Event Types and Keys

Also referred to as fields, keys define the data in your logs. Each event type contains a specific set of keys. Keys are constant, while the values of a key can vary.

This topic contains the list of keys that occur in each standard event type in InsightIDR. This is known as the schema: the data structure that allows the application to read the data.

It is helpful to know which keys you want to search in Log Search, so that you can create queries on the key-value pair and easily find the data you need for your investigation.

It is also helpful to know the type of data the values are presented in (strings, timestamps, or numbers, for example), so that you can create precise queries to search them.

Most event types are sent to both Log Search and the Detection Engine. Event types that are used only for detection are listed in the last section of this topic.

Log Search and detection-based event types

All event types contain keys that can be referenced in your Log Search queries. The lists under each event type display one key on each line and the format of its corresponding value.

For example, "action": "STRING" refers to a field or key named 'action' and the type of data it contains, in this case a string of alphanumeric characters.

When you know which key you want to investigate, you can find the corresponding log set to select in Log Search.

This section contains the event types and keys that correspond to the log sets that are visible in Log Search. It also includes the event types and keys that inform the logic on which Detection Rules are created.

In the user interface, the Rules Logic tab of the Detection Rules screen specifies the source event type that the detection rule will monitor. For example, look at the from parameter in the rule logic.

from(
    event_type = "third_party_alert"
)

The order of keys in the list

This documentation lists the event type keys in alphabetical order for easy reference. The user interface may show them in a different order.

The keys are presented in a list format, which shows parent fields and child fields where they exist. This can help you to search keys by using the query syntax where(parentfield.childfield="value").
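As an added example (not part of this page or of InsightIDR's own tooling), the Python below flattens a trimmed copy of the ad_admin schema listed under Active Directory Admin Activity into the parentfield.childfield paths that where() queries use, and checks a constructed event against it. The TIMESTAMP (ISO 8601) and RRN ("rrn:" prefix) formats it accepts are assumptions, not taken from the page.

```python
import re

# Subset of the page's ad_admin schema; the values are the page's type names.
AD_ADMIN_SCHEMA = {
    "action": "STRING", "group": "STRING",
    "r7_context": {
        "source_user": {"rrn": "RRN", "name": "STRING", "type": "STRING", "domain": "STRING"},
        "target_user": {"rrn": "RRN", "name": "STRING", "type": "STRING", "domain": "STRING"},
    },
    "source_json": {}, "source_user": "STRING", "target_user": "STRING", "timestamp": "TIMESTAMP",
}

# Predicates for the page's value types (UUID omitted); TIMESTAMP and RRN formats are assumptions.
ISO_TS = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
TYPE_CHECKS = {
    "STRING": lambda v: isinstance(v, str),
    "TIMESTAMP": lambda v: isinstance(v, str) and re.match(ISO_TS, v) is not None,
    "RRN": lambda v: isinstance(v, str) and v.startswith("rrn:"),
    "NUMERIC": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "LONG": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "DOUBLE": lambda v: isinstance(v, float),
}

def flatten(schema, prefix=""):
    """Yield (dotted_path, type) per leaf key, as Log Search's parentfield.childfield; {} becomes one OBJECT leaf."""
    for key, value in schema.items():
        path = prefix + key
        if isinstance(value, dict) and value:
            yield from flatten(value, path + ".")
        else:
            yield path, value or "OBJECT"  # {} (source_json) is falsy, a type name is not

def validate_event(event, schema, prefix=""):
    """List problems: missing schema keys, wrong value types, undefined keys (lists not handled)."""
    problems = []
    for key, expected in schema.items():
        path = prefix + key
        if key not in event:
            problems.append(f"missing: {path}")
        elif isinstance(expected, dict):
            if not isinstance(event[key], dict):
                problems.append(f"not an object: {path}")
            elif expected:  # {} in the schema accepts any object, so its keys are not checked
                problems.extend(validate_event(event[key], expected, path + "."))
        elif not TYPE_CHECKS[expected](event[key]):
            problems.append(f"wrong type: {path} expected {expected}, got {event[key]!r}")
    problems.extend(f"unexpected key: {prefix}{k}" for k in event if k not in schema)
    return problems

# Constructed sample event, not a real log; every value is illustrative.
SAMPLE_EVENT = {
    "action": "ADD_MEMBER", "group": "Domain Admins",
    "r7_context": {
        "source_user": {"rrn": "rrn:example:user:0001", "name": "jdoe", "type": "USER", "domain": "corp.example"},
        "target_user": {"rrn": "rrn:example:user:0002", "name": "svc-backup", "type": "USER", "domain": "corp.example"},
    },
    "source_json": {"EventRecordID": "12345"}, "source_user": "jdoe",
    "target_user": "svc-backup", "timestamp": "2024-01-15T10:32:11.000Z",
}
```

Running validate_event over parsed events before writing a rule against a key path catches a renamed or mistyped field early, and dict(flatten(...)) gives the complete list of paths a where() clause can reference.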

Active Directory Admin Activity

ad_admin

{
  "action": "STRING",
  "group": "STRING",
  "group_domain": "STRING",
  "group_scope": "STRING",
  "r7_context": {
    "source_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "target_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "source_account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "target_account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "source_account": "STRING",
  "source_asset": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "source_user": "STRING",
  "source_user_domain": "STRING",
  "target_account": "STRING",
  "target_user": "STRING",
  "target_user_domain": "STRING",
  "timestamp": "TIMESTAMP"
}

Advanced Malware Alert

advanced_malware

{
  "asset": "STRING",
  "alert_name": "STRING",
  "custom_data": {},
  "destination_address": "STRING",
  "destination_port": "STRING",
  "destination_user": "STRING",
  "destination_user_domain": "STRING",
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "protocol": "STRING",
  "r7_context": {
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "source_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "secondary_asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "destination_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    }
  },
  "secondary_asset": "STRING",
  "severity": "STRING",
  "signature_name": "STRING",
  "source_address": "STRING",
  "source_data": "STRING",
  "source_port": "STRING",
  "source_user": "STRING",
  "source_user_domain": "STRING",
  "timestamp": "TIMESTAMP"
}

Asset Authentication

asset_auth

{
  "destination_account": "STRING",
  "destination_account_sid": "STRING",
  "destination_asset": "STRING",
  "destination_asset_address": "STRING",
  "destination_domain": "STRING",
  "destination_local_account": "STRING",
  "destination_user": "STRING",
  "logon_type": "STRING",
  "new_authentication": "STRING",
  "new_source_authentication": "STRING",
  "new_source_for_account": "STRING",
  "r7_context": {
    "source_asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "destination_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "destination_asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "destination_account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "result": "STRING",
  "service": "STRING",
  "source_account": "STRING",
  "source_asset": "STRING",
  "source_asset_address": "STRING",
  "source_data": "STRING",
  "source_domain": "STRING",
  "source_json": {},
  "source_user": "STRING",
  "timestamp": "TIMESTAMP"
}

Cloud Service Activity

cloud_service_activity

{
  "action": "STRING",
  "service": "STRING",
  "source_account": "STRING",
  "source_json": {},
  "source_user": "STRING",
  "timestamp": "TIMESTAMP",
  "user_agent": "STRING"
}

Cloud Service Admin Activity

cloud_service_admin

{
  "action": "STRING",
  "service": "STRING",
  "source_account": "STRING",
  "source_json": {},
  "source_user": "STRING",
  "target_account": "STRING",
  "target_user": "STRING",
  "timestamp": "TIMESTAMP",
  "user_agent": "STRING"
}

DNS Query

dns

{
  "asset": "STRING",
  "custom_data": {},
  "dns_server_port": "STRING",
  "dns_server_address": "STRING",
  "public_suffix": "STRING",
  "query": "STRING",
  "query_blocked": "STRING",
  "query_class": "STRING",
  "query_type": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "source_address": "STRING",
  "source_data": "STRING",
  "source_port": "STRING",
  "top_private_domain": "STRING",
  "timestamp": "TIMESTAMP",
  "user": "STRING",
  "user_domain": "STRING"
}

Endpoint Activity

process_start_event

{
  "dns_domain": "STRING",
  "duplicated_events": "LONG",
  "endpoint_id": "STRING",
  "endpoint_vendor": "STRING",
  "env_vars": [
    {
      "var": "STRING",
      "val": "STRING",
      "parent_val": "STRING"
    }
  ],
  "hostname": "STRING",
  "os_type": "STRING",
  "parent_process": {
    "account_domain": "STRING",
    "addr": "STRING",
    "cmd_line": "STRING",
    "egid": "NUMERIC",
    "egid_name": "STRING",
    "euid": "NUMERIC",
    "euid_name": "STRING",
    "exe_file": {
      "author": "STRING",
      "countersigning_chain": [
        {
          "subject": "STRING",
          "issuer": "STRING",
          "thumbprint": "STRING"
        }
      ],
      "created": "STRING",
      "description": "STRING",
      "gid": "NUMERIC",
      "group": "STRING",
      "hashes": {
        "hashes.md5": "STRING",
        "hashes.sha256": "STRING",
        "hashes.sha1": "STRING"
      },
      "internal_name": "STRING",
      "last_accessed": "STRING",
      "last_modified": "STRING",
      "orig_filename": "STRING",
      "owner": "STRING",
      "permissions": "STRING",
      "product_name": "STRING",
      "signing_chain": [
        {
          "subject": "STRING",
          "issuer": "STRING",
          "thumbprint": "STRING"
        }
      ],
      "signing_status": "STRING",
      "size": "LONG",
      "uid": "NUMERIC",
      "version": "STRING"
    },
    "exe_path": "STRING",
    "fsgid": "NUMERIC",
    "fsuid": "NUMERIC",
    "gid": "NUMERIC",
    "group": "STRING",
    "hash_reputation": {
      "engine_count": "NUMERIC",
      "engine_match": "NUMERIC",
      "engine_percent": "DOUBLE",
      "first_analyzed_time": "STRING",
      "reliability": "STRING",
      "reputation": "STRING",
      "threat_level": "STRING"
    },
    "img_path": "STRING",
    "name": "STRING",
    "pid": "NUMERIC",
    "port": "NUMERIC",
    "ppid": "NUMERIC",
    "r7_id": "STRING",
    "rgid": "NUMERIC",
    "rgid_name": "STRING",
    "ruid": "NUMERIC",
    "ruid_name": "STRING",
    "session": "LONG",
    "sgid": "NUMERIC",
    "start_time": "STRING",
    "suid": "NUMERIC",
    "uid": "NUMERIC",
    "username": "STRING"
  },
  "process": {
    "account_domain": "STRING",
    "addr": "STRING",
    "cmd_line": "STRING",
    "egid": "NUMERIC",
    "egid_name": "STRING",
    "euid": "NUMERIC",
    "euid_name": "STRING",
    "exe_file": {
      "author": "STRING",
      "countersigning_chain": [
        {
          "subject": "STRING",
          "issuer": "STRING",
          "thumbprint": "STRING"
        }
      ],
      "created": "STRING",
      "description": "STRING",
      "gid": "NUMERIC",
      "group": "STRING",
      "hashes": {
        "hashes.md5": "STRING",
        "hashes.sha256": "STRING",
        "hashes.sha1": "STRING"
      },
      "internal_name": "STRING",
      "last_accessed": "STRING",
      "last_modified": "STRING",
      "orig_filename": "STRING",
      "owner": "STRING",
      "permissions": "STRING",
      "product_name": "STRING",
      "signing_chain": [
        {
          "subject": "STRING",
          "issuer": "STRING",
          "thumbprint": "STRING"
        }
      ],
      "signing_status": "STRING",
      "size": "LONG",
      "uid": "NUMERIC",
      "version": "STRING"
    },
    "exe_path": "STRING",
    "fsgid": "NUMERIC",
    "fsuid": "NUMERIC",
    "gid": "NUMERIC",
    "group": "STRING",
    "hash_reputation": {
      "engine_count": "NUMERIC",
      "engine_match": "NUMERIC",
      "engine_percent": "DOUBLE",
      "first_analyzed_time": "STRING",
      "reliability": "STRING",
      "reputation": "STRING",
      "threat_level": "STRING"
    },
    "img_path": "STRING",
    "name": "STRING",
    "pid": "NUMERIC",
    "port": "NUMERIC",
    "r7_id": "STRING",
    "rgid": "NUMERIC",
    "rgid_name": "STRING",
    "ruid": "NUMERIC",
    "ruid_name": "STRING",
    "session": "LONG",
    "sgid": "NUMERIC",
    "start_time": "STRING",
    "suid": "NUMERIC",
    "uid": "NUMERIC",
    "username": "STRING"
  },
  "r7_hostid": "STRING"
}

netbios_poisoning

{
  "timestamp": "TIMESTAMP",
  "poisoner_asset": "STRING",
  "observing_asset": "STRING",
  "poisoner_address": "STRING",
  "protocol": "STRING",
  "queried_hostname": "STRING",
  "source_json": {
    "protocol": "STRING",
    "poisonerAddresses": [
      "STRING"
    ],
    "queriedHostname": "STRING",
    "agentHostname": "STRING"
  },
  "r7_context": {
    "poisoner_asset": {
      "type": "STRING",
      "rrn": "RRN",
      "name": "STRING"
    },
    "observing_asset": {
      "type": "STRING",
      "rrn": "RRN",
      "name": "STRING"
    }
  }
}

local_service_creation

{
  "timestamp": "TIMESTAMP",
  "asset": "STRING",
  "service_name": "STRING",
  "service_cmdline": "STRING",
  "source_json": {
    "sourceName": "STRING",
    "insertionStrings": [
      "STRING",
      "STRING",
      "STRING",
      "STRING",
      ""
    ],
    "eventCode": "STRING",
    "computerName": "STRING",
    "sid": "STRING",
    "isDomainController": "STRING",
    "eventData": "STRING",
    "timeWritten": "TIMESTAMP"
  },
  "r7_context": {
    "asset": {
      "type": "STRING",
      "rrn": "RRN",
      "name": "STRING"
    }
  }
}

File Access Activity

file_access

{
  "access_types": "STRING",
  "account": "STRING",
  "file_extension": "STRING",
  "file_name": "STRING",
  "file_path": "STRING",
  "file_share": "STRING",
  "service": "STRING",
  "source_address": "STRING",
  "source_asset": "STRING",
  "source_json": {},
  "target_address": "STRING",
  "timestamp": "TIMESTAMP",
  "user": "STRING"
}

File Modification Activity

file_modification

{
  "account": "STRING",
  "asset": "STRING",
  "asset_address": "STRING",
  "asset_os_family": "STRING",
  "file_event": "STRING",
  "file_extension": "STRING",
  "file_name": "STRING",
  "file_path": "STRING",
  "process": "STRING",
  "process_id": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "user": "STRING"
}

Firewall Activity

firewall

{
  "asset": "STRING",
  "community_id": "STRING",
  "connection_status": "STRING",
  "custom_data": {},
  "destination_address": "STRING",
  "destination_port": "STRING",
  "direction": "STRING",
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "incoming_bytes": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "outgoing_bytes": "STRING",
  "source_address": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "source_port": "STRING",
  "transport_protocol": "STRING",
  "timestamp": "TIMESTAMP",
  "user": "STRING"
}

Host To IP Observations

host_name_to_ip

{
  "account": "STRING",
  "account_domain": "STRING",
  "action": "STRING",
  "asset": "STRING",
  "client_mac": "STRING",
  "custom_data": {},
  "host": "STRING",
  "ip": "STRING",
  "observation_status": "STRING",
  "r7_context": {
    "host": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "source_data": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "user": "STRING"
}

IDS Alert

ids

{
  "asset": "STRING",
  "category": "STRING",
  "community_id": "STRING",
  "description": "STRING",
  "destination_bytes": "STRING",
  "destination_ip": "STRING",
  "destination_port": "STRING",
  "destination_packet_count": "STRING",
  "ids_app_protocol": "STRING",
  "ids_app_protocol_info": {
    "ja3": {
      "hash": "STRING",
      "string": "STRING"
    },
    "ja3s": {
      "hash": "STRING",
      "string": "STRING"
    },
    "serial": "STRING",
    "subject": "STRING",
    "version": "STRING",
    "issuerdn": "STRING",
    "notafter": "STRING",
    "notbefore": "STRING",
    "fingerprint": "STRING"
  },
  "ids_flow_initiated": "TIMESTAMP",
  "protocol": "STRING",
  "severity": "STRING",
  "signature": "STRING",
  "signature_revision": "STRING",
  "source_bytes": "STRING",
  "source_ip": "STRING",
  "source_packet_count": "STRING",
  "source_port": "STRING",
  "timestamp": "TIMESTAMP",
  "total_bytes": "STRING",
  "total_packet_count": "STRING",
  "user": "STRING"
}

Ingress Authentication

ingress_auth

{
  "account": "STRING",
  "authentication_target": "STRING",
  "custom_data": {},
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "mobile_device_id": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "result": "STRING",
  "service": "STRING",
  "service_address": "STRING",
  "source_data": "STRING",
  "source_ip": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "user": "STRING",
  "user_agent": "STRING",
  "user_domain": "STRING"
}

Network Flow

flow

{
  "app_protocol": "STRING",
  "app_protocol_description": "STRING",
  "community_id": "STRING",
  "destination_address": "STRING",
  "destination_asset": "STRING",
  "destination_bytes": "STRING",
  "destination_packet_count": "STRING",
  "destination_port": "STRING",
  "destination_user": "STRING",
  "direction": "STRING",
  "first_packet_time": "TIMESTAMP",
  "flow_initiated": "TIMESTAMP",
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "last_packet_time": "TIMESTAMP",
  "r7_context": {
    "source_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "source_asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "destination_user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "destination_asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "source_address": "STRING",
  "source_asset": "STRING",
  "source_bytes": "STRING",
  "source_port": "STRING",
  "source_packet_count": "STRING",
  "source_user": "STRING",
  "timestamp": "TIMESTAMP",
  "total_bytes": "STRING",
  "total_packet_count": "STRING",
  "transport_protocol": "STRING"
}

Third Party Alert

third_party_alert

{
  "alert_id": "UUID",
  "asset": "STRING",
  "custom_data": {},
  "description": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "product": "STRING",
  "severity": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "title": "STRING",
  "type": "STRING",
  "user": "STRING"
}

Virus Alert

virus

{
  "account": "STRING",
  "action": "STRING",
  "action_status": "STRING",
  "asset": "STRING",
  "custom_data": {},
  "error_code": "STRING",
  "error_description": "STRING",
  "file_path": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "risk": "STRING",
  "source_address": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "user": "STRING",
  "user_domain": "STRING"
}

Web Proxy Activity

web_proxy

{
  "asset": "STRING",
  "custom_data": {},
  "destination_ip": "STRING",
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "http_method": "STRING",
  "incoming_bytes": "STRING",
  "is_blocked": "STRING",
  "outgoing_bytes": "STRING",
  "public_suffix": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "scheme": "STRING",
  "source_data": "STRING",
  "source_ip": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "top_private_domain": "STRING",
  "url": "STRING",
  "url_host": "STRING",
  "url_path": "STRING",
  "url_query": "STRING",
  "user": "STRING",
  "user_agent": "STRING",
  "user_domain": "STRING"
}

Detection-based Event Types

Anomalous Data Transfer

anomalous_data_transfer

{
  "analysis_hour_destinations": [
    {
      "city": "STRING",
      "dst_addr": "NUMERIC",
      "dst_port": "NUMERIC",
      "hostname": "STRING",
      "cert_name": "STRING",
      "country_code": "STRING",
      "organization": "STRING",
      "dst_bytes_human": "STRING",
      "src_bytes_human": "STRING",
      "dst_bytes_percent": "NUMERIC",
      "src_bytes_percent": "NUMERIC"
    }
  ],
  "analysis_hour_stats": {
    "bytes_ratio": "STRING",
    "num_destinations": "NUMERIC",
    "incoming_bytes_human": "STRING",
    "outgoing_bytes_human": "STRING",
    "num_destination_ports": "NUMERIC"
  },
  "date": "TIMESTAMP",
  "source_addresses": "STRING",
  "source_asset_id": "UUID",
  "source_asset_names": "STRING"
}