RSA NetWitness® Suite Unified Data Model Available Concepts

Document created by RSA Link Team on Feb 28, 2018. Last modified by RSA Link Team on Dec 2, 2019. Version 45.
| Meta Class | Meta Concept | Log Parser Key | Log Parser Key Flag | Meta Key | Meta Type | Meta Index | Notes |
|---|---|---|---|---|---|---|---|
| Reserved | Time | time | Transient | time | TimeT | IndexValues | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse meta data from a session (logs/packets) directly; this is a reserved key in NetWitness. |
| Counters | Device class Counter 1 | dclass_counter1 | Transient | dclass.c1 | Int32 | | This is a generic counter key that should be used with the label dclass.c1.str only |
| Counters | Device class Counter 1 Description | dclass_counter1_string | Transient | dclass.c1.str | Text | | This is a generic counter string key that should be used with the label dclass.c1 only |
| Counters | Device class Counter 2 | dclass_counter2 | Transient | dclass.c2 | Int32 | | This is a generic counter key that should be used with the label dclass.c2.str only |
| Counters | Device class Counter 2 Description | dclass_counter2_string | Transient | dclass.c2.str | Text | | This is a generic counter string key that should be used with the label dclass.c2 only |
| Counters | Device class Counter 3 | dclass_counter3 | Transient | dclass.c3 | Int32 | | This is a generic counter key that should be used with the label dclass.c3.str only |
| Counters | Device class Counter 3 Description | dclass_counter3_string | Transient | dclass.c3.str | Text | | This is a generic counter string key that should be used with the label dclass.c3 only |
| Counters | Device class Ratio 1 | dclass_ratio1 | Transient | dclass.r1 | Text | | This is a generic ratio key that should be used with the label dclass.r1.str only |
| Counters | Device class Ratio 1 Description | dclass_ratio1_string | Transient | dclass.r1.str | Text | | This is a generic ratio string key that should be used with the label dclass.r1 only |
| Counters | Device class Ratio 2 | dclass_ratio2 | Transient | dclass.r2 | Text | | This is a generic ratio key that should be used with the label dclass.r2.str only |
| Counters | Device class Ratio 2 Description | dclass_ratio2_string | Transient | dclass.r2.str | Text | | This is a generic ratio string key that should be used with the label dclass.r2 only |
| Counters | Device class Ratio 3 | dclass_ratio3 | Transient | dclass.r3 | Text | | This is a generic ratio key that should be used with the label dclass.r3.str only |
| Counters | Device class Ratio 3 Description | dclass_ratio3_string | Transient | dclass.r3.str | Text | | This is a generic ratio string key that should be used with the label dclass.r3 only |
| Counters | Event Counter | event_counter | Transient | event.counter | Int32 | | This is used to capture the number of times an event repeated |
| Cryptography | Certificate Thumbprint | cert.thumbprint | None | cert.thumbprint | Text | IndexValues | This key is used to capture the certificate thumbprint only |
| Cryptography | Certificate Common Name | cert_common | None | cert.common | Text | IndexValues | This key is used to capture the certificate common name only |
| Cryptography | Certificate Error String | cert_error | Transient | cert.error | Text | | This key captures the certificate error string |
| Cryptography | Certificate host category | cert_hostname_cat | Transient | cert.host.cat | Text | | This key is used for the hostname category value of a certificate |
| Cryptography | Certificate Subject | cert_subject | None | cert.subject | Text | IndexValues | This key is used to capture the certificate organization only |
| Cryptography | Certificate serial number | cert.serial | Transient | cert.serial | Text | | This key is used to capture the certificate serial number only |
| Cryptography | Certificate Authority | cert_ca | None | cert.ca | Text | IndexValues | This key is used to capture the certificate signing authority only |
| Cryptography | Certificate status | cert_status | Transient | cert.status | Text | | This key captures the certificate validation status |
| Cryptography | Cipher Name | encryption_type | Transient | crypto | Text | IndexValues | This key is used to capture the encryption type or encryption key only |
| Cryptography | Destination (Server) Cipher | d_cipher | Transient | cipher.dst | Text | | This key is for the Destination (Server) Cipher |
| Cryptography | Destination (Server) Cipher size | d_ciphersize | Transient | cipher.size.dst | Int32 | | This key captures the Destination (Server) Cipher size |
| Cryptography | Encryption peer's identity | peer_id | Transient | peer.id | Text | | This key is for the encryption peer's identity |
