RSA NetWitness® Suite Unified Data Model Available Concepts

Document created by RSA Link Team Employee on Feb 28, 2018. Last modified by Saket Bajoria on Mar 27, 2018.
Version 20
| Meta Class | Meta Concept | Log Parser Key | Log Parser Key Flag | Meta Key | Meta Type | Meta Index | Notes |
|---|---|---|---|---|---|---|---|
| Network | Bytes Received | rbytes | Transient | rbytes | UInt64 | IndexKeys | This key should only be used to capture the size of Bytes Received. |
| Network | Bytes Sent | sbytes | None | bytes.src | UInt64 | IndexKeys | This key should only be used to capture the size of Bytes Sent. |
| Network | Bytes Total | bytes | None | bytes | UInt64 | IndexKeys | This key is the total number of Bytes sent/received in a session. It can also be used when the Sent or Received context is not clear. |
| Network | Direction | direction | None | direction | Text | IndexValues | This key should never be used in a parser; it is a reserved key used by the product to calculate the direction. |
| Network | Domain Source | c_domain, sdomain (discontinued); domain.src (new) | None | domain.src | Text | IndexValues | This key should only be used to capture the Source Domain. |
| Network | Domain Destination | ddomain (discontinued); domain.dst (new) | None | domain.dst | Text | IndexValues | This key should only be used to capture the Destination Domain. |
| Network | Domain Generic | domainname (discontinued); domain (new) | None | domain | Text | IndexValues | This key should only be used to capture a Network Domain when the directionality is not clear. Use web.domain/tld/cctld/sld for Web-based Domains. |
| Network | Ethernet Type | eth_type | None | eth.type | UInt16 | IndexValues | This key is used to capture the Ethernet Type; used for Layer 3 Protocols only. |
| Network | Gateway | gateway | Transient | gateway | Text | IndexNone | This key is used to capture the IP Address of the gateway. |
| Network | Hostname | hostname, devicehostname, hostid, r_hostid, workstation, web_host, web_ref_host (discontinued); alias.host (new) | None | alias.host | Text | IndexValues | This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname: any Hostname that isn't ad.computer. |
| Network | Hostname Source | shost | None | host.src | Text | IndexNone | This key should only be used when it's a Source Hostname. |
| Network | Hostname Destination | dhost | None | host.dst | Text | IndexNone | This key should only be used when it's a Destination Hostname. |
| Network | Hostname Originating | host.orig | None | host.orig | Text | IndexValues | This is used to capture the original hostname when a Forwarding Agent or a Proxy is in between. |
| Network | ICMP Code | icmpcode | Transient | icmp.code | UInt32 | IndexNone | This key is used to capture the ICMP code only. |
| Network | ICMP Type | icmptype | Transient | icmp.type | UInt32 | IndexNone | This key is used to capture the ICMP type only. |
| Network | Interface Source | sinterface | Transient | sinterface | Text | IndexValues | This key should only be used when it's a Source Interface. |
| Network | Interface Destination | dinterface | Transient | dinterface | Text | IndexNone | This key should only be used when it's a Destination Interface. |
| Network | Interface Generic | interface | Transient | interface | Text | IndexNone | This key should be used when the source or destination context of an interface is not clear. |
| Network | IP Address v4 Source | saddr | None | ip.src | IPv4 | IndexValues | This key should only be used when it's a Source IP Address. |
| Network | IP Address v4 Destination | daddr | None | ip.dst | IPv4 | IndexValues | This key should only be used when it's a Destination IP Address. |
| Network | IP Address v4 Generic | devicehostip, hostip (discontinued); alias.ip (new) | None | alias.ip | IPv4 | IndexValues | This key should be used when the source/destination/local/remote context of an IPv4 address is not clear. |
| Network | IP Address v4 Translated Source | stransaddr (discontinued); ip.trans.src (new) | None | ip.trans.src | IPv4 | IndexValues | This key should only be used when it's a Source Translated IP Address. |
| Network | IP Address v4 Translated Destination | dtransaddr (discontinued); ip.trans.dst (new) | None | ip.trans.dst | IPv4 | IndexValues | This key should only be used when it's a Destination Translated IP Address. |
| Network | IP Address Originating | orig_ip (discontinued); ip.orig (new) | None | ip.orig | IPv4 | IndexValues | This is used to capture the original system's IPv4 address when a Forwarding Agent or a Proxy is in between. |
| Network | IP Address v6 Source | saddr_v6 | None | ipv6.src | IPv6 | IndexValues | This key should only be used when it's a Source IPv6 Address. |
| Network | IP Address v6 Destination | daddr_v6 | None | ipv6.dst | IPv6 | IndexValues | This key should only be used when it's a Destination IPv6 Address. |
| Network | IP Address v6 Generic | hostip_v6 (discontinued); alias.ipv6 (new) | None | alias.ipv6 | IPv6 | IndexKeys | This key should be used when the source or destination context of an IPv6 address is not clear. |
| Network | IP Address v6 Originating | ipv6.orig | None | ipv6.orig | IPv6 | IndexValues | This is used to capture the original system's IPv6 address when a Forwarding Agent or a Proxy is in between. |
| Network | MAC Address Source | smacaddr | None | eth.src | MAC | IndexValues | This key should only be used when it's a Source MAC Address. |
| Network | MAC Address Destination | dmacaddr | None | eth.dst | MAC | IndexValues | This key should only be used when it's a Destination MAC Address. |
| Network | MAC Address Generic | macaddr, devicehostmac (discontinued); alias.mac (new) | None | alias.mac | MAC | IndexValues | This key should be used when the source or destination context of a MAC Address is not clear. |
| Network | Network mask Source | smask | Transient | smask | Text | IndexNone | This key is used for capturing the source Network Mask. |
| Network | Network mask Destination | dmask | Transient | dmask | Text | IndexNone | This key is used for the Destination Device network mask. |
| Network | Network mask Generic | mask | Transient | mask | Text | IndexNone | This key is used to capture the device network IP mask. |
| Network | Network Name | netname | Transient | netname | Text | IndexValues | This key is used to capture the network name associated with an IP range. This is configured by the end user. |
| Network | Payload bytes in retransmitted packets | rpayload | Transient | rpayload | Text | IndexNone | This key is used to capture the total number of payload bytes seen in the retransmitted packets. |
| Network | Port Source | sport (discontinued); port.src (new) | None | port.src | UInt16 | IndexValues | This key should only be used when it's a Source Port. |
| Network | Port Destination | dport (discontinued); port.dst (new) | None | port.dst | UInt16 | IndexValues | This key should only be used when it's a Destination Port. |
| Network | Port Generic | network_port (discontinued); port (new) | None | port | UInt16 | IndexValues | This key should only be used to capture a Network Port when the directionality is not clear. |
| Network | Port Translated Source | stransport (discontinued); port.trans.src (new) | None | port.trans.src | UInt16 | IndexValues | This key should only be used when it's a Source Translated Port Number. |
