Keys to Use in Your Queries

Also referred to as fields, keys define the data in your logs. Each event type contains a specific set of keys. Keys are the constant, while the values of a key can vary.

This topic contains the list of keys that occur in each standard event type in InsightIDR. This is known as the schema; the data structure that allows data to be read by the application.

It is helpful to know which keys you want to search in Log Search, so that you can create queries on the key-value pair and easily find the data you need for your investigation.

It is also helpful to know which type of data the values are presented in–are they strings, timestamps, or numbers, for example–so that you can create precise queries to search them.

Most event types go to both Log Search and the Detection Engine, however, some event types are solely detection-based. There are also some schemas that do not have associated event types, which are part of the Audit Log.

Log Search and detection-based event types

All event types contain keys that can be referenced in your Log Search queries. The lists under each event type display one key on each line and the format of its corresponding value.

For example, "action": "STRING" refers to a field or key named 'action' and the type of data it contains-in this case, it's a string of alphanumeric characters.

When you know which key you want to investigate, you can find the corresponding log set to select in Log Search.

This section contains the event types and keys that correspond to the log sets that are visible in Log Search. It also includes the event types and keys that inform the logic on which Detection Rules are created.

In the user interface, the Rules Logic tab of the Detection Rules screen specifies the source event type that the detection rule will monitor. For example, look at the from parameter in the rule logic.

1
from(
2
event_type = "third_party_alert"
3
)

The order of keys in the list

This documentation lists the event type keys in alphabetical order for easy reference. The user interface may show them in a different order.

The keys are presented in a list format, which shows parent fields and child fields where they exist. This can help you to search keys by using the query syntax where(parentfield.childfield="value").

Active Directory Admin Activity

ad_admin

KeyValue format
actionSTRING
groupSTRING
group_domainSTRING
group_scopeSTRING
r7_context
   source_user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   target_user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   source_account
       rrnRRN
       nameSTRING
       typeSTRING
   target_account
       rrnRRN
       nameSTRING
       typeSTRING
source_accountSTRING
source_assetSTRING
source_dataSTRING
source_json{}
source_userSTRING
source_user_domainSTRING
target_accountSTRING
target_userSTRING
target_user_domainSTRING
timestampTIMESTAMP
Active Directory Admin Activity event type code block
1
{
2
"action": "STRING",
3
"group": "STRING",
4
"group_domain": "STRING",
5
"group_scope": "STRING",
6
"r7_context": {
7
"source_user": {
8
"rrn": "RRN",
9
"name": "STRING",
10
"type": "STRING",
11
"domain": "STRING"
12
},
13
"target_user": {
14
"rrn": "RRN",
15
"name": "STRING",
16
"type": "STRING",
17
"domain": "STRING"
18
},
19
"source_account": {
20
"rrn": "RRN",
21
"name": "STRING",
22
"type": "STRING"
23
},
24
"target_account": {
25
"rrn": "RRN",
26
"name": "STRING",
27
"type": "STRING"
28
}
29
},
30
"source_account": "STRING",
31
"source_asset": "STRING",
32
"source_data": "STRING",
33
"source_json": {{}},
34
"source_user": "STRING",
35
"source_user_domain": "STRING",
36
"target_account": "STRING",
37
"target_user": "STRING",
38
"target_user_domain": "STRING"
39
"timestamp": "TIMESTAMP",
40
}

Advanced Malware Alert

advanced_malware

KeyValue format
assetSTRING
alert_nameSTRING
custom_data{}
destination_addressSTRING
destination_portSTRING
destination_userSTRING
destination_user_domainSTRING
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
protocolSTRING
r7_context
   asset
       rrnRRN
       nameSTRING
       typeSTRING
   source_user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   secondary_asset
       rrnRRN
       nameSTRING
       typeSTRING
   destination_user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
secondary_assetSTRING
severitySTRING
signature_nameSTRING
source_addressSTRING
source_dataSTRING
source_portSTRING
source_userSTRING
source_user_domainSTRING
timestampTIMESTAMP
Advanced Malware Alert event type code block
1
{
2
"asset": "STRING",
3
"alert_name": "STRING",
4
"custom_data": {},
5
"destination_address": "STRING",
6
"destination_port": "STRING",
7
"destination_user": "STRING",
8
"destination_user_domain": "STRING"
9
"geoip_city": "STRING",
10
"geoip_country_code": "STRING",
11
"geoip_country_name": "STRING",
12
"geoip_organization": "STRING",
13
"geoip_region": "STRING",
14
"protocol": "STRING",
15
"r7_context": {
16
"asset": {
17
"rrn": "RRN",
18
"name": "STRING",
19
"type": "STRING"
20
},
21
"source_user": {
22
"rrn": "RRN",
23
"name": "STRING",
24
"type": "STRING",
25
"domain": "STRING"
26
},
27
"secondary_asset": {
28
"rrn": "RRN",
29
"name": "STRING",
30
"type": "STRING"
31
},
32
"destination_user": {
33
"rrn": "RRN",
34
"name": "STRING",
35
"type": "STRING",
36
"domain": "STRING"
37
}
38
},
39
"secondary_asset": "STRING",
40
"severity": "STRING",
41
"signature_name": "STRING",
42
"source_address": "STRING",
43
"source_data": "STRING",
44
"source_port": "STRING",
45
"source_user": "STRING",
46
"source_user_domain": "STRING",
47
"timestamp": "TIMESTAMP",
48
}
49