| Cryptography | Encryption peer's IP Address | peer | Transient | peer | Text | | This key is for the encryption peer's IP address |
| Cryptography | Encryption scheme used | scheme | Transient | scheme | Text | | This key captures the encryption scheme used |
| Cryptography | Signature Type | sigtype | Transient | sig.type | Text | | This key captures the signature type |
| Cryptography | IKE Cookie 1 | ike_cookie1 | Transient | ike.cookie1 | Text | | ID of the negotiation, sent for ISAKMP Phase One |
| Cryptography | IKE Cookie 2 | ike_cookie2 | Transient | ike.cookie2 | Text | | ID of the negotiation, sent for ISAKMP Phase Two |
| Cryptography | IKE Negotiation Phase | ike | Transient | ike | Text | | IKE negotiation phase |
| Cryptography | Source (Client) Cipher | s_cipher | Transient | cipher.src | Text | | This key is for the Source (Client) Cipher |
| Cryptography | Source (Client) Cipher size | s_ciphersize | Transient | cipher.size.src | Int32 | | This key captures the Source (Client) Cipher size |
| Database | Database ID | db_id | Transient | db.id | Text | | This key is used to capture the unique identifier for a database |
| Database | Database instance name | instance | Transient | instance | Text | | This key is used to capture the database server instance name |
| Database | Database Name | db_name | Transient | database | Text | IndexValues | This key is used to capture the name of a database or an instance as seen in a session |
| Database | Database server Process ID | db_pid | Transient | db.pid | Int32 | | This key captures the process ID of a connection with the database server |
| Miscellaneous | Function | function | None | function | Text | IndexValues | This key is used to capture the function name for actions such as hooking. The hooking values will be in the format 'filename!functionname'. An example of a value for hooking is 'ntdll.dll!NtCreateFile'. |
| Database | Index ID | info, index | Transient | index | Text | | This key captures the IndexID of the index |
| Database | Logical Reads | lread | Transient | lread | Int32 | | This key is used for the number of logical reads |
| Database | Logical Writes | lwrite | Transient | lwrite | Int32 | | This key is used for the number of logical writes |
| Database | Permissions | permissions | Transient | permissions | Text | | This key captures the permission or privilege level assigned to a resource |
| Database | Physical Reads | pread | Transient | pread | Int32 | | This key is used for the number of physical reads |
| Database | SQL Transaction ID | trans_id | Transient | transact.id | Text | | This key captures the SQL transaction ID of the current session |
| Database | Table Name | tbl_name | Transient | table.name | Text | | This key is used to capture the table name |
| Email | E-mail Address | user_address, cc, bcc, email | None | email | Text | IndexValues | This key is used to capture a generic email address where the source or destination context is not clear |
| Email | Source E-mail Address | from | None | email.src | Text | IndexValues | This key is used to capture the source email address only; when the source context is not clear, use email |
| Email | Destination E-mail Address | to | None | email.dst | Text | IndexValues | This key is used to capture the destination email address only; when the destination context is not clear, use email |
| Email | Subject | subject | None | subject | Text | IndexKeys | This key is used to capture the subject string from an email only |
| Endpoint | Machine State | host.state | None | host.state | Text | IndexValues | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on |
| Endpoint | Registry Key | registry.key | None | registry.key | Text | IndexValues | This key captures the path to the registry key |
| Endpoint | Registry Value | registry.value | None | registry.value | Text | IndexValues | This key captures values or decorators used within a registry entry |
| File | Attachment | attachment | None | attachment | Text | IndexValues | This key captures the attachment file name |
| File | Directory | directory | None | directory | Text | IndexValues | This key is used to capture the file directory or path only |
| File | File Entropy | file_entropy | None | file.entropy | Float32 | IndexValues | This is used to capture the entropy value of a file |
| File | Extension | web_extension, extension | None | extension | Text | IndexValues | This key is used to capture the extension portion of a filename / extension of the page that was requested |
| File | File Type | filetype | Transient | filetype | Text | IndexValues | This key is used to capture the type of file only |