| Network | Port Translated Destination | dtransport (discontinued); port.trans.dst (new) | None | port.trans.dst | UInt16 | IndexValues | This key should only be used when it's a Destination Translated Port Number. |
| Network | Protocol Number | ip_proto | None | ip.proto | UInt8 | IndexValues | This key should be used to capture the Protocol number; all protocol numbers are converted into strings in the UI. |
| Network | Protocol | protocol | Transient | protocol | Text | IndexNone | This key should be used to capture the protocol name. |
| Network | Protocol Detail | protocol_detail | Transient | protocol.detail | Text | IndexNone | This key should be used to capture additional protocol information. |
| Network | Service | service | None | service | UInt32 | IndexValues | This is used to capture layer 7 protocols. |
| Network | Service Name | service.name | None | service.name | Text | IndexValues | This is used to capture a descriptive service name, typically seen in Windows. |
| Network | Network Service Name | network_service | Transient | network.service | Text | IndexNone | This is used to capture layer 7 protocols/service names. |
| Network | TCP initiator port number | tcp.srcport | Transient | tcp.srcport | UInt16 | IndexValues | This key captures the source port for the TCP protocol. |
| Network | TCP responder port number | tcp.dstport | Transient | tcp.dstport | UInt16 | IndexValues | This key captures the destination port for the TCP protocol. |
| Network | UDP initiator port number | udp.srcport | Transient | udp.srcport | UInt16 | IndexValues | This key captures the source port for the UDP protocol. |
| Network | UDP responder port number | udp.dstport | Transient | udp.dstport | UInt16 | IndexValues | This key captures the destination port for the UDP protocol. |
| Network | Vlan Name | vlan | Transient | vlan.name | Text | IndexNone | This key should only be used to capture the name of the Virtual LAN. |
| Network | Vlan Number | vlan | Transient | vlan | Text | IndexNone | This key should only be used to capture the ID of the Virtual LAN. |
| Network | Zone Source | src_zone | Transient | zone.src | Text | IndexNone | This key should only be used when it's a Source Zone. |
| Network | Zone Destination | dst_zone | Transient | zone.dst | Text | IndexNone | This key should only be used when it's a Destination Zone. |
| Network | Zone Generic | zone | Transient | zone | Text | IndexNone | This key should be used when the source or destination context of a Zone is not clear. |
| Identity | Accesses | accesses | None | accesses | Text | IndexNone | This key is used to capture the actual privileges used in accessing an object. |
| Identity | Authentication Method | authmethod | Transient | auth.method | Text | IndexNone | This key is used to capture authentication methods used only. |
| Identity | Distinguished Name | dn | None | dn | Text | IndexValues | X.500 (LDAP) Distinguished Name. |
| Identity | Distinguished Name Source | src_dn | Transient | dn.src | Text | IndexNone | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Source DN. |
| Identity | Distinguished Name Destination | dst_dn | Transient | dn.dst | Text | IndexNone | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a Destination DN. |
| Identity | Domain ID | domain_id | Transient | domain.id | Text | IndexNone | This key captures the pre-Windows 2000 (NetBIOS) name of the domain ONLY. |
| Identity | Federated Identity Provider | federated_idp | Transient | federated.idp | Text | IndexNone | This key is the federated Identity Provider. This is the server providing the authentication. |
| Identity | Federated Service Provider | federated_sp | Transient | federated.sp | Text | IndexNone | This key is the federated Service Provider. This is the application requesting authentication. |
| Identity | First name of a Person | user_fname | Transient | firstname | Text | IndexNone | This key is for First Names only; it is used predominantly in Healthcare to capture Patient information. |
| Identity | Full Name of a Person | patient_fullname (discontinued); user_fullname (new) | Transient | fullname | Text | IndexKeys | This key is for Full Names only; it is used predominantly in Healthcare to capture Patient information. |
| Identity | Host Role | host_role | None | host.role | Text | IndexValues | This key should only be used to capture the role of a Host Machine. |
| Identity | Last name of a Person | user_lname | Transient | lastname | Text | IndexNone | This key is for Last Names only; it is used predominantly in Healthcare to capture Patient information. |
| Identity | Ldap Generic | ldap | Transient | ldap | Text | IndexNone | This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context. |
| Identity | Ldap Responses | ldap.response | Transient | ldap.response | Text | IndexNone | This key is to capture Results from an LDAP search. |
| Identity | Ldap search criteria | ldap.query | Transient | ldap.query | Text | IndexNone | This key is the Search criteria from an LDAP search. |
| Identity | Middle name of a Person | user_mname | Transient | middlename | Text | IndexNone | This key is for Middle Names only; it is used predominantly in Healthcare to capture Patient information. |
| Identity | Owner | original_owner | None | owner | Text | IndexValues | This is used to capture the username the process or service is running as, or the author of the task. |
| Identity | Passwords | password | Transient | password | Text | IndexKeys | This key is for Passwords seen in any session, plain text or encrypted. |
| Identity | Realm | realm | Transient | realm | Text | IndexNone | RADIUS realm or similar grouping of accounts. |
| Identity | Generic Username | administrator (discontinued); user (new) | None | user | Text | IndexValues | This key should be used when the source/destination/initiated/target context of a username is not clear. |
| Identity | Secondary Username | c_username | None | user.src | Text | IndexValues | This key should only be used to capture the Secondary/Source User in the event. |
| Identity | Primary Username | username | None | user.dst | Text | IndexValues | This key should only be used to capture the Primary/Destination User in the event. |
| Identity | User Role | user_role | Transient | user.role | Text | IndexNone | This key is used to capture the Role of a user only. |
| Identity | User Unique ID/Logon ID | uid, logon_id (discontinued); user.id (new) | None | user.id | Text | IndexNone | This key is used to capture the unique identifier for an account. |
| Identity | Source User Session ID | c_sid | Transient | user.sid.src | Text | IndexNone | This key captures the Source User Session ID. |
| Identity | Destination User Session ID | sid | Transient | user.sid.dst | Text | IndexNone | This key captures the Destination User Session ID. |
| Identity | User's Department | user_dept | Transient | user.dept | Text | IndexNone | User's Department Names only. |
| Identity | User Organization | user_org | Transient | org | Text | IndexValues | This key captures the User organization. |
| Identity | Service Account | service_account (discontinued); service.account (new) | None | service.account | Text | IndexNone | This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy Usage. |