Asset Authentication

asset_auth

KeyValue format
destination_accountSTRING
destination_account_sidSTRING
destination_assetSTRING
destination_asset_addressSTRING
destination_domainSTRING
destination_local_accountSTRING
destination_userSTRING
logon_typeSTRING
new_authenticationSTRING
new_source_authenticationSTRING
new_source_for_accountSTRING
r7_context
   source_asset
       rrnRRN
       nameSTRING
       typeSTRING
   destination_user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   destination_asset
       rrnRRN
       nameSTRING
       typeSTRING
   destination_account
       rrnRRN
       nameSTRING
       typeSTRING
resultSTRING
serviceSTRING
source_accountSTRING
source_assetSTRING
source_asset_addressSTRING
source_dataSTRING
source_domainSTRING
source_json{}
source_userSTRING
timestampTIMESTAMP
Asset Authentication event type code block
1
{
2
"destination_account": "STRING",
3
"destination_account_sid": "STRING",
4
"destination_asset": "STRING",
5
"destination_asset_address": "STRING",
6
"destination_domain": "STRING",
7
"destination_local_account": "STRING",
8
"destination_user": "STRING",
9
"logon_type": "STRING",
10
"new_authentication": "STRING",
11
"new_source_authentication": "STRING"
12
"new_source_for_account": "STRING",
13
"r7_context": {
14
"source_asset": {
15
"rrn": "RRN",
16
"name": "STRING",
17
"type": "STRING"
18
},
19
"destination_user": {
20
"rrn": "RRN",
21
"name": "STRING",
22
"type": "STRING",
23
"domain": "STRING"
24
},
25
"destination_asset": {
26
"rrn": "RRN",
27
"name": "STRING",
28
"type": "STRING"
29
},
30
"destination_account": {
31
"rrn": "RRN",
32
"name": "STRING",
33
"type": "STRING"
34
}
35
},
36
"result": "STRING",
37
"service": "STRING",
38
"source_account": "STRING",
39
"source_asset": "STRING",
40
"source_asset_address": "STRING",
41
"source_data": "STRING",
42
"source_domain": "STRING",
43
"source_json": {},
44
"source_user": "STRING",
45
"timestamp": "TIMESTAMP",
46
}

Cloud Service Activity

cloud_service_activity

KeyValue format
actionSTRING
serviceSTRING
source_accountSTRING
source_json{}
source_userSTRING
timestampTIMESTAMP
user_agentSTRING
Cloud Service Activity event type code block
1
{
2
"action": "STRING",
3
"service": "STRING",
4
"source_account": "STRING"
5
"source_json": {},
6
"source_user": "STRING",
7
"timestamp": "TIMESTAMP",
8
"user_agent": "STRING",
9
}

Cloud Service Admin Activity

cloud_service_admin

KeyValue format
actionSTRING
serviceSTRING
source_accountSTRING
source_json{}
source_userSTRING
target_accountSTRING
target_userSTRING
timestampTIMESTAMP
user_agentSTRING
Cloud Service Admin Activity event type code block
1
{
2
"action": "STRING",
3
"service": "STRING",
4
"source_account": "STRING",
5
"source_json": {},
6
"source_user": "STRING",
7
"target_account": "STRING"
8
"target_user": "STRING",
9
"timestamp": "TIMESTAMP",
10
"user_agent": "STRING",
11
}

DNS Query

dns

KeyValue format
assetSTRING
custom_data{}
dns_server_portSTRING
dns_server_addressSTRING
public_suffixSTRING
querySTRING
query_blockedSTRING
query_classSTRING
query_typeSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
source_addressSTRING
source_dataSTRING
source_portSTRING
top_private_domainSTRING
timestampTIMESTAMP
userSTRING
observation_countNUMERIC
first_observed_timeTIMESTAMP
last_observed_timeTIMESTAMP
user_domainSTRING

This event type contains deduplicated data.

DNS Query event type code block
1
{
2
"asset": "STRING",
3
"custom_data": {},
4
"dns_server_port": "STRING",
5
"dns_server_address": "STRING",
6
"public_suffix": "STRING",
7
"query": "STRING",
8
"query_blocked": "STRING",
9
"query_class": "STRING",
10
"query_type": "STRING",
11
"r7_context": {
12
"user": {
13
"rrn": "RRN",
14
"name": "STRING",
15
"type": "STRING",
16
"domain": "STRING"
17
},
18
"asset": {
19
"rrn": "RRN",
20
"name": "STRING",
21
"type": "STRING"
22
}
23
},
24
"source_address": "STRING",
25
"source_data": "STRING",
26
"source_port": "STRING",
27
"top_private_domain": "STRING"
28
"timestamp": "TIMESTAMP",
29
"user": "STRING",
30
"observation_count": "NUMERIC",
31
"first_observed_time": "TIMESTAMP",
32
"last_observed_time": "TIMESTAMP",
33
"user_domain": "STRING",
34
}

