force_failover Force the database instance to failover to a replica.
db_hosted_zone_id The DNS hosting zone ID for the database instance or cluster.
db_index The name of the database index.
db_instance An isolated environment hosting database software.
db_instance_type The type or class of database instance which indicates CPU
db_log_file The database log file being downloaded.
db_log_lines_amount How many log lines were downloaded.
db_log_lines_marker The last log line that was downloaded.
db_replica The set of replicas for this database instance or cluster.
db_replication_group The regions where a global database table is being hosted.
db_resource_id The immutable identifier for the database instance or cluster. This identifier is found in log entries whenever the associated encryption key is accessed.
db_restorable_time_earliest The earliest backup of the database instance or cluster available for restoration.
db_restorable_time_latest The most recent backup of the database instance or cluster available for restoration.
db_security_group A security group specific to database instances or clusters of instances.
db_security_group_description Description of the database security group.
db_security_group_owner The ID of the owner of the database security group (such as the AWS account number).
db_snapshot A snapshot or backup of a database.
db_snapshot_encrypted If a database snapshot is encrypted.
db_snapshot_type Indicates if this database snapshot was automatic or manual.
db_stream_enabled If a stream is enabled for the database component.
db_stream_view_type The type of information written to the database stream.
db_subnet_group A group of subnets allowed to host your database instances.
db_subnet_group_description Description of the database subnet group.
db_table The name of the database table (SQL or NoSQL).
dest_cidr The destination CIDR (IP address range) of an event.
dest_host Hostname of the traffic destination, or the only hostname in the event when there is no source (src).
dest_ip IP address of the traffic destination, or the only IP address in the event when there is no source (src).
dest_ip_geo.city_name City name from GeoIP lookup.
dest_ip_geo.country_code2 ISO country code from GeoIP lookup.
dest_ip_geo.country_name Country name from GeoIP lookup.
dest_ip_geo.location.lat Latitude from GeoIP lookup.
dest_ip_geo.location.lon Longitude from GeoIP lookup.
dest_ip_geo.postal_code Postal code from GeoIP lookup.
dest_ip_geo.region_name Region from GeoIP lookup.
dest_ip_geo.timezone Timezone from GeoIP lookup.
dest_ip_geo_country_code2 ISO country code from GeoIP lookup.
dest_ip_geo_location Latitude/longitude pair from GeoIP lookup, used for map visualization.
dest_mac MAC address of the destination of the traffic.
dest_port Port number of the destination of the traffic.
dest_vpc The destination VPC for an event.
domain_membership The Active Directory domain (or other domain type) membership of the database component.
duration Duration in seconds.
encryption_service_key The encryption key being accessed or modified.
encryption_service_key_alias The alias name for an encryption key.
error_code Error code received if event failed.
error_message Error message received if event failed.
eventtype Event name provided by the cloud provider or data source.
http_user_agent The HTTP user agent of the caller.
iam_access_key Access key ID used to access the cloud resource.
iam_authentication_enabled If the database takes authentication from the cloud provider IAM service.
iam_group A cloud group that contains users.
iam_identity_type The type of identity that invoked the event.
iam_session The ID of an IAM session.
iam_session_mfa Indicates if the event happened during a multi-factor authenticated session.
iam_session_mfa_detail Additional MFA details provided by the vendor.
iam_session_mfa_method Information about the MFA method used.
iam_session_mfa_required If MFA was required for this session.
ingestion_datasource Describes how the data was ingested by CloudHunter.
ingestion_timestamp The time at which the data was ingested by CloudHunter.
iops The input/output operations per second (iops) setting for the database.
ip_allocation ID of the allocation of an IP address.
key_fingerprint The unique fingerprint of a key.
load_balancer The cloud hosted load balancer.
mac The MAC address of the resource described in the event.
master_user The name of the master user of the database.
member_security_groups During the creation of a database security group
monitoring_interval The time interval of database monitoring.
monitoring_role The role being used to monitor the database.
multi_zone_support If the database component is able to cross availability zones.
network_acl The network access control list (firewall functionality).
network_interface A cloud network interface.
network_security_group A network security group.
network_security_group_status The status of the network security group.
node_removed The ID of the node(s) being removed from a database cluster.
notification_topic The notification topic name associated to the database component.
notification_topic_status The status of the notification topic.
option_group The name of the database option group.
option_group_allows_non_vpc_instances If the option group can be associated to databases outside of a VPC.
option_group_description The description of the database option group.
options The set of database options in the option group.
options_added The set of database options being added.
options_removed The set of database options being removed.
packets The total count of packets described by this event.
parameter_group The name of the database parameter group.
parameter_group_description The description of the database parameter group.
parameters The set of database parameters in the parameter group.
performance_insights_enabled If the database instance has performance insights enabled.
policy A cloud policy that defines permissions on a resource.
policy_action The type of action being enabled or disabled.
policy_condition The condition required in order to receive the permission specified in the policy.
policy_effect The effective permission being applied.
policy_principal The entity being granted permission.
policy_resource The resource being referenced in the policy statement.
policy_statement The overall policy statement being modified.
port The network port used to connect to the database directly.
port_range_end The end of the specified port range.
port_range_start The beginning of the specified port range.
preferred_window_backup The time window designated for database backups.
preferred_window_maintenance The time window designated for database maintenance.