| File | File Category | file.cat | None | file.cat | Text | IndexValues | This key captures the type of file such as 'office application' or 'scripting engine' |
| File | File Category Source | file.cat.src | None | file.cat.src | Text | IndexValues | This key captures the type of file such as 'office application' or 'scripting engine'. This value is populated when there is a concept of source within the session |
| File | File Category Destination | file.cat.dst | None | file.cat.dst | Text | IndexValues | This key captures the type of file such as 'office application' or 'scripting engine'. This value is populated when there is a concept of destination within the session |
| File | Filename | filename | File | filename | Text | IndexValues | This key is used to capture the complete filename/webpage with extension where the directionality is not clear. This should not include the directory/path |
| File | Filename Source | filename_src | None | filename.src | Text | IndexValues | This is used to capture the name of the parent filename, the file which performed the action |
| File | Filename Destination | filename_dst | None | filename.dst | Text | IndexValues | This is used to capture the name of the file targeted by the action |
| File | File Size | filename_size | None | filename.size | Int32 | IndexKeys | This key is used to capture the size of the file only |
| File | Source File Directory | directory.src | None | directory.src | Text | IndexValues | This key is used to capture the directory of the source process or file |
| File | Target File Directory | directory.dst | None | directory.dst | Text | IndexValues | This key is used to capture the directory of the target process or file |
| Miscellaneous | Source Checksum | checksum.src | None | checksum.src | Text | IndexValues | This key is used to capture the checksum or hash of the source entity, such as a file or process |
| Miscellaneous | Target Checksum | checksum.dst | None | checksum.dst | Text | IndexValues | This key is used to capture the checksum or hash of the target entity, such as a process or file |
| File | Task Name | task_name | None | task.name | Text | IndexValues | This is used to capture the name of the task |
| File | File Vendor | file_vendor | None | file.vendor | Text | IndexValues | This is used to capture the company name of the file, as located in version_info |
| Healthcare | Patient Identifier | patient_id | Transient | patient.id | Text | | This key captures the unique ID for a patient |
| Healthcare | Patient's First Name | patient_fname | Transient | patient.fname | Text | | This key is for first names only; it is used predominantly in healthcare to capture patient information |
| Healthcare | Patient's Last Name | patient_lname | Transient | patient.lname | Text | | This key is for last names only; it is used predominantly in healthcare to capture patient information |
| Healthcare | Patient's Middle Name | patient_mname | Transient | patient.mname | Text | | This key is for middle names only; it is used predominantly in healthcare to capture patient information |
| Identity | Community ID | community.id | Transient | community.id | Text | IndexNone | Community ID is a string identifier that represents a given network flow, and may be used to reduce the pivots between disparate event sources to a simple string comparison. See https://github.com/corelight/community-id-spec for the specification. |
| Identity | Accesses | accesses | None | accesses | Text | IndexValues | This key is used to capture the actual privileges used in accessing an object |
| Identity | Authentication Method | authmethod | Transient | auth.method | Text | | This key is used to capture authentication methods used only |
| Identity | Domain OU | dn | None | dn | Text | IndexValues | X.500 (LDAP) Distinguished Name |
| Identity | Distinguished Name Source | src_dn | Transient | dn.src | Text | | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a source DN |
| Identity | Distinguished Name Destination | dst_dn | Transient | dn.dst | Text | | An X.500 (LDAP) Distinguished Name that is used in a context that indicates a destination DN |
| Identity | Domain ID | domain_id | Transient | domain.id | Text | | This key captures the pre-Windows 2000 (NetBIOS) name of the domain ONLY |
| Identity | Federated Identity Provider | federated_idp | Transient | federated.idp | Text | | This key is the federated Identity Provider. This is the server providing the authentication. |
| Identity | Federated Service Provider | federated_sp | Transient | federated.sp | Text | | This key is the federated Service Provider. This is the application requesting authentication. |