| Identity | Type of Logon | logon_type | None | logon.type | Text | IndexValues | This key is used to capture the Type of Logon method used only. |
| Identity | User Profile | profile | Transient | profile | Text | IndexNone | This key is used to capture the user profile. |
| Investigations | Behaviour of Compromise | boc | Transient | boc | Text | IndexValues | This is used to capture a behaviour of compromise. |
| Investigations | Indicator of compromise | ioc | Transient | ioc | Text | IndexValues | This key captures an indicator of compromise. |
| Investigations | Enablers of Compromise | eoc | Transient | eoc | Text | IndexValues | This is used to capture Enablers of Compromise. |
| Investigations | Event Categorization ID | event_cat (discontinued); event.cat (new) | Transient | event.cat | UInt32 | IndexNone | This key captures the Event category number. |
| Investigations | Event Category Name | event_cat_name (discontinued); event.cat.name (new) | None | event.cat.name | Text | IndexValues | This key captures the event category name corresponding to the event.cat code. |
| Investigations | Event Activity | ec_activity | None | ec.activity | Text | IndexValues | This key captures the particular event activity (e.g. Logoff). |
| Investigations | Event Outcome | ec_outcome | None | ec.outcome | Text | IndexValues | This key captures the outcome of a particular Event (e.g. Success). |
| Investigations | Event Subject | ec_subject | None | ec.subject | Text | IndexValues | This key captures the Subject of a particular Event (e.g. User). |
| Investigations | Event Theme | ec_theme | None | ec.theme | Text | IndexValues | This key captures the Theme of a particular Event (e.g. Authentication). |
| Investigations | File Analysis | analysis.file | Transient | analysis.file | Text | IndexValues | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file. |
| Investigations | Service Analysis | analysis.service | Transient | analysis.service | Text | IndexValues | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service. |
| Investigations | Session Analysis | analysis.session | Transient | analysis.session | Text | IndexValues | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session. |
| Investigations | Investigation Category | inv.category | Transient | inv.category | Text | IndexValues | This is used to capture the investigation category. |
| Investigations | Investigation Context | inv.context | Transient | inv.context | Text | IndexValues | This is used to capture the investigation context. |
| Investigations | Vendor supplied Event Category | vendor_event_cat | Transient | event.vcat | Text | IndexNone | This is a vendor-supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. |
| Counters | Device class Counter 1 | dclass_counter1 | Transient | dclass.c1 | Int32 | IndexNone | This is a generic counter key that should be used with the label dclass.c1.str only. |
| Counters | Device class Counter 1 Description | dclass_counter1_string | Transient | dclass.c1.str | Text | IndexNone | This is a generic counter string key that should be used with the label dclass.c1 only. |
| Counters | Device class Counter 2 | dclass_counter2 | Transient | dclass.c2 | Int32 | IndexNone | This is a generic counter key that should be used with the label dclass.c2.str only. |
| Counters | Device class Counter 2 Description | dclass_counter2_string | Transient | dclass.c2.str | Text | IndexNone | This is a generic counter string key that should be used with the label dclass.c2 only. |
| Counters | Device class Counter 3 | dclass_counter3 | Transient | dclass.c3 | Int32 | IndexNone | This is a generic counter key that should be used with the label dclass.c3.str only. |
| Counters | Device class Counter 3 Description | dclass_counter3_string | Transient | dclass.c3.str | Text | IndexNone | This is a generic counter string key that should be used with the label dclass.c3 only. |
| Counters | Device class Ratio 1 | dclass_ratio1 | Transient | dclass.r1 | Text | IndexNone | This is a generic ratio key that should be used with the label dclass.r1.str only. |
| Counters | Device class Ratio 1 Description | dclass_ratio1_string | Transient | dclass.r1.str | Text | IndexNone | This is a generic ratio string key that should be used with the label dclass.r1 only. |
| Counters | Device class Ratio 2 | dclass_ratio2 | Transient | dclass.r2 | Text | IndexNone | This is a generic ratio key that should be used with the label dclass.r2.str only. |
| Counters | Device class Ratio 2 Description | dclass_ratio2_string | Transient | dclass.r2.str | Text | IndexNone | This is a generic ratio string key that should be used with the label dclass.r2 only. |
| Counters | Device class Ratio 3 | dclass_ratio3 | Transient | dclass.r3 | Text | IndexNone | This is a generic ratio key that should be used with the label dclass.r3.str only. |
| Counters | Device class Ratio 3 Description | dclass_ratio3_string | Transient | dclass.r3.str | Text | IndexNone | This is a generic ratio string key that should be used with the label dclass.r3 only. |
| Counters | Event Counter | event_counter | Transient | event.counter | Int32 | IndexNone | This is used to capture the number of times an event repeated. |
| Cryptography | Certificate Checksum | cert_checksum | None | cert.checksum | Text | IndexValues | This key is used to capture the Certificate checksum only. |
| Cryptography | Certificate Error String | cert_error | Transient | cert.error | Text | IndexNone | This key captures the Certificate Error String. |
| Cryptography | Certificate host | cert_common (discontinued); cert_hostname (new) | Transient | cert.host.name | Text | IndexValues | This key is used to capture the Certificate host only. |
| Cryptography | Certificate host category | cert_hostname_cat | Transient | cert.host.cat | Text | IndexNone | This key is used for the hostname category value of a certificate. |
| Cryptography | Certificate organization | cert_subject | None | cert.subject | Text | IndexValues | This key is used to capture the Certificate organization only. |
| Cryptography | Certificate serial number | cert.serial | Transient | cert.serial | Text | IndexNone | This key is used to capture the Certificate serial number only. |
| Cryptography | Certificate signing authority | cert_ca | None | cert.ca | Text | IndexValues | This key is used to capture the Certificate signing authority only. |
| Cryptography | Certificate status | cert_status | Transient | cert.status | Text | IndexNone | This key captures the Certificate validation status. |
| Cryptography | Cryptographic Method and Version | encryption_type | Transient | crypto | Text | IndexValues | This key is used to capture the Encryption Type or Encryption Key only. |
| Cryptography | Destination (Server) Cipher | d_cipher | Transient | cipher.dst | Text | IndexNone | This key is for the Destination (Server) Cipher. |
| Cryptography | Destination (Server) Cipher size | d_ciphersize | Transient | cipher.size.dst | Int32 | IndexNone | This key captures the Destination (Server) Cipher Size. |
| Cryptography | Encryption peer's identity | peer_id | Transient | peer.id | Text | IndexNone | This key is for the Encryption peer's identity. |
| Cryptography | Encryption peer's IP Address | peer | Transient | peer | Text | IndexNone | This key is for the Encryption peer's IP Address. |