Endpoint Activity

Process Start Event

process_start_event

KeyValue format
dns_domainSTRING
duplicated_eventsLONG
endpoint_idSTRING
endpoint_vendorSTRING
env_vars
   varSTRING
   valSTRING
   parent_valSTRING
hostnameSTRING
os_typeSTRING
parents_process
   account_domainSTRING
   addrSTRING
   cmd_lineSTRING
   egidNUMERIC
   egid_nameSTRING
   euidNUMERIC
   euid_nameSTRING
   exe_file
       authorSTRING
       countersigning_chain
           subjectSTRING
           issueSTRING
           thumbprintSTRING
       createdSTRING
       descriptionSTRING
       gidNUMERIC
       groupSTRING
       hashes
           hashes.m5STRING
           hashes.sha256STRING
           hashes.sha1STRING
       internal_nameSTRING
       last_accessedSTRING
       last_modifiedSTRING
       orig_filenameSTRING
       ownerSTRING
       permissionsSTRING
       product_nameSTRING
       signing_chain
           subjectSTRING
           issuerSTRING
           thumbprintSTRING
       signing_statusSTRING
       sizeLONG
       uidNUMERIC
       versionSTRING
   exe_pathSTRING
   fsgidNUMERIC
   fsuidNUMERIC
   gidNUMERIC
   groupSTRING
   hash_reputation
       engine_countNUMERIC
       engine_matchNUMERIC
       engine_percentDOUBLE
       first_analyzed_timeSTRING
       reliabilitySTRING
       reputationSTRING
       threat_levelSTRING
   img_pathSTRING
   nameSTRING
   pidNUMERIC
   portNUMERIC
   ppidNUMERIC
   r7_idSTRING
   rgidNUMERIC
   rgid_nameSTRING
   ruidNUMERIC
   ruid_nameSTRING
   sessionNUMERIC
   sgidNUMERIC
   start_timeSTRING
   suidNUMERIC
   uidNUMERIC
   usernameSTRING
process
   account_domainSTRING
   addrSTRING
   cmd_lineSTRING
   egidNUMERIC
   egid_nameSTRING
   euidNUMERIC
   euid_nameSTRING
   exe_file
       authorSTRING
       countersigning_chain
           subjectSTRING
           issuerSTRING
           thumbprintSTRING
       createdSTRING
       descriptionSTRING
       gidNUMERIC
       groupSTRING
       hashes
           hashes.m5STRING
           hashes.sha256STRING
           hashes.sha1STRING
       internal_nameSTRING
       last_accessedSTRING
       last_modifiedSTRING
       orig_filenameSTRING
       ownerSTRING
       permissionsSTRING
       product_nameSTRING
       signing_chain
           subjectSTRING
           issuerSTRING
           thumbprintSTRING
       signing_statusSTRING
       sizeLONG
       uidNUMERIC
       versionSTRING
   exe_pathSTRING
   fsgidNUMERIC
   fsuidNUMERIC
   gidNUMERIC
   groupSTRING
   hash_reputation
       engine_countNUMERIC
       engine_matchNUMERIC
       engine_percentDOUBLE
       first_analyzed_timeSTRING
       reliabilitySTRING
       reputationSTRING
       threat_levelSTRING
   img_pathSTRING
   nameSTRING
   pidNUMERIC
   portNUMERIC
   r7_idSTRING
   rgidNUMERIC
   rgid_nameSTRING
   ruidNUMERIC
   ruid_nameSTRING
   sessionLONG
   sgidNUMERIC
   start_timeSTRING
   suidNUMERIC
   uidNUMERIC
   usernameSTRING
r7_hostidSTRING
Endpoint Activity, process_start_event event type code block
1
{
2
"dns_domain": "STRING",
3
"duplicated_events": "LONG",
4
"endpoint_id": "STRING",
5
"endpoint_vendor": "STRING",
6
"env_vars": [
7
{
8
"var": "STRING",
9
"val": "STRING",
10
"parent_val": "STRING"
11
}
12
],
13
"hostname": "STRING",
14
"os_type": "STRING",
15
"parent_process":{
16
"account_domain": "STRING",
17
"addr": "STRING",
18
"cmd_line": "STRING",
19
"egid": "NUMERIC",
20
"egid_name": "STRING",
21
"euid": "NUMERIC",
22
"euid_name": "STRING",
23
"exe_file": {
24
"author": "STRING",
25
"countersigning_chain": [
26
{
27
"subject": "STRING",
28
"issuer": "STRING",
29
"thumbprint": "STRING"
30
}
31
],
32
"created": "STRING",
33
"description": "STRING",
34
"gid": "NUMERIC",
35
"group": "STRING",
36
"hashes":{
37
"hashes.md5": "STRING",
38
"hashes.sha256": "STRING",
39
"hashes.sha1": "STRING"
40
},
41
"internal_name": "STRING",
42
"last_accessed": "STRING",
43
"last_modified": "STRING",
44
"orig_filename": "STRING",
45
"owner": "STRING",
46
"permissions": "STRING",
47
"product_name": "STRING",
48
"signing_chain": [
49
{
50
"subject": "STRING",
51
"issuer": "STRING",
52
"thumbprint": "STRING"
53
}
54
],
55
"signing_status": "STRING",
56
"size": "LONG",
57
"uid": "NUMERIC",
58
"version": "STRING"
59
},
60
"exe_path": "STRING",
61
"fsgid": "NUMERIC",
62
"fsuid": "NUMERIC",
63
"gid": "NUMERIC",
64
"group": "STRING",
65
"hash_reputation": {
66
"engine_count": "NUMERIC",
67
"engine_match": "NUMERIC",
68
"engine_percent": "DOUBLE",
69
"first_analyzed_time": "STRING",
70
"reliability": "STRING",
71
"reputation": "STRING",
72
"threat_level": "STRING"
73
},
74
"img_path": "STRING",
75
"name": "STRING",
76
"pid": "NUMERIC",
77
"port": "NUMERIC",
78
"ppid": "NUMERIC",
79
"r7_id": "STRING",
80
"rgid": "NUMERIC",
81
"rgid_name": "STRING",
82
"ruid": "NUMERIC",
83
"ruid_name": "STRING",
84
"session": "LONG",
85
"sgid": "NUMERIC",
86
"start_time": "STRING",
87
"suid": "NUMERIC",
88
"uid": "NUMERIC",
89
"username": "STRING"
90
}
91
},
92
"process": {
93
"account_domain": "STRING",
94
"addr": "STRING",
95
"cmd_line": "STRING",
96
"egid": "NUMERIC",
97
"egid_name": "STRING",
98
"euid": "NUMERIC",
99
"euid_name": "STRING",
100
"exe_file": {
101
"author": "STRING",
102
"countersigning_chain": [
103
{
104
"subject": "STRING",
105
"issuer": "STRING",
106
"thumbprint": "STRING"
107
}
108
],
109
"created": "STRING",
110
"description": "STRING",
111
"gid": "NUMERIC",
112
"group": "STRING",
113
"hashes": {
114
"hashes.md5": "STRING",
115
"hashes.sha256": "STRING",
116
"hashes.sha1": "STRING"
117
},
118
"internal_name": "STRING",
119
"last_accessed": "STRING",
120
"last_modified": "STRING",
121
"orig_filename": "STRING",
122
"owner": "STRING",
123
"permissions": "STRING",
124
"product_name": "STRING",
125
"signing_chain": [
126
{
127
"subject": "STRING",
128
"issuer": "STRING",
129
"thumbprint": "STRING"
130
}
131
],
132
"signing_status": "STRING",
133
"size": "LONG",
134
"uid": "NUMERIC",
135
"version": "STRING"
136
},
137
"exe_path": "STRING",
138
"fsgid": "NUMERIC",
139
"fsuid": "NUMERIC",
140
"gid": "NUMERIC",
141
"group": "STRING",
142
"hash_reputation": {
143
"engine_count": "NUMERIC",
144
"engine_match": "NUMERIC",
145
"engine_percent": "DOUBLE",
146
"first_analyzed_time": "STRING",
147
"reliability": "STRING",
148
"reputation": "STRING",
149
"threat_level": "STRING"
150
},
151
"img_path": "STRING",
152
"name": "STRING",
153
"pid": "NUMERIC",
154
"port": "NUMERIC",
155
"r7_id": "STRING",
156
"rgid": "NUMERIC",
157
"rgid_name": "STRING",
158
"ruid": "NUMERIC",
159
"ruid_name": "STRING",
160
"session": "LONG",
161
"sgid": "NUMERIC",
162
"start_time": "STRING",
163
"suid": "NUMERIC",
164
"uid": "NUMERIC",
165
"username": "STRING"
166
}
167
},
168
"r7_hostid": "STRING"
169
}