| Identity | First name of a Person | user_fname | Transient | firstname | Text | | This key is for first names only; it is used predominantly in healthcare to capture patient information |
| Identity | Full Name | patient_fullname, user_fullname | Transient | fullname | Text | | This key is for full names only; it is used predominantly in healthcare to capture patient information |
| Identity | Host Role | host_role | None | host.role | Text | IndexValues | This key should only be used to capture the role of a host machine |
| Identity | Last name of a Person | user_lname | Transient | lastname | Text | | This key is for last names only; it is used predominantly in healthcare to capture patient information |
| Identity | Ldap Generic | ldap | Transient | ldap | Text | | This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context |
| Identity | Ldap Responses | ldap.response | Transient | ldap.response | Text | | This key is to capture results from an LDAP search |
| Identity | Ldap search criteria | ldap.query | Transient | ldap.query | Text | | This key is the search criteria from an LDAP search |
| Identity | Middle name of a Person | user_mname | Transient | middlename | Text | | This key is for middle names only; it is used predominantly in healthcare to capture patient information |
| Identity | Owner | original_owner | None | owner | Text | IndexValues | This is used to capture the username the process or service is running as, or the author of the task |
| Identity | Password | password | Transient | password | Text | IndexKeys | This key is for passwords seen in any session, plain text or encrypted |
| Identity | Realm | realm | Transient | realm | Text | | RADIUS realm or similar grouping of accounts |
| Identity | User Account | user | None | user | Text | IndexValues | This key should be used when the source/destination/initiated/target of a username is not clear |
| Identity | Source User Account | c_username | None | user.src | Text | IndexValues | This key should only be used to capture the Secondary/Source User in the event |
| Identity | Destination User Account | username | None | user.dst | Text | IndexValues | This key should only be used to capture the Primary/Destination User in the event |
| Identity | User Role | user_role | Transient | user.role | Text | | This key is used to capture the role of a user only |
| Identity | User Unique ID/Logon ID | user.id | None | user.id | Text | | This key is used to capture the unique identifier for an account |
| Identity | Source User Session ID | c_sid | Transient | user.sid.src | Text | | This key captures the source user session ID |
| Identity | Destination User Session ID | sid | Transient | user.sid.dst | Text | | This key captures the destination user session ID |
| Identity | User's Department | user_dept | Transient | user.dept | Text | | User's department names only |
| Identity | Organization | user_org | Transient | org | Text | IndexValues | This key captures the user's organization |
| Identity | Service Account | service.account | None | service.account | Text | | This key is a Windows-specific key, used for capturing the name of the account a service (referenced in the event) is running under. Legacy usage |
| Identity | Logon Type | logon_type | None | logon.type | Text | IndexValues | This key is used to capture the type of logon method used |
| Identity | Description of Logon Type | logon_type_desc | None | logon.type.desc | Text | IndexValues | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type' |
| Identity | User Profile | profile | Transient | profile | Text | | This key is used to capture the user profile |
| Investigations | Behaviors of Compromise | boc | None | boc | Text | IndexValues | This is used to capture behaviours of compromise |
| Investigations | Indicators of Compromise | ioc | None | ioc | Text | IndexValues | This key captures indicators of compromise |
| Investigations | Enablers of Compromise | eoc | None | eoc | Text | IndexValues | This is used to capture enablers of compromise |
| Investigations | Event Categorization ID | event_cat, event.cat | Transient | event.cat | UInt32 | | This key captures the event category number |
| Investigations | Event Category Name | event_cat_name, event.cat.name | None | event.cat.name | Text | IndexValues | This key captures the event category name corresponding to the event.cat code |
| Investigations | Event Activity | ec_activity | None | ec.activity | Text | IndexValues | This key captures the particular event activity (e.g. Logoff) |
| Investigations | Event Outcome | ec_outcome | None | ec.outcome | Text | IndexValues | This key captures the outcome of a particular event (e.g. Success) |