| Cryptography | Encryption scheme used | scheme | Transient | scheme | Text | IndexNone | This key captures the Encryption scheme used. |
| Cryptography | Signature Type | sigtype | Transient | sig.type | Text | IndexNone | This key captures the Signature Type. |
| Cryptography | IKE Cookie 1 | ike_cookie1 | Transient | ike.cookie1 | Text | IndexNone | ID of the negotiation, sent for ISAKMP Phase One. |
| Cryptography | IKE Cookie 2 | ike_cookie2 | Transient | ike.cookie2 | Text | IndexNone | ID of the negotiation, sent for ISAKMP Phase Two. |
| Cryptography | IKE Negotiation Phase | ike | Transient | ike | Text | IndexNone | IKE negotiation phase. |
| Cryptography | Source (Client) Cipher | s_cipher | Transient | cipher.src | Text | IndexNone | This key is for the Source (Client) Cipher. |
| Cryptography | Source (Client) Cipher size | s_ciphersize | Transient | cipher.size.src | Int32 | IndexNone | This key captures the Source (Client) Cipher Size. |
| Database | Database ID | db_id | Transient | db.id | Text | IndexNone | This key is used to capture the unique identifier for a database. |
| Database | Database instance name | instance | Transient | instance | Text | IndexNone | This key is used to capture the database server instance name. |
| Database | Database Name | db_name | Transient | database | Text | IndexValues | This key is used to capture the name of a database or an instance as seen in a session. |
| Database | Database server Process ID | db_pid | Transient | db.pid | Int32 | IndexNone | This key captures the process ID of a connection with the database server. |
| Database | Index ID | index | Transient | index | Text | IndexNone | This key captures the IndexID of the index. |
| Database | Logical Reads | lread | Transient | lread | Int32 | IndexNone | This key is used for the number of logical reads. |
| Database | Logical Writes | lwrite | Transient | lwrite | Int32 | IndexNone | This key is used for the number of logical writes. |
| Database | Permissions | privilege (discontinued); permissions (new) | Transient | permissions | Text | IndexNone | This key captures the permission or privilege level assigned to a resource. |
| Database | Physical Reads | pread | Transient | pread | Int32 | IndexNone | This key is used for the number of physical reads. |
| Database | SQL Transaction ID | trans_id | Transient | transact.id | Text | IndexNone | This key captures the SQL transaction ID of the current session. |
| Database | Table Name | tbl_name | Transient | table.name | Text | IndexNone | This key is used to capture the table name. |
| Email | Email Generic | user_address, cc, bcc (discontinued); email (new) | None | email | Text | IndexValues | This key is used to capture a generic email address where the source or destination context is not clear. |
| Email | Email Source | from | None | email.src | Text | IndexValues | This key is used to capture the source email address only; when the source context is not clear, use email. |
| Email | Email Destination | to | None | email.dst | Text | IndexValues | This key is used to capture the Destination email address only; when the destination context is not clear, use email. |
| Email | Subject | subject | None | subject | Text | IndexKeys | This key is used to capture the subject string from an Email only. |
| File | Attachment File | attachment | None | attachment | Text | IndexValues | This key captures the attachment file name. |
| File | File Directory | directory | None | directory | Text | IndexKeys | This key is used to capture the file directory or path only. |
| File | File Entropy | file_entropy | None | file.entropy | Float32 | IndexValues | This is used to capture the entropy value of a file. |
| File | File Extension | web_extension (discontinued); extension (new) | None | extension | Text | IndexValues | This key is used to capture the extension portion of a filename, or the extension of the page that was requested. |
| File | File Type | filetype | Transient | filetype | Text | IndexValues | This key is used to capture the Type of File only. |
| File | Filename | filename | File | filename | Text | IndexValues | This key is used to capture the complete filename/Webpage with extension where the directionality is not clear. This should not include the directory/path. |
| File | Source Filename | filename_src | None | filename.src | Text | IndexValues | This is used to capture the name of the parent filename, the file which performed the action. |
| File | Destination Filename | filename_dst | None | filename.dst | Text | IndexValues | This is used to capture the name of the file targeted by the action. |
| File | Filesize | filename_size | None | filename.size | Int32 | IndexKeys | This key is used to capture the size of the file only. |
| File | File Attribute | file.attributes | None | file.attributes | Text | IndexValues | This key is used to capture the attribute of the file. |
| File | Task Name | task_name | None | task.name | Text | IndexValues | This is used to capture the name of the task. |
| File | Vendor File | file_vendor | None | file.vendor | Text | IndexValues | This is used to capture the Company name of a file, located in version_info. |
| Physical | City Source | city.src | Transient | city.src | Text | IndexValues | This is used to capture the source City location based on the GeoIP Maxmind database. |
| Physical | City Destination | city.dst | Transient | city.dst | Text | IndexValues | This is used to capture the destination City location based on the GeoIP Maxmind database. |
| Physical | Latitude Source | latdec_src | None | latdec.src | Float32 | IndexNone | This is used to capture the source Latitude based on the GeoIP Maxmind database. |
| Physical | Latitude Destination | latdec_dst | None | latdec.dst | Float32 | IndexNone | This is used to capture the destination Latitude based on the GeoIP Maxmind database. |
| Physical | Longitude Source | longdec_src | None | longdec.src | Float32 | IndexNone | This is used to capture the source Longitude based on the GeoIP Maxmind database. |
| Physical | Longitude Destination | longdec_dst | None | longdec.dst | Float32 | IndexNone | This is used to capture the destination Longitude based on the GeoIP Maxmind database. |
| Physical | Organization Source | org.src | None | org.src | Text | IndexValues | This is used to capture the source organization based on the GeoIP Maxmind database. |
| Physical | Organization Destination | org_dst (discontinued); org.dst (new) | None | org.dst | Text | IndexValues | This is used to capture the destination organization based on the GeoIP Maxmind database. |
| Healthcare | Patient Identifier | patient_id | Transient | patient.id | Text | IndexNone | This key captures the unique ID for a patient. |
| Healthcare | Patient's First Name | patient_fname | Transient | patient.fname | Text | IndexNone | This key is for First Names only; it is used predominantly in Healthcare to capture Patient information. |
| Healthcare | Patient's Last Name | patient_lname | Transient | patient.lname | Text | IndexNone | This key is for Last Names only; it is used predominantly in Healthcare to capture Patient information. |
| Healthcare | Patient's Middle Name | patient_mname | Transient | patient.mname | Text | IndexNone | This key is for Middle Names only; it is used predominantly in Healthcare to capture Patient information. |