Netbios Poisoning

netbios_poisoning

KeyValue format
timestampTIMESTAMP
poisoner_assetSTRING
observing_assetSTRING
poisoner_addressSTRING
protocolSTRING
queried_hostnameSTRING
source_json
   protocolSTRING
   poisonerAddressesSTRING
   queriedHostnameSTRING
   agentHostnameSTRING
r7_context
   poisoner_asset
       typeSTRING
       rrnRRN
       nameSTRING
   observing_asset
       typeSTRING
       rrnRRN
       nameSTRING
Endpoint Activity, netbios_poisoning event type code block
1
{
2
"timestamp": "TIMESTAMP",
3
"poisoner_asset": "STRING",
4
"observing_asset": "STRING",
5
"poisoner_address": "STRING",
6
"protocol": "STRING",
7
"queried_hostname": "STRING",
8
"source_json": {
9
"protocol": "STRING",
10
"poisonerAddresses": [
11
"STRING"
12
],
13
"queriedHostname": "STRING",
14
"agentHostname": "STRING"
15
},
16
"r7_context": {
17
"poisoner_asset": {
18
"type": "STRING",
19
"rrn": "RRN",
20
"name": "STRING"
21
},
22
"observing_asset": {
23
"type": "STRING",
24
"rrn": "RRN",
25
"name": "STRING"
26
}
27
}
28
}

Local Service Creation

local_service_creation

KeyValue format
timestampTIMESTAMP
assetSTRING
service_nameSTRING
service_cmdlineSTRING
source_json
   sourceNameSTRING
   insertionStringsSTRING
eventCodeSTRING
computerNameSTRING
sidSTRING
isDomainControllerSTRING
eventDataSTRING
timeWrittenTIMESTAMP
r7_context
   asset
       typeSTRING
       rrnRRN
       nameSTRING
Endpoint Activity, local_service_creation event type code block
1
{
2
"timestamp": "TIMESTAMP",
3
"asset": "STRING",
4
"service_name": "STRING",
5
"service_cmdline": "STRING",
6
"source_json": {
7
"sourceName": "STRING",
8
"insertionStrings": [
9
"STRING",
10
"STRING",
11
"STRING",
12
"STRING",
13
""
14
],
15
"eventCode": STRING,
16
"computerName": "STRING",
17
"sid": "STRING",
18
"isDomainController": STRING,
19
"eventData": STRING,
20
"timeWritten": "TIMESTAMP"
21
},
22
"r7_context": {
23
"asset": {
24
"type": "STRING",
25
"rrn": "RRN",
26
"name": "STRING"
27
}
28
}
29
}

Sysmon

sysmon

InsightIDR collects these Sysmon event IDs from Microsoft:

  • Network Connection
  • Create Remote Thread
  • Process Access
  • Registry Event
  • Process Tampering

Depending on which event ID is collected, the shape of the event object will differ. The event object is defined by Microsoft and passed to InsightIDR. To learn more, read Microsoft’s documentation at: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Note: geoip lookups will only be populated for events with external IP addresses, for example, Network Connection events.

KeyValue format
hostnameSTRING
dns_domainSTRING
r7_hostidSTRING
os_typeSTRING
event_idNUMBER
event_nameSTRING
event_providerSTRING
eventOBJECT
r7_contextOBJECT
geoip_ipSTRING
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
Sysmon event type code block
1
{
2
"hostname": "STRING",
3
"dns_domain": "STRING",
4
"r7_hostid": "STRING",
5
"os_type": "STRING",
6
"event_id": "NUMBER",
7
"event_name": "STRING",
8
"event_provider": "STRING",
9
"event": "OBJECT",
10
"r7_context": "OBJECT",
11
"geoip_ip": "STRING",
12
"geoip_city": "STRING",
13
"geoip_country_code": "STRING",
14
"geoip_country_name": "STRING",
15
"geoip_organization": "STRING",
16
"geoip_region": "STRING",
17
}