| Investigations | Event Subject | ec_subject | None | ec.subject | Text | IndexValues | This key captures the subject of a particular event (e.g. User) |
| Investigations | Event Theme | ec_theme | None | ec.theme | Text | IndexValues | This key captures the theme of a particular event (e.g. Authentication) |
| Investigations | File Analysis | analysis.file | None | analysis.file | Text | IndexValues | This is used to capture all indicators used in a file analysis. This key should be used to capture an analysis of a file |
| Investigations | Service Analysis | analysis.service | None | analysis.service | Text | IndexValues | This is used to capture all indicators used in a service analysis. This key should be used to capture an analysis of a service |
| Investigations | Session Analysis | analysis.session | None | analysis.session | Text | IndexValues | This is used to capture all indicators used for a session analysis. This key should be used to capture an analysis of a session |
| Investigations | Investigation Category | inv.category | None | inv.category | Text | IndexValues | This is used to capture the investigation category |
| Investigations | Investigation Context | inv.context | None | inv.context | Text | IndexValues | This is used to capture the investigation context |
| Investigations | Vendor supplied Event Category | vendor_event_cat | Transient | event.vcat | Text | | This is a vendor-supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. |
| Miscellaneous | Action Event | web_method, action | None | action | Text | IndexValues | This key is used to capture the primary action in a session |
| Miscellaneous | Phone | calling_from, calling_to, phone_number | Transient | phone | Text | | This is used to capture the phone number or a calling station ID |
| Miscellaneous | Autorun Type | autorun_type | None | autorun.type | Text | IndexValues | This is used to capture the autorun type |
| Miscellaneous | Category | category | None | category | Text | IndexValues | This key is used to capture the category of an event given by the vendor in the session |
| Miscellaneous | Change Attribute | change_attribute | Transient | change.attrib | Text | | This key is used to capture the name of the attribute that's changing in a session |
| Miscellaneous | Change New | change_new | Transient | change.new | Text | | This key is used to capture the new value of the attribute that's changing in a session |
| Miscellaneous | Change Old | change_old | Transient | change.old | Text | | This key is used to capture the old value of the attribute that's changing in a session |
| Miscellaneous | Checksum | checksum | None | checksum | Text | IndexValues | This key is used to capture the checksum or hash of an entity such as a file or process. checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. |
| Miscellaneous | Client Application | agent | None | client | Text | IndexValues | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. |
| Miscellaneous | Comments | comments | Transient | comments | Text | | Comment information provided in the log message |
| Miscellaneous | Connection ID | connectionid | Transient | connection.id | Text | | This key captures the connection ID |
| Miscellaneous | Content Type | content | Transient | content | Text | IndexValues | This key captures the content type from protocol headers |
| Miscellaneous | Content Type | content_type | Transient | content.type | Text | | This key is used to capture the content type only |
| Miscellaneous | Content Version | content_version | Transient | content.version | Text | | This key captures the version level of a signature or database content |
| Miscellaneous | Context | context | None | context | Text | IndexValues | This key captures information which adds additional context to the event |
| Miscellaneous | Context Subject | s_context | Transient | context.subject | Text | | This key is to be used in an audit context where the subject is the object being identified |
| Miscellaneous | Context Destination | context.dst | None | context.dst | Text | IndexValues | This key is to be used in an audit context where the target is the object being identified |
| Miscellaneous | Context Source | context.src | None | context.src | Text | IndexValues | This key is to be used in an audit context where the source is the object being identified |
| Miscellaneous | CPU Time | cpu | Transient | cpu | UInt32 | | This key is the CPU time used in the execution of the event being recorded |
| Miscellaneous | Credit Card Number | cc.number | Transient | cc.number | Int32 | | Valid credit card numbers only |
| Miscellaneous | CVE | cve | Transient | cve | Text | | This key captures a CVE (Common Vulnerabilities and Exposures) identifier for a known information security vulnerability |