| Miscellaneous | Action Taken | web_method (discontinued); action (new) | None | action | Text | IndexValues | This key is used to capture the primary action in a session. |
| Miscellaneous | Additional Info | info | Transient | index | Text | IndexNone | This key captures Additional/Extra event information that could not be captured into a separate column. |
| Miscellaneous | Phone | calling_from, calling_to (discontinued); phone_number (new) | Transient | phone | Text | IndexNone | This is used to capture the Phone Number or a Calling station ID. |
| Miscellaneous | Auto Run type | autorun_type | None | autorun.type | Text | IndexValues | This is used to capture the Auto Run type. |
| Miscellaneous | Category Given by Vendor | category | None | category | Text | IndexValues | This key is used to capture the category of an event given by the vendor in the session. |
| Miscellaneous | Change Attribute | change_attribute | Transient | change.attrib | Text | IndexNone | This key is used to capture the name of the attribute that's changing in a session. |
| Miscellaneous | Change New | change_new | Transient | change.new | Text | IndexNone | This key is used to capture the new value of the attribute that's changing in a session. |
| Miscellaneous | Change Old | change_old | Transient | change.old | Text | IndexNone | This key is used to capture the old value of the attribute that's changing in a session. |
| Miscellaneous | Checksum/Hash | checksum | None | checksum | Text | IndexKeys | This is used to capture the checksum or a hash of an entity. |
| Miscellaneous | Client Application | agent | None | client | Text | IndexValues | This key is used to capture the name of the client application only. |
| Miscellaneous | Comments | comments | Transient | comments | Text | IndexNone | Comment information provided in the log message. |
| Miscellaneous | Connection ID | connectionid | Transient | connection.id | Text | IndexNone | This key captures the Connection ID. |
| Miscellaneous | Content | content | Transient | content | Text | IndexValues | This key captures the content type from protocol headers. |
| Miscellaneous | Content Type | content_type | Transient | content.type | Text | IndexNone | This key is used to capture the Content Type only. |
| Miscellaneous | Content Version | content_version | Transient | content.version | Text | IndexNone | This key captures the Version level of a signature or database content. |
| Miscellaneous | Context Info | context | Transient | context | Text | IndexNone | This key captures Information which adds additional context to the event. |
| Miscellaneous | Context Subject | s_context | Transient | context.subject | Text | IndexNone | This key is to be used in an audit context where the subject is the object being identified. |
| Miscellaneous | Context Target | t_context | Transient | context.target | Text | IndexNone | This key is to be used in an audit context where the Target is the object being identified. |
| Miscellaneous | CPU Time | cpu | Transient | cpu | UInt32 | IndexNone | This key is the CPU time used in the execution of the event being recorded. |
| Miscellaneous | Credit Card Number | cc.number | Transient | cc.number | Int32 | IndexNone | Valid Credit Card Numbers only. |
| Miscellaneous | CVE | cve | Transient | cve | Text | IndexNone | This key captures the CVE (Common Vulnerabilities and Exposures) identifier for known information security vulnerabilities. |
| Miscellaneous | Destination SPI Index | dst_spi | Transient | spi.dst | Text | IndexNone | Destination SPI Index. |
| Miscellaneous | Device Name | device | Transient | device.name | Text | IndexValues | This is used to capture the name of the Device associated with the node, e.g. a physical disk, printer, etc. |
| Miscellaneous | Disposition | disposition | Transient | disposition | Text | IndexNone | This key captures the end state of an action. |
| Miscellaneous | DNS Query Type | dns_querytype | Transient | dns.querytype | Text | IndexNone | This key is used to capture the DNS Query type only. |
| Miscellaneous | Document/File number | doc_number | Transient | doc.number | Int32 | IndexNone | This key captures the File Identification number. |
| Miscellaneous | Employer identification number | ein.number | Transient | ein.number | Int32 | IndexNone | Employer Identification Numbers only. |
| Miscellaneous | Error Codes | error | Transient | error | Text | IndexValues | This key captures all non-successful Error codes or responses. |
| Miscellaneous | Event Description | detail (discontinued); event_description (new) | None | event.desc | Text | IndexValues | This key is used to capture a description of an event, available directly or inferred. |
| Miscellaneous | Event HostName | event_computer | None | event.computer | Text | IndexValues | This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log. |
| Miscellaneous | Event ID | id | None | reference.id | Text | IndexValues | This key is used to capture an event ID from the session directly. |
| Miscellaneous | Event Log Name | event_log | Transient | event.log | Text | IndexNone | This key captures the Name of the event log. |
| Miscellaneous | Event Session ID | sessionid | Transient | log.session.id | Text | IndexNone | This key is used to capture a session ID from the session directly. |
| Miscellaneous | Linked (Related) Session ID | sessionid1 | Transient | log.session.id1 | Text | IndexNone | This key is used to capture a Linked (Related) Session ID from the session directly. |
| Miscellaneous | Event Source | event_source | None | event.source | Text | IndexValues | This key captures the Source of the event when it's not a hostname. |
| Miscellaneous | Event State | event_state | None | event.state | Text | IndexNone | This key captures the current state of the object/item referenced within the event, describing an on-going event. |
| Miscellaneous | Event Type | event_type | None | event.type | Text | IndexValues | This key captures the event category type as specified by the event source. |
| Miscellaneous | Event User | event_user | None | event.user | Text | IndexValues | This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log. |
| Miscellaneous | Expected Value | expected_val | Transient | expected.val | Text | IndexNone | This key captures the Value expected (from the perspective of the device generating the log). |
| Miscellaneous | Filter Category Number | fcatnum | Transient | fcatnum | Text | IndexNone | This key captures the Filter Category Number. Legacy Usage. |
| Miscellaneous | Filter Name | filter | None | filter | Text | IndexValues | This key captures the Filter used to reduce the result set. |
| Miscellaneous | Filter Result | fresult | Transient | fresult | Int32 | IndexNone | This key captures the Filter Result. |
| Miscellaneous | Found | found | Transient | found | Text | IndexValues | This is used to capture the results of a regex match. |
| Miscellaneous | Group ID | groupid | Transient | group.id | Text | IndexNone | This key captures the Group ID Number (related to the group name). |
| Miscellaneous | Group Name | group | None | group | Text | IndexNone | This key captures the Group Name value. |
| Miscellaneous | Group Object | group_object | Transient | group.object | Text | IndexNone | This key captures a collection/grouping of entities. Specific usage. |