Endpoint Health

Job Status

job_status

KeyValue format
timestampTIMESTAMP
jobSTRING
hostnameSTRING
statusSTRING
messageSTRING
invocation_idSTRING
events_reportedNUMERIC
queued_timeTIMESTAMP
started_timeTIMESTAMP
finished_timeTIMESTAMP
r7_context
   asset
      rrnSTRING
      nameSTRING
      typeSTRING
r7_hostidSTRING
source_jsonOBJECT
Endpoint Health, job_status event type code block
1
{
2
"timestamp": "TIMESTAMP",
3
"job": "STRING",
4
"hostname": "STRING",
5
"status": "STRING",
6
"message": "STRING",
7
"invocation_id": "STRING",
8
"events_reported": "STRING",
9
"queued_time": "TIMESTAMP",
10
"started_time": "TIMESTAMP",
11
"finished_time": "TIMESTAMP",
12
"r7_context": {
13
"asset": {
14
"rrn": "STRING",
15
"name": "STRING",
16
"type": "STRING",
17
}
18
}
19
"r7_hostid": "STRING",
20
"source_json": "OBJECT",
21
}

File Access Activity

file_access

KeyValue format
access_typesSTRING
accountSTRING
file_extensionSTRING
file_nameSTRING
file_pathSTRING
file_shareSTRING
serviceSTRING
source_addressSTRING
source_assetSTRING
source_json{}
target_addressSTRING
timestampTIMESTAMP
userSTRING
File Access Activity event type code block
1
{
2
"access_types": "STRING",
3
"account": "STRING",
4
"file_extension": "STRING",
5
"file_name": "STRING",
6
"file_path": "STRING",
7
"file_share": "STRING",
8
"service": "STRING",
9
"source_address": "STRING",
10
"source_asset": "STRING",
11
"source_json": {},
12
"target_address": "STRING"
13
"timestamp": "TIMESTAMP",
14
"user": "STRING",
15
}

File Modification Activity

file_modification

KeyValue format
accountSTRING
assetSTRING
asset_addressSTRING
asset_os_familySTRING
file_eventSTRING
file_extensionSTRING
file_nameSTRING
file_pathSTRING
processSTRING
process_idSTRING
source_json{}
timestampTIMESTAMP
userSTRING
File Modification Activity event type code block
1
{
2
"account": "STRING",
3
"asset": "STRING",
4
"asset_address": "STRING",
5
"asset_os_family": "STRING"
6
"file_event": "STRING",
7
"file_extension": "STRING",
8
"file_name": "STRING",
9
"file_path": "STRING",
10
"process": "STRING",
11
"process_id": "STRING",
12
"source_json": {},
13
"timestamp": "TIMESTAMP",
14
"user": "STRING",
15
}

Firewall Activity

firewall

KeyValue format
assetSTRING
community_idSTRING
connection_statusSTRING
custom_data{}
destination_addressSTRING
destination_portSTRING
directionSTRING
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
incoming_bytesSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
outgoing_bytesSTRING
source_addressSTRING
source_dataSTRING
source_json{}
source_portSTRING
transport_protocolSTRING
timestampTIMESTAMP
userSTRING
observation_countNUMERIC
first_observed_timeTIMESTAMP
last_observed_timeTIMESTAMP

This event type contains deduplicated data.

Firewall Activity event type code block
1
{
2
"asset": "STRING",
3
"community_id": "STRING",
4
"connection_status": "STRING",
5
"custom_data": {},
6
"destination_address": "STRING"
7
"destination_port": "STRING",
8
"direction": "STRING",
9
"geoip_city": "STRING",
10
"geoip_country_code": "STRING",
11
"geoip_country_name": "STRING",
12
"geoip_organization": "STRING",
13
"geoip_region": "STRING",
14
"incoming_bytes": "STRING",
15
"r7_context": {
16
"user": {
17
"rrn": "RRN",
18
"name": "STRING",
19
"type": "STRING"
20
},
21
"asset": {
22
"rrn": "RRN",
23
"name": "STRING",
24
"type": "STRING"
25
}
26
},
27
"outgoing_bytes": "STRING",
28
"source_address": "STRING",
29
"source_data": "STRING",
30
"source_json": {},
31
"source_port": "STRING",
32
"transport_protocol": "STRING",
33
"timestamp": "TIMESTAMP",
34
"user": "STRING",
35
"observation_count": "NUMERIC",
36
"first_observed_time": "TIMESTAMP",
37
"last_observed_time": "TIMESTAMP",
38
}

Host To IP Observations

host_name_to_ip

KeyValue format
accountSTRING
account_domainSTRING
actionSTRING
assetSTRING
client_macSTRING
custom_data{}
hostSTRING
ipSTRING
r7_context
   host
       rrnRRN
       nameSTRING
       typeSTRING
   user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
   account
       rrnRRN
       nameSTRING
       typeSTRING
source_dataSTRING
source_json{}
timestampTIMESTAMP
userSTRING
Host to IP event type code block
1
{
2
"account": "STRING",
3
"account_domain": "STRING",
4
"action": "STRING",
5
"asset": "STRING",
6
"client_mac": "STRING",
7
"custom_data": {},
8
"host": "STRING",
9
"ip": "STRING",
10
"observation_status": "STRING"
11
"r7_context": {
12
"host": {
13
"rrn": "RRN",
14
"name": "STRING",
15
"type": "STRING"
16
},
17
"user": {
18
"rrn": "RRN",
19
"name": "STRING",
20
"type": "STRING",
21
"domain": "STRING"
22
},
23
"asset": {
24
"rrn": "RRN",
25
"name": "STRING",
26
"type": "STRING"
27
},
28
"account": {
29
"rrn": "RRN",
30
"name": "STRING",
31
"type": "STRING"
32
}
33
},
34
"source_data": "STRING",
35
"source_json": {},
36
"timestamp": "TIMESTAMP",
37
"user": "STRING",
38
}