| Miscellaneous | Destination SPI Index | dst_spi | Transient | spi.dst | Text | | Destination SPI index |
| Miscellaneous | Device Name | device | Transient | device.name | Text | IndexValues | This is used to capture the name of the device associated with the node, such as a physical disk, printer, etc. |
| Miscellaneous | Disposition | disposition | None | disposition | Text | IndexNone | This key captures the end state of an action |
| Miscellaneous | DNS Query Type | dns_querytype | Transient | dns.querytype | Text | | This key is used to capture the DNS query type only |
| Miscellaneous | Document/File number | doc_number | Transient | doc.number | Int32 | | This key captures the file identification number |
| Miscellaneous | Employer identification number | ein.number | Transient | ein.number | Int32 | | Employer Identification Numbers only |
| Miscellaneous | Errors | error | Transient | error | Text | IndexValues | This key captures all non-successful error codes or responses |
| Miscellaneous | Event Description | detail, event_description | None | event.desc | Text | IndexValues | This key is used to capture a description of an event, available directly or inferred |
| Miscellaneous | Event Hostname | event_computer | None | event.computer | Text | IndexValues | This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log |
| Miscellaneous | Reference ID | id | None | reference.id | Text | IndexValues | This key is used to capture an event ID from the session directly |
| Miscellaneous | Event Log Name | event_log | Transient | event.log | Text | | This key captures the name of the event log |
| Miscellaneous | Event Session ID | sessionid | Transient | log.session.id | Text | | This key is used to capture a session ID from the session directly |
| Miscellaneous | Linked (Related) Session ID | sessionid1 | Transient | log.session.id1 | Text | | This key is used to capture a linked (related) session ID from the session directly |
| Miscellaneous | Event Source | event_source | None | event.source | Text | IndexValues | This key captures the source of the event when it is not a hostname |
| Miscellaneous | Event State | event_state | None | event.state | Text | IndexValues | This key captures the current state of the object/item referenced within the event, describing an ongoing event |
| Miscellaneous | Event Type | event_type | None | event.type | Text | IndexValues | This key captures the event category type as specified by the event source |
| Miscellaneous | Event User | event_user | None | event.user | Text | | This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log |
| Miscellaneous | Expected Value | expected_val | Transient | expected.val | Text | | This key captures the value expected (from the perspective of the device generating the log) |
| Miscellaneous | Filter Category Number | fcatnum | Transient | fcatnum | Text | | This key captures the filter category number. Legacy usage |
| Miscellaneous | Filter | filter | None | filter | Text | IndexValues | This key captures the filter used to reduce the result set |
| Miscellaneous | Filter Result | fresult | Transient | fresult | Int32 | | This key captures the filter result |
| Miscellaneous | Found Search | found | Transient | found | Text | IndexValues | This is used to capture the results of a regex match |
| Miscellaneous | Group ID | groupid | Transient | group.id | Text | | This key captures the group ID number (related to the group name) |
| Miscellaneous | Group Name | group | None | group | Text | | This key captures the group name value |
| Miscellaneous | Group Object | group_object | Transient | group.object | Text | | This key captures a collection/grouping of entities. Specific usage |
| Miscellaneous | Hardware/Serial ID | hardware_id | Transient | hardware.id | Text | | This key is used to capture the unique identifier for a device or system (NOT a MAC address) |
| Miscellaneous | Job Number | jobnum | Transient | job.num | Text | | This key captures the job number |
| Miscellaneous | Languages | language | Transient | language | Text | IndexValues | This is used to capture the list of languages the client supports and which it prefers |
| Miscellaneous | LifeTime | lifetime | Transient | lifetime | UInt16 | | This key is used to capture the session lifetime in seconds |
| Miscellaneous | Link to Data | link | Transient | link | Text | IndexKeys | This key is used to link sessions together. This key should never be used to parse meta data from a session (logs/packets) directly; this is a reserved key in NetWitness |