| Miscellaneous | Hardware/Serial ID | hardware_id | Transient | hardware.id | Text | IndexNone | This key is used to capture the unique identifier for a device or system (NOT a MAC address). |
| Miscellaneous | Information | info | Transient | index | Text | IndexNone | This key captures Extra event information that could not be captured into a separate meta. |
| Miscellaneous | Job Number | jobnum | Transient | job.num | Text | IndexNone | This key captures the Job Number. |
| Miscellaneous | Language | language | Transient | language | Text | IndexValues | This is used to capture the list of languages the client supports and which it prefers. |
| Miscellaneous | LifeTime | lifetime | Transient | lifetime | UInt16 | IndexNone | This key is used to capture the session lifetime in seconds. |
| Miscellaneous | Link to another Session | link | Transient | link | Text | IndexKeys | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness. |
| Miscellaneous | Linked Signature ID | sigid1 | Transient | sig.id1 | Int32 | IndexNone | This key captures the IDS/IPS Int Signature ID. This must be linked to the sig.id. |
| Miscellaneous | Message | message | Transient | message | Text | IndexNone | This key captures the contents of instant messages. |
| Miscellaneous | Message Body | message_body | Transient | message.body | Text | IndexNone | This key captures the contents of the message body. |
| Miscellaneous | Name of the Terminal | terminal | Transient | terminal | Text | IndexNone | This key captures the Terminal Names only. |
| Miscellaneous | Node | node | Transient | node | Text | IndexNone | The common use case is the node name within a cluster. The cluster name is reflected by the host name. |
| Miscellaneous | Object Name | obj_name | None | obj.name | Text | IndexValues | This is used to capture the name of an object. |
| Miscellaneous | Object Type | obj_type | None | obj.type | Text | IndexValues | This is used to capture the type of an object. |
| Miscellaneous | Observed Value | observed_val | Transient | observed.val | Text | IndexNone | This key captures the Value observed (from the perspective of the device generating the log). |
| Miscellaneous | Operation Number | operation_id | Transient | operation.id | Text | IndexNone | An alert number or operation number. The values should be unique and non-repeating. |
| Miscellaneous | OS Name | os | None | OS | Text | IndexNone | This key captures the Name of the Operating System. |
| Miscellaneous | Packets Total | packets | Transient | packets | UInt32 | IndexNone | This key is the total number of packets sent/received in a session. It can also be used when the Sent or Received context is not clear. |
MiscellaneousParent Node Nameparent_nodeTransientparent.nodeTextIndexNoneThis key captures the Parent Node Name.  Must be related to node variable.
MiscellaneousPolicy Contentspolicy_valueTransientpolicy.valueTextIndexNoneThis key captures the contents of the policy.  This contains details about the policy
MiscellaneousPolicy IDpolicy_idTransientpolicy.idTextIndexNoneThis key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
MiscellaneousPolicy NamepolicynameNonepolicy.nameTextIndexValuesThis key is used to capture the Policy Name only.
MiscellaneousPool IDpool_idTransientpool.idTextIndexNoneThis key captures the identifier (typically numeric field) of a resource pool
MiscellaneousPool Namepool_nameTransientpool.nameTextIndexNoneThis key  captures the name of a resource pool
MiscellaneousPort(Physical/Logical)portnameTransientport.nameTextIndexNoneThis key is used for Physical or logical port connection but does NOT include a network port.  (Example: Printer port name).
MiscellaneousProcess Name child_process (discontinued) process (new) NoneprocessTextIndexValuesThis key is used to capture the Process Name, in case of parent child relationship, this can be used for child process name context.
MiscellaneousSource Process Nameparent_process (discontinued) process_src (new)Transientprocess.srcTextIndexNoneThis key is used to capture the Source Proccess Name, in case of parent child relationship, this can be used for parent process name context
MiscellaneousProcess ID

child_pid (discontinued)

process_id (new)

Transientprocess.idInt64IndexNoneThis key is used to capture the Process ID, in case of parent child relationship, this can be used for child process id context.
MiscellaneousSource Process IDparent_pid (discontinued) process_id_src (new)Transientprocess.id.srcInt64IndexNoneThis key is used to capture the Source Proccess ID, in case of parent child relationship, this can be used for parent process id context 
MiscellaneousProcess ID Value

child_pid_val (discontinued)

process_id_val (new)

Transientprocess.id.valTextIndexNoneThis key is a failure key for Process ID when it is not an integer value 
MiscellaneousParametersparamNoneparamTextIndexNoneThis key is the parameters passed as part of a command or application, etc.
MiscellaneousSource Parameterparam.srcNoneparam.srcTextIndexNoneThis key captures source paramater
MiscellaneousProduct NameproductTransientproductTextIndexNoneThis key is used to capture the name of the product.
MiscellaneousReference Id1id1Transientreference.id1TextIndexNoneThis key is for Linked ID to be used as an addition to "reference.id"
MiscellaneousReference Id2id2Transientreference.id2TextIndexNoneThis key is for the 2nd Linked ID.  Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
MiscellaneousRegex MatchmatchTransientmatchTextIndexKeysThis key is for regex match name from search.ini
MiscellaneousResultresultNoneresult TextIndexValuesThis key is used to capture the outcome/result string value of an action in a session.
MiscellaneousResult CoderesultcodeNoneresult.codeTextIndexValuesThis key is used to capture the outcome/result numeric value of an action in a session
MiscellaneousRiskriskTransientrisk TextIndexNoneThis key captures the non-numeric risk value
MiscellaneousRisk Numberrisk_numNonerisk.numFloat64IndexNoneThis key captures a Numeric Risk value
MiscellaneousRisk Number Communityrisk_num_commNonerisk.num.commFloat32IndexNoneThis key captures Risk Number Community
MiscellaneousRisk Number NextGenrisk_num_nextNonerisk.num.nextFloat32IndexNoneThis key captures Risk Number NextGen
MiscellaneousRisk Number SandBoxrisk_num_sandNonerisk.num.sandFloat32IndexNoneThis key captures Risk Number SandBox
MiscellaneousRisk Number Staticrisk_num_staticNonerisk.num.staticFloat32IndexNoneThis key captures Risk Number Static
MiscellaneousRule Grouprule_groupTransientrule.groupTextIndexNoneThis key captures the Rule group name
MiscellaneousRule NamerulenameTransientrule.nameTextIndexNoneThis key captures the Rule Name 
MiscellaneousRule NumberruleTransientruleTextIndexNoneThis key captures the Rule number
MiscellaneousRule Templaterule_templateTransientrule.templateTextIndexNoneA default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
MiscellaneousRule Unique IDrule_uidTransientrule.uidTextIndexNoneThis key is the Unique Identifier for a rule.  
MiscellaneousSearch Textsearch.textTransientsearch.textTextIndexKeysThis key captures the Search Text used
MiscellaneousSensor NamesensorTransientsensorTextIndexNoneThis key captures Name of the sensor. Typically used in IDS/IPS based devices
MiscellaneousSerial Numberserial_numberTransientserial.numberTextIndexNoneThis key is the Serial number associated with a physical asset.