IDS Alert

ids

KeyValue format
assetSTRING
categorySTRING
community_idSTRING
descriptionSTRING
destination_bytesSTRING
destination_ipSTRING
destination_portSTRING
destination_packet_countSTRING
ids_app_protocolSTRING
ids_app_protocol_infoSTRING
   ja3
       hashRRN
       stringSTRING
   ja3s
       hashRRN
       stringSTRING
   serialSTRING
   subjectSTRING
   versionSTRING
   issuerdnSTRING
   notafterSTRING
   notbeforeSTRING
   fingerprintSTRING
source_dataSTRING
source_jsonSTRING
timestampSTRING
ids_flow_initiatedTIMESTAMP
protocolSTRING
severitySTRING
signatureSTRING
signature_revisionSTRING
source_bytesSTRING
source_ipSTRING
source_packet_countSTRING
source_portSTRING
timestampTIMESTAMP
total_bytesSTRING
total_packet_countSTRING
userSTRING
IDS Alert event type code block
1
{
2
"asset": "STRING",
3
"category": "STRING",
4
"community_id": "STRING",
5
"description": "STRING",
6
"destination_bytes": "STRING",
7
"destination_ip": "STRING",
8
"destination_port": "STRING",
9
"destination_packet_count": "STRING"
10
"ids_app_protocol": "STRING",
11
"ids_app_protocol_info": {
12
"ja3": {
13
"hash": "STRING",
14
"string": "STRING"
15
},
16
"ja3s": {
17
"hash": "STRING",
18
"string": "STRING"
19
},
20
"serial": "STRING",
21
"subject": "STRING",
22
"version": "STRING",
23
"issuerdn": "STRING",
24
"notafter": "STRING",
25
"notbefore": "STRING",
26
"fingerprint": "STRING"
27
},
28
"ids_flow_initiated": "TIMESTAMP",
29
"protocol": "STRING",
30
"severity": "STRING",
31
"signature": "STRING",
32
"signature_revision": "STRING",
33
"source_bytes": "STRING",
34
"source_ip": "STRING",
35
"source_packet_count": "STRING",
36
"source_port": "STRING",
37
"timestamp": "TIMESTAMP",
38
"total_bytes": "STRING",
39
"total_packet_count": "STRING",
40
"user": "STRING",
41
}

Ingress Authentication

ingress_auth

KeyValue format
accountSTRING
authentication_targetSTRING
custom_data{}
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
mobile_device_idSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   account
       rrnRRN
       nameSTRING
       typeSTRING
resultSTRING
serviceSTRING
service_addressSTRING
source_dataSTRING
source_ipSTRING
source_json{}
timestampTIMESTAMP
userSTRING
user_agentSTRING
user_domainSTRING
Ingress Authentication event type code block
1
{
2
"account": "STRING",
3
"authentication_target": "STRING"
4
"custom_data": {},
5
"geoip_city": "STRING",
6
"geoip_country_code": "STRING",
7
"geoip_country_name": "STRING",
8
"geoip_organization": "STRING",
9
"geoip_region": "STRING",
10
"mobile_device_id": "STRING",
11
"r7_context": {
12
"user": {
13
"rrn": "RRN",
14
"name": "STRING",
15
"type": "STRING",
16
"domain": "STRING"
17
},
18
"account": {
19
"rrn": "RRN",
20
"name": "STRING",
21
"type": "STRING"
22
}
23
},
24
"result": "STRING",
25
"service": "STRING",
26
"service_address": "STRING",
27
"source_data": "STRING",
28
"source_ip": "STRING",
29
"source_json": {},
30
"timestamp": "TIMESTAMP",
31
"user": "STRING",
32
"user_agent": "STRING",
33
"user_domain": "STRING",
34
}

Network Flow

flow

KeyValue format
app_protocolSTRING
app_protocol_descriptionSTRING
community_idSTRING
destination_addressSTRING
destination_assetSTRING
destination_bytesSTRING
destination_packet_countSTRING
destination_portSTRING
destination_userSTRING
directionSTRING
first_packet_timeTIMESTAMP
flow_initiatedTIMESTAMP
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
mobile_device_idSTRING
last_packet_timeTIMESTAMP
r7_context
   source_user
       rrnRRN
       nameSTRING
       typeSTRING
   source_asset
       rrnRRN
       nameSTRING
       typeSTRING
   destination_user
       rrnRRN
       nameSTRING
       typeSTRING
   destination_asset
       rrnRRN
       nameSTRING
       typeSTRING
source_addressSTRING
source_assetSTRING
source_bytesSTRING
source_portSTRING
source_jsonSTRING
source_packet_countTIMESTAMP
source_userSTRING
timestampTIMESTAMP
total_bytesSTRING
total_packet_countSTRING
transport_protocolSTRING
Network Flow event type code block
1
{
2
"app_protocol": "STRING",
3
"app_protocol_description": "STRING",
4
"community_id": "STRING",
5
"destination_address": "STRING",
6
"destination_asset": "STRING",
7
"destination_bytes": "STRING",
8
"destination_packet_count": "STRING"
9
"destination_port": "STRING",
10
"destination_user": "STRING",
11
"direction": "STRING",
12
"first_packet_time": "TIMESTAMP",
13
"flow_initiated": "TIMESTAMP",
14
"geoip_city": "STRING",
15
"geoip_country_code": "STRING",
16
"geoip_country_name": "STRING",
17
"geoip_organization": "STRING",
18
"geoip_region": "STRING",
19
"last_packet_time": "TIMESTAMP",
20
"r7_context": {
21
"source_user": {
22
"rrn": "RRN",
23
"name": "STRING",
24
"type": "STRING"
25
},
26
"source_asset": {
27
"rrn": "RRN",
28
"name": "STRING",
29
"type": "STRING"
30
},
31
"destination_user": {
32
"rrn": "RRN",
33
"name": "STRING",
34
"type": "STRING"
35
},
36
"destination_asset": {
37
"rrn": "RRN",
38
"name": "STRING",
39
"type": "STRING"
40
}
41
},
42
"source_address": "STRING",
43
"source_asset": "STRING",
44
"source_bytes": "STRING",
45
"source_port": "STRING",
46
"source_packet_count": "STRING",
47
"source_user": "STRING",
48
"timestamp": "TIMESTAMP",
49
"total_bytes": "STRING",
50
"total_packet_count": "STRING",
51
"transport_protocol": "STRING",
52
}