| Miscellaneous | Linked Signature ID | sigid1 | Transient | sig.id1 | Int32 | | This key captures the IDS/IPS integer signature ID. This must be linked to sig.id |
| Miscellaneous | Message | message | Transient | message | Text | | This key captures the contents of instant messages |
| Miscellaneous | Message Body | message_body | Transient | message.body | Text | | This key captures the contents of the message body |
| Miscellaneous | Name of the Terminal | terminal | Transient | terminal | Text | | This key captures terminal names only |
| Miscellaneous | Node | node | Transient | node | Text | | The common use case is the node name within a cluster. The cluster name is reflected by the host name. |
| Miscellaneous | Object Name | obj_name | None | obj.name | Text | IndexValues | This is used to capture the name of an object |
| Miscellaneous | Object Type | obj_type | None | obj.type | Text | IndexValues | This is used to capture the type of an object |
| Miscellaneous | Observed Value | observed_val | Transient | observed.val | Text | | This key captures the value observed (from the perspective of the device generating the log) |
| Miscellaneous | Operation Number | operation_id | Transient | operation.id | Text | | An alert number or operation number. The values should be unique and non-repeating. |
| Miscellaneous | Operating System | os | None | OS | Text | IndexValues | This key captures the name of the operating system |
| Miscellaneous | Packets Total | packets | None | packets | UInt32 | | This key is the total number of packets sent/received in a session. It can also be used in cases where the sent or received context is not clear. |
| Miscellaneous | Parent Node Name | parent_node | Transient | parent.node | Text | | This key captures the parent node name. Must be related to the node variable. |
| Miscellaneous | Policy Contents | policy_value | Transient | policy.value | Text | | This key captures the contents of the policy. This contains details about the policy |
| Miscellaneous | Policy ID | policy_id | Transient | policy.id | Text | | This key is used to capture the policy ID only; this should be a numeric value, use policy.name otherwise |
| Miscellaneous | Policy Name | policyname, signame | None | policy.name | Text | IndexValues | This key is used to capture the policy name only |
| Miscellaneous | Pool ID | pool_id | Transient | pool.id | Text | | This key captures the identifier (typically a numeric field) of a resource pool |
| Miscellaneous | Pool Name | pool_name | Transient | pool.name | Text | | This key captures the name of a resource pool |
| Miscellaneous | Port (Physical/Logical) | portname | Transient | port.name | Text | | This key is used for a physical or logical port connection but does NOT include a network port (example: printer port name) |
| Miscellaneous | Process | child_process, process | None | process | Text | IndexValues | This key is used to capture the process name; in the case of a parent/child relationship, this can be used for the child process name context |
| Miscellaneous | Source Process Name | parent_process, process_src | Transient | process.src | Text | | This key is used to capture the source process name; in the case of a parent/child relationship, this can be used for the parent process name context |
| Miscellaneous | Process ID | process_id | Transient | process.id | Int64 | | This key is used to capture the process ID; in the case of a parent/child relationship, this can be used for the child process ID context |
| Miscellaneous | Source Process ID | process_id_src | Transient | process.id.src | Int64 | | This key is used to capture the source process ID; in the case of a parent/child relationship, this can be used for the parent process ID context |
| Miscellaneous | Process ID Value | process_id_val | Transient | process.id.val | Text | | This key is a failure key for process ID when it is not an integer value |
| Miscellaneous | Parameter | param | None | param | Text | IndexValues | This key is the parameters passed as part of a command or application, etc. |
| Miscellaneous | Source Parameter | param.src | None | param.src | Text | IndexValues | This key captures the source parameter |
| Miscellaneous | Target Parameter | param.dst | None | param.dst | Text | IndexValues | This key captures the command line/launch argument of the target process or file |
| Miscellaneous | Product Name | product | Transient | product | Text | | This key is used to capture the name of the product |
| Miscellaneous | Reference Id1 | id1 | None | reference.id1 | Text | IndexNone | This key is for a linked ID to be used as an addition to "reference.id" |