MiscellaneousServer ApplicationapplicationTransientserverTextIndexValuesThis key is used to capture the name of the server application only
MiscellaneousSeverityseverityTransientseverityTextIndexNoneThis key is used to capture the severity given the session
MiscellaneousSignature IDsigidNonesig.idInt32IndexNoneThis key captures IDS/IPS Int Signature ID
MiscellaneousSignature Stringsigid_stringTransientsig.id.strTextIndexNoneThis key captures a string object of the sigid variable.
MiscellaneousSignature Namesigname (discontinued) sig.name (new)Nonesig.nameTextIndexNoneThis key is used to capture the Signature Name only.
MiscellaneousSNMP OID snmp.oidTransientsnmp.oidTextIndexNoneSNMP Object Identifier
MiscellaneousSNMP Valuesnmp.valueTransientsnmp.valueTextIndexNoneSNMP set request value
MiscellaneousSource SPI Indexsrc_spiTransientspi.srcTextIndexNoneSource SPI Index
MiscellaneousSQL QuerysqlTransientsqlTextIndexKeysThis key captures the SQL query
MiscellaneousStream InfostreamsTransientstreamsUInt8IndexNoneThis key captures number of streams in session
MiscellaneousSub component Versioncomponent_versionTransientcomp.versionTextIndexNoneThis key captures the Version level of a sub-component of a product. 
MiscellaneousLibrarylibraryTransientlibraryTextIndexNoneThis key is used to capture library information in mainframe devices
MiscellaneousListnumlistnumTransientlistnumTextIndexNoneThis key is used to capture listname or listnumber, primarily for collecting access-list
MiscellaneousTCP Flagstcp_flagsNonetcp.flagsUInt8IndexNoneThis key is captures the TCP flags set in any packet of session
MiscellaneousTrigger Descriptiontrigger_descTransienttrigger.descTextIndexNoneThis key captures the Description of the trigger or threshold condition.
MiscellaneousTrigger Valuetrigger_valTransienttrigger.valTextIndexNoneThis key captures the Value of the trigger or threshold condition.
MiscellaneousType Of ServicetosTransienttosInt32IndexNoneThis key describes the type of service
MiscellaneousAgent IDagent.idNoneagent.idTextIndexNoneThis key is used to capture agent id
MiscellaneousUser Agentuser_agentNoneuser.agentTextIndexNoneThis key captures the User agent identifier or the  browser identification string 
MiscellaneousVersion OS/ApplicationversionNoneversionTextIndexValuesThis key captures Version of the application or OS which is generating the event.
MiscellaneousVirtual system namevsysTransientvsysTextIndexNoneThis key captures Virtual System Name
MiscellaneousVirus NamevirusnameNonevirusnameTextIndexValuesThis key captures the name of the virus
MiscellaneousVMWARE Targetvm_targetTransientvm.targetTextIndexNoneVMWare Target **VMWARE** only varaible.
MiscellaneousVulnerability Referencevuln_refTransientvuln.refTextIndexNoneThis key captures the Vulnerability Reference details
MiscellaneousWorkspace Descriptionworkspace_descTransientworkspaceTextIndexNoneThis key captures Workspace Description
MiscellaneousPayload Sourcesrc_payloadTransientpayload.srcTextIndexNoneThis key is used to capture source payload
MiscellaneousPayload Destinationdst_payloadTransientpayload.dstTextIndexNoneThis key is used to capture destination payload
MiscellaneousMailbox ID/Namemail_idTransientmail.idTextIndexNoneThis key is used to capture the mailbox id/name
PhysicalCity namelocation_cityTransientloc.cityTextIndexNoneThis is used to capture the CIty Name when the Source/Destination Context is not clear,  as seen in a session. There is a separate key for GeoIP based City
PhysicalCountry namelocation_countryTransientloc.countryTextIndexNoneThis is used to capture the Country Name when the Source/Destination Context is not clear,  as seen in a session. 
PhysicalSource Countrylocation_srcNonecountry.srcTextIndexValuesThis is used to capture Source Country
PhysicalDestination Countrylocation_dstNonecountry.dstTextIndexValuesThis is used to capture Destination Country
PhysicalLocationlocation_descTransientloc.descTextIndexNoneThis is used to capture either the complete address or a description about a location being referenced in a session
PhysicalState or province namelocation_stateTransientloc.stateTextIndexNoneThis is used to capture the State Name as seen in a session.
ReservedConcentrator IDcidTransientcidTextIndexValuesThis is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDecoder IDdidTransientdidTextIndexValuesThis is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEntropy Requestentropy.reqTransiententropy.reqUInt16IndexNoneThis key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
ReservedEntropy Responseentropy.resTransiententropy.resUInt16IndexNoneThis key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
ReservedESM Device Groupdevice.groupNonedevice.groupTextIndexValuesThis key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Source Classdevice.classNonedevice.classTextIndexValuesThis is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Source HostNamedevice.hostNonedevice.hostTextIndexValuesThis is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Source IPv4 Addressdevice.ipNonedevice.ipIPv4IndexValuesThis is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Source IPv6 Addressdevice.ipv6Nonedevice.ipv6IPv6IndexValuesThis is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Source Parser Namedevice.typeNonedevice.typeTextIndexValuesThis is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Categoryfeed.categoryTransientfeed.categoryTextIndexKeysThis is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Descriptionfeed_descNonefeed.descTextIndexKeysThis is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Namefeed_nameNonefeed.nameTextIndexKeysThis is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedHeader IDheader.idNoneheader.idTextIndexNoneThis is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedIP Address v4 Relayforward.ipNoneforward.ipIPv4IndexNoneThis key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
ReservedIP Address v6 Relayforward.ipv6Noneforward.ipv6IPv6IndexNoneThis key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedLog Collector IDlc.cidNonelc.cidTextIndexValuesThis is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedLog Collector Timelc.ctimeNonelc.ctimeTimeTIndexNoneThis is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMediummediumTransientmediumUInt8IndexValuesThis key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
ReservedMessage ID1vidTransientmsg.vidTextIndexNoneThis is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMessage ID2msg_idNonemsg.idTextIndexValuesThis is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMost Common Byte Count Requestmcbc.reqTransientmcbc.reqUInt32IndexNoneThis key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
ReservedMost Common Byte Count Responsemcbc.resTransientmcbc.resUInt32IndexNoneThis key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
ReservedMost Common Byte Requestmcb.reqTransientmcb.reqUInt8IndexNoneThis key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
ReservedMost Common Byte Responsemcb.resTransientmcb.resUInt8IndexNoneThis key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
ReservedNetwitness Endpoint Callback IDnwe.callback_idNonenwe.callback_idTextIndexKeysThis key denotes that event is endpoint related
ReservedParser Errorparse.errorNoneparse.errorTextIndexValuesThis is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedPayload Requestpayload.reqTransientpayload.reqUInt16IndexNoneThis key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.  However, in order to keep
ReservedPayload Responsepayload.resTransientpayload.resUInt16IndexNoneThis key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.  However, in order to keep
ReservedPayload SizepayloadTransientpayloadUInt32IndexNoneThis is the size of a payload in a Packet Session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedRaw MessagemsgTransientmsgTextIndexNoneThis key is used to capture the raw message that comes into the Log Decoder
ReservedRemote Session IDridTransientridUInt64IndexKeysThis is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSession IDsessionidTransientsessionidUInt64Index SpecialThis is a special ID of the session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSession SizesizeTransientsizeUInt32Index SpecialThis is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSession TimetimeTransienttimeTimeTIndexValuesThis is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
ReservedSource FilesourcefileTransientsourcefileTextIndexValuesThis is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSplit Sessionssession.splitTransientsession.splitTextIndexNoneThis key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedUnique Byte Count Requestubc.reqTransientubc.reqUInt32IndexNoneThis key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.  256 would mean all byte values of 0 thru 255 were seen at least once
ReservedUnique Byte Count Responseubc.resTransientubc.resUInt32IndexNoneThis key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.  256 would mean all byte values of 0 thru 255 were seen at least once
ReservedWordwordTransientwordTextIndexValuesThis is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
StorageDisk Volumedisk_volumeTransientdisk.volumeTextIndexNoneA unique name assigned to logical units (volumes) within a physical disk
StorageLogical Unit NumberlunTransientlunTextIndexNoneLogical Unit Number.This key is a very useful concept in Storage.