pretty_sourcetype A human readable version of sourcetype, which describes the cloud service associated with the event.
primary_key The primary key used in a database query.
private_ip The IP address assigned on the internal network.
promotion_tier The order in which to promote a database replica to master during a failure.
protocol The network protocol (numeric) referenced in the event.
public_access Indicates if the database is available for public access.
public_ip The public IP address assigned to this resource.
read_capacity_units The maximum number of strongly consistent reads per second for the database component.
region The geographical region where the storage is being hosted.
replication_factor The number of nodes in the database cluster.
resource_label_compute_disk The resource label associated to the compute disk.
resource_label_compute_disk_snapshot The resource label associated to the snapshot.
resource_label_compute_image The resource label associated to the compute image.
resource_label_compute_instance The resource label associated to the compute instance.
resource_label_network_interface The resource label associated to the network interface.
resource_label_network_security_group The resource label associated to the network security group.
resource_label_policy A name associated to a policy.
resource_label_subnet The resource label associated to the subnet.
resource_label_vpc The resource label associated to the VPC.
restore_time The time to which the database has been restored.
restore_time_latest_available If the database was restored to the most recent backup.
retention_period_backup How long to retain database backups.
role The role being assumed or described.
role_status The status of the role associated to the database cluster.
service_invoking_event Indicates which service invoked the event.
size_desired The new number of compute instances desired for a cluster.
size_maximum The maximum number of compute instances allowed for a cluster.
size_minimum The minimum number of compute instances allowed for a cluster.
skip_final_snapshot If a final snapshot was skipped during the deletion of a database instance or cluster.
sourcetype The cloud service that generated the event.
src_account The account where a cross-account request originated.
src_cidr The source CIDR (IP address range) of an event.
src_db_cluster The source database cluster; populated for a database cluster replica.
src_db_engine The database engine of the source; populated when restoring a database cluster or instance.
src_db_engine_version The database engine version of the source; populated when restoring a database cluster or instance.
src_db_instance The source database instance; populated for a database instance replica.
src_db_snapshot The source snapshot; populated when a snapshot is copied.
src_host Hostname of the source of traffic or request.
src_ip IP of the source of traffic or request.
src_ip_geo.city_name City name from GeoIP lookup.
src_ip_geo.country_code2 ISO country code from GeoIP lookup.
src_ip_geo.country_name Country name from GeoIP lookup.
src_ip_geo.location.lat Latitude from GeoIP lookup.
src_ip_geo.location.lon Longitude from GeoIP lookup.
src_ip_geo.postal_code Postal code from GeoIP lookup.
src_ip_geo.region_name Region from GeoIP lookup.
src_ip_geo.timezone Timezone from GeoIP lookup.
src_ip_geo_country_code2 ISO country code from GeoIP lookup.
src_ip_geo_location Latitude/longitude pair from GeoIP lookup, used for map visualization.
src_mac MAC address of the source of the traffic.
src_parameter_group The source parameter group; populated when a parameter group is copied.
src_port Port number of the source of the traffic.
src_region The source region; populated when a snapshot is copied.
src_role The cloud role that took action on another role.
src_user The cloud user that took action on another user.
src_vpc The source VPC for an event.
ssh_key_pair The name associated with an SSH key pair.
status The status of a resource or request.
status_type Indicates whether the underlying event represents a success or a failure.
storage_service_bucket A storage bucket.
storage_service_bucket_policy_statement A permissions statement in the storage service bucket policy.
storage_service_bucket_policy_version The version of the storage service bucket policy.
storage_service_object A storage object (file) stored in a bucket.
storage_type The type of storage selected for the database.
subnet The virtual subnet containing the resource.
tags User-configurable tags for easy search and sorting of alerts.
unindexed_fields All other fields that are part of the original record but not part of the data model are available here as a serialized JSON string.
url The endpoint associated with the database instance or cluster.
url_reader The read-only endpoint associated with the database instance or cluster.
user The user about which this event contains contextual information.
vendor_db_cluster_resource_id A unique ID from the vendor to identify the database cluster.
vendor_db_instance_resource_id A unique ID from the vendor to identify the database instance.
vendor_db_shard_iterator_resource_id A unique ID from the vendor to identify the database shard iterator.
vendor_db_snapshot_resource_id A unique ID from the vendor to identify the database snapshot.
vendor_db_stream_resource_id A unique ID from the vendor to identify the database stream.
vendor_db_table_resource_id A unique ID from the vendor to identify the database table.
vendor_enhanced_monitoring_resource_id A unique ID from the vendor to identify the enhanced logging resource.
vendor_event_correlation_id Sometimes a single action triggers multiple events. This is a unique ID to correlate multiple events to a single action.
vendor_event_id During ingestion, a single event is sometimes split into multiple documents for indexing. This is a unique ID to correlate multiple documents to a single event.
vendor_event_type Additional, vendor-specific information about the type of event.
vendor_log_name For logging events, vendor-specific naming of the affected log.
vendor_message The raw message from the authentication service (e.g. the SSHD log line).
vendor_modified_values_pending Any pending modified values for the database instance.
vendor_option_group_resource_id A unique ID from the vendor to identify the database option group.
vendor_product The name of the product that generated the logs, such as CloudTrail.
vpc The name or ID of the virtual private cloud to which the resource belongs.
write_capacity_units The maximum number of writes allowed per second for the database component.