SSO

sso

KeyValue format
userSTRING
accountSTRING
serviceSTRING
source_ipSTRING
timestampTIMESTAMP
geoip_citySTRING
source_json{}
geoip_regionSTRING
sso_providerSTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
SSO event type code block
1
{
2
"user": "STRING",
3
"account": "STRING",
4
"service": "STRING",
5
"source_ip": "STRING",
6
"timestamp": "TIMESTAMP",
7
"geoip_city": "STRING",
8
"source_json": {},
9
"geoip_region": "STRING",
10
"sso_provider": "STRING",
11
"geoip_country_code": "STRING",
12
"geoip_country_name": "STRING",
13
"geoip_organization": "STRING",
14
}

Third Party Alert

third_party_alert

KeyValue format
alert_idSTRING
assetSTRING
custom_data{}
descriptionSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
productSTRING
severitySTRING
source_dataSTRING
source_json{}
timestampTIMESTAMP
titleSTRING
typeSTRING
userSTRING
Third Party Alert event type code block
1
{
2
"alert_id": "UUID",
3
"asset": "STRING",
4
"custom_data": {},
5
"description": "STRING",
6
"r7_context": {
7
"user": {
8
"rrn": "RRN",
9
"name": "STRING",
10
"type": "STRING"
11
},
12
"asset": {
13
"rrn": "RRN",
14
"name": "STRING",
15
"type": "STRING"
16
}
17
},
18
"product": "STRING",
19
"severity": "STRING",
20
"source_data": "STRING",
21
"source_json": {}
22
"timestamp": "TIMESTAMP",
23
"title": "STRING",
24
"type": "STRING",
25
"user": "STRING",
26
}

Virus Alert

virus

KeyValue format
accountSTRING
actionSTRING
action_statusSTRING
assetSTRING
custom_data{}
error_codeSTRING
error_descriptionSTRING
file_pathSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
   account
       rrnRRN
       nameSTRING
       typeSTRING
riskSTRING
source_addressSTRING
source_dataSTRING
source_json{}
timestampTIMESTAMP
userSTRING
user_domainSTRING
Virus Alert event type code block
1
{
2
"account": "STRING",
3
"action": "STRING",
4
"action_status": "STRING",
5
"asset": "STRING",
6
"custom_data": {},
7
"error_code": "STRING",
8
"error_description": "STRING"
9
"file_path": "STRING",
10
"r7_context": {
11
"user": {
12
"rrn": "RRN",
13
"name": "STRING",
14
"type": "STRING",
15
"domain": "STRING"
16
},
17
"asset": {
18
"rrn": "RRN",
19
"name": "STRING",
20
"type": "STRING"
21
},
22
"account": {
23
"rrn": "RRN",
24
"name": "STRING",
25
"type": "STRING"
26
}
27
},
28
"risk": "STRING",
29
"source_address": "STRING",
30
"source_data": "STRING",
31
"source_json": {},
32
"timestamp": "TIMESTAMP",
33
"user": "STRING",
34
"user_domain": "STRING",
35
}

Web Proxy Activity

web_proxy

KeyValue format
assetSTRING
custom_data{}
destination_ipSTRING
geoip_citySTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_organizationSTRING
geoip_regionSTRING
http_methodSTRING
incoming_bytesSTRING
is_blockedSTRING
outgoing_bytesSTRING
public_suffixSTRING
r7_context
   user
       rrnRRN
       nameSTRING
       typeSTRING
       domainSTRING
   asset
       rrnRRN
       nameSTRING
       typeSTRING
schemeSTRING
source_dataSTRING
source_ipSTRING
source_json{}
timestampTIMESTAMP
top_private_domainSTRING
urlSTRING
url_hostSTRING
url_pathSTRING
url_querySTRING
userSTRING
observation_countNUMERIC
first_observed_timeTIMESTAMP
last_observed_timeTIMESTAMP
user_agentSTRING
user_domainSTRING

This event type contains deduplicated data.

Web Proxy event type code block
1
{
2
"asset": "STRING",
3
"custom_data": {},
4
"destination_ip": "STRING",
5
"geoip_city": "STRING",
6
"geoip_country_code": "STRING",
7
"geoip_country_name": "STRING",
8
"geoip_organization": "STRING",
9
"geoip_region": "STRING",
10
"http_method": "STRING",
11
"incoming_bytes": "STRING",
12
"is_blocked": "STRING",
13
"outgoing_bytes": "STRING",
14
"public_suffix": "STRING",
15
"r7_context": {
16
"user": {
17
"rrn": "RRN",
18
"name": "STRING",
19
"type": "STRING",
20
"domain": "STRING"
21
},
22
"asset": {
23
"rrn": "RRN",
24
"name": "STRING",
25
"type": "STRING"
26
}
27
},
28
"scheme": "STRING",
29
"source_data": "STRING",
30
"source_ip": "STRING",
31
"source_json": {},
32
"timestamp": "TIMESTAMP",
33
"top_private_domain": "STRING"
34
"url": "STRING",
35
"url_host": "STRING",
36
"url_path": "STRING",
37
"url_query": "STRING",
38
"user": "STRING",
39
"observation_count": "NUMERIC",
40
"first_observed_time": "TIMESTAMP",
41
"last_observed_time": "TIMESTAMP",
42
"user_agent": "STRING",
43
"user_domain": "STRING",
44
}