StoragePort World Wide NamepwwnTransientpwwnTextIndexNoneThis uniquely identifies a port on a HBA.
ThreatAlertalertTransientalertTextIndexValuesThis key is used to capture name of the alert
ThreatThreat Categorythreat_nameNonethreat.categoryTextIndexValuesThis key captures Threat Name/Threat Category/Categorization of alert
ThreatThreat Descriptionthreat_valNonethreat.descTextIndexValuesThis key is used to capture the threat description from the session directly or inferred
ThreatThreat Sourcethreat_sourceNonethreat.sourceTextIndexValuesThis key is used to capture source of the threat
TimeActual Event timeevent_timeNoneevent.timeTimeTIndexValuesThis key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
TimeEvent Time Stringevent_time_stringTransientevent.time.strTextIndexNoneThis key is used to capture the incomplete time mentioned in a session as a string
TimeDurationduration_stringTransientduration.strTextIndexNoneA text string version of the duration
TimeDuration in secondsdurationNoneduration.timeFloat64IndexNoneThis key is used to capture the normalized duration/lifetime in seconds.
TimeEvent Effective timeeffective_timeTransienteffective.timeTimeTIndexNoneThis key is the effective time referenced by an individual event in a Standard Timestamp format
TimeEvent End timeendtimeTransientendtimeTimeTIndexNoneThis key is used to capture the End time mentioned in a session in a standard form
TimeEvent Queing Timeevent_queue_timeTransientevent.queue.timeTimeTIndexNoneThis key is  the Time that the event was queued.
TimeExpiration timeexpiration_timeTransientexpire.timeTimeTIndexNoneThis key is the timestamp that explicitly refers to an expiration.
TimeExpiration time stringexpiration_time_stringTransientexpire.time.strTextIndexNoneThis key is used to capture incomplete timestamp that explicitly refers to an expiration.
TimeRecorded timerecorded_timeTransientrecorded.timeTimeTIndexNoneThe event time as recorded by the system the event is collected from.  The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes.  Must be in timestamp format.
TimeStart TimestarttimeNonestarttimeTimeTIndexValuesThis key is used to capture the Start time mentioned in a session in a standard form
TimetimezonetimezoneNonetimezoneTextIndexValuesThis key is used to capture the timezone of the Event Time
WebCountry Code Top level domaincctldTransientcctldTextIndexNoneThis key captures Country Top Level Domain extracted from a URL
WebDNS Response Textdns.resptextTransientdns.resptextTextIndexNoneThis key is used to capture the DNS response text only
WebDNS Response Typedns.responsetypeTransientdns.responsetypeTextIndexNoneThis key is used to capture the DNS Response type only
WebFully Qualified Domain NamefqdnNonefqdnTextIndexValuesFully Qualified Domain Names
WebReferrer URLweb_referer (discontinued) referer (new)NonerefererTextIndexKeysThis is used to capture the Web Referrer URL address specifically.
WebReputation Numberreputation_numTransientreputation.numFloat64IndexNoneReputation Number of an entity. Typically used for Web Domains
WebRoot URLPathweb_rootTransientweb.rootTextIndexNoneThis key captures the root URL path
WebSecond Level DomainsldTransientsldTextIndexNoneSecond Level Domains extracted from a URL
WebTop Level DomaintldTransienttldTextIndexValuesTop Level Domains extracted from a URL
WebURLurlTransienturlTextIndexNoneThis key is used for capturing complete url
WebURL Queryweb_queryNonequeryTextIndexKeysThis key is used to capture the Query portion of the URL.
WebWeb Cookieweb_cookieTransientweb.cookieTextIndexNoneThis key is used to capture the Web cookies specifically.
WebWeb pagewebpageTransientweb.pageTextIndexNoneThe captures the web page information
WebWeb referer Domainweb_ref_domainTransientweb.ref.domainTextIndexNoneWeb referer's domain
WebWeb referer queryweb_ref_queryTransientweb.ref.queryTextIndexNoneThis key captures Web referer's query portion of the URL
WebWeb referer Root  URLPathweb_ref_rootTransientweb.ref.rootTextIndexNoneWeb referer's root URL path
WebWeb Referrer pageweb_ref_pageTransientweb.ref.pageTextIndexNoneThis key captures Web referer's page information
WebWeb request Domainweb_domainTransientweb.domainTextIndexNoneThis key captures Domain name in the Web Request
WirelessAccess Point IDaccess_pointNoneaccess.pointTextIndexValuesThis key is used to capture the access point name.
WirelessSSID of a Wireless Networkssid,bssidTransientwlan.ssidTextIndexKeysThis key is used to capture the ssid of a Wireless Session
WirelessWifi Channel Namewifi_channelTransientwlan.channelUInt16IndexKeysThis is used to capture the channel names
WirelessWLAN name/numberwlanTransientwlan.nameTextIndexNoneThis key captures either WLAN number/name