Web Server Access

web_server_access

KeyValue format
timestampTIMESTAMP
source_addressSTRING
geoip_organizationSTRING
geoip_country_codeSTRING
geoip_country_nameSTRING
geoip_citySTRING
geoip_regionSTRING
server_addressSTRING
url_hostSTRING
http_methodSTRING
url_pathSTRING
response_statusSTRING
outgoing_bytesSTRING
user_agentSTRING
refererSTRING
forwarded_forSTRING
auth_userSTRING
Web Server Access event type code block
1
{
2
"timestamp": "TIMESTAMP",
3
"source_address": STRING,
4
"geoip_organization": "STRING",
5
"geoip_country_code": "STRING",
6
"geoip_country_name": "STRING",
7
"geoip_city": "STRING",
8
"geoip_region": "STRING",
9
"server_address": "STRING",
10
"url_host": "STRING",
11
"http_method": "STRING",
12
"url_path": "STRING",
13
"response_status": "STRING",
14
"outgoing_bytes": "STRING",
15
"user_agent": "STRING",
16
"referer": "STRING",
17
"forwarded_for": "STRING",
18
"auth_user": "STRING",
19
}

Detection-based Event Types

Anomalous Data Transfer

anomalous_data_transfer

KeyValue format
analysis_hour_destinations
       citySTRING
       dst_addrNUMERIC
       dst_portNUMERIC
       hostnameSTRING
       cert_nameSTRING
       country_codeSTRING
       organizationSTRING
       dst_bytes_humanSTRING
       src_bytes_humanSTRING
       dst_bytes_percentNUMERIC
       src_bytes_percentNUMERIC
analysis_hour_stats
   bytes_ratioSTRING
   num_destinationsNUMERIC
   incoming_bytes_humanSTRING
   outgoing_bytes_humanSTRING
   num_destination_portsNUMERIC
dateTIMESTAMP
source_addressesSTRING
source_asset_idUUID
source_asset_namesSTRING
Anomalous Data Transfer event type code block
1
{
2
"analysis_hour_destinations": [
3
{
4
"city": "STRING",
5
"dst_addr": "NUMERIC",
6
"dst_port": "NUMERIC",
7
"hostname": "STRING",
8
"cert_name": "STRING",
9
"country_code": "STRING",
10
"organization": "STRING",
11
"dst_bytes_human": "STRING",
12
"src_bytes_human": "STRING",
13
"dst_bytes_percent": "NUMERIC",
14
"src_bytes_percent": "NUMERIC"
15
}
16
]
17
"analysis_hour_stats": {
18
"bytes_ratio": "STRING",
19
"num_destinations": "NUMERIC",
20
"incoming_bytes_human": "STRING",
21
"outgoing_bytes_human": "STRING",
22
"num_destination_ports": "NUMERIC"
23
},
24
"date": "TIMESTAMP",
25
"source_addresses": "STRING",
26
"source_asset_id": "UUID",
27
"source_asset_names": "STRING",
28
}

Audit Logs

The audit logs in InsightIDR capture a chronological view of every action taken in relation to a particular object, such as an investigation or alert. You can use Log Search to query the data in the audit log.

The log sets that are generated from the audit log originate from actions taken in InsightIDR, rather than event sources or the Insight Agent, so they don’t have event types.

InsightIDR Investigations

KeyValue format
timeTIMESTAMP
actionSTRING
audit_idSTRING
resultSTRING
access_methodSTRING
productSTRING
descriptionSTRING
service_info
    investigation_idSTRING
    investigation_nameSTRING
    investigation_typeSTRING
    investigation_rrnRRN
    assigned_userSTRING
    assignee_loginSTRING
request
    user_agentSTRING
    geo_location
        organizationSTRING
        country_nameSTRING
        country_codeSTRING
        citySTRING
        regionSTRING
    ipSTRING
    user
        emailSTRING
        nameSTRING
InsightIDR Investigations code block
1
{
2
"time": "TIMESTAMP",
3
"action": "STRING",
4
"audit_id": "STRING",
5
"result": "STRING",
6
"access_method": "STRING",
7
"product": "STRING",
8
"description": "STRING",
9
"service_info": {
10
"investigation_id": "STRING",
11
"investigation_name": "STRING",
12
"investigation_type": "STRING",
13
"investigation_rrn": "RRN",
14
"assigned_user": "STRING",
15
"assignee_login": "STRING"
16
},
17
"request": {
18
"user_agent": "STRING",
19
"geo_location": {
20
"organization": "STRING",
21
"country_name": "STRING",
22
"country_code": "STRING",
23
"city": "STRING",
24
"region": "STRING"
25
},
26
"ip": "STRING",
27
"user": {
28
"email": "STRING",
29
"name": "STRING"
30
}
31
}
32
}

InsightIDR Alerts

KeyValue format
timeTIMESTAMP
actionSTRING
audit_idSTRING
resultSTRING
access_methodSTRING
productSTRING
descriptionSTRING
service_info
    alert_idSTRING
    alert_nameSTRING
    alert_typeSTRING
    alert_rrnRRN
    assigned_userSTRING
    assignee_loginSTRING
request
    user_agentSTRING
    geo_location
        organizationSTRING
        country_nameSTRING
        country_codeSTRING
        citySTRING
        regionSTRING
    ipSTRING
    user
        emailSTRING
        nameSTRING
InsightIDR Alerts code block
1
{
2
"time": "TIMESTAMP",
3
"action": "STRING",
4
"audit_id": "STRING",
5
"result": "STRING",
6
"access_method": "STRING",
7
"product": "STRING",
8
"description": "STRING",
9
"service_info": {
10
"alert_id": "STRING",
11
"alert_name": "STRING",
12
"alert_type": "STRING",
13
"alert_rrn": "RRN",
14
"assigned_user": "STRING",
15
"assignee_login": "STRING"
16
},
17
"request": {
18
"user_agent": "STRING",
19
"geo_location": {
20
"organization": "STRING",
21
"country_name": "STRING",
22
"country_code": "STRING",
23
"city": "STRING",
24
"region": "STRING"
25
},
26
"ip": "STRING",
27
"user": {
28
"email": "STRING",
29
"name": "STRING"
30
}
31
}
32
}