| Miscellaneous | Reference Id2 | id2 | None | reference.id2 | Text | IndexNone | This key is for the 2nd linked ID. It can be linked to either the "reference.id" or the "reference.id1" value, but should not be used unless the other two variables are in play. |
| Miscellaneous | Match Search Item | match | Transient | match | Text | IndexKeys | This key is for the regex match name from search.ini |
| Miscellaneous | Result | result | None | result | Text | IndexValues | This key is used to capture the outcome/result string value of an action in a session |
| Miscellaneous | Result Code | resultcode | None | result.code | Text | IndexValues | This key is used to capture the outcome/result numeric value of an action in a session |
| Miscellaneous | Risk | risk | None | risk | Text | IndexValues | This key captures the non-numeric risk value |
| Miscellaneous | Risk Number | risk_num | None | risk.num | Float64 | | This key captures a numeric risk value |
| Miscellaneous | Risk Number Community | risk_num_comm | None | risk.num.comm | Float32 | | This key captures the Community risk number |
| Miscellaneous | Risk Number NextGen | risk_num_next | None | risk.num.next | Float32 | | This key captures the NextGen risk number |
| Miscellaneous | Risk Number SandBox | risk_num_sand | None | risk.num.sand | Float32 | | This key captures the SandBox risk number |
| Miscellaneous | Risk Number Static | risk_num_static | None | risk.num.static | Float32 | | This key captures the Static risk number |
| Miscellaneous | Rule Group | rule_group | Transient | rule.group | Text | | This key captures the rule group name |
| Miscellaneous | Rule Name | rulename | Transient | rule.name | Text | | This key captures the rule name |
| Miscellaneous | Rule Number | rule | Transient | rule | Text | | This key captures the rule number |
| Miscellaneous | Rule Template | rule_template | Transient | rule.template | Text | | A default set of parameters which are overlaid onto a rule (or rulename), which effectively constitutes a template |
| Miscellaneous | Rule Unique ID | rule_uid | Transient | rule.uid | Text | | This key is the unique identifier for a rule |
| Miscellaneous | Search Engine Queries | search.text | Transient | search.text | Text | IndexKeys | This key captures the search text used |
| Miscellaneous | Sensor Name | sensor | Transient | sensor | Text | | This key captures the name of the sensor. Typically used in IDS/IPS-based devices |
| Miscellaneous | Serial Number | serial_number | Transient | serial.number | Text | | This key is the serial number associated with a physical asset |
| Miscellaneous | Server Application | application | Transient | server | Text | IndexValues | This key is used to capture the name of the server application only |
| Miscellaneous | Severity | severity | Transient | severity | Text | | This key is used to capture the severity given to the session |
| Miscellaneous | Signature ID | sigid | None | sig.id | Int32 | | This key captures the IDS/IPS integer signature ID |
| Miscellaneous | Signature String | sigid_string | Transient | sig.id.str | Text | | This key captures a string object of the sigid variable |
| Miscellaneous | Signature Name | sig.name | None | sig.name | Text | | This key is used to capture the signature name only |
| Miscellaneous | SNMP OID | snmp.oid | Transient | snmp.oid | Text | | SNMP object identifier |
| Miscellaneous | SNMP Value | snmp.value | Transient | snmp.value | Text | | SNMP set request value |
| Miscellaneous | Source SPI Index | src_spi | Transient | spi.src | Text | | Source SPI index |
| Miscellaneous | SQL Query | sql | Transient | sql | Text | IndexKeys | This key captures the SQL query |
| Miscellaneous | Stream Info | streams | Transient | streams | UInt8 | | This key captures the number of streams in a session |
| Miscellaneous | Sub component Version | component_version | Transient | comp.version | Text | | This key captures the version level of a sub-component of a product |
| Miscellaneous | Library | library | Transient | library | Text | | This key is used to capture library information in mainframe devices |
| Miscellaneous | Listnum | listnum | Transient | listnum | Text | | This key is used to capture the list name or list number, primarily for collecting access-list |
| Miscellaneous | TCP Flags | tcp_flags | None | tcp.flags | UInt8 | | This key captures the TCP flags set in any packet of a session |
| Miscellaneous | TCP Flags Description | tcp.flags.desc | None | tcp.flags.desc | Text | IndexValues | This key captures the textual representation, such as SYN or ACK, of the TCP flags set in any packet of a session |
| Miscellaneous | Trigger Description | trigger_desc | Transient | trigger.desc | Text | | This key captures the description of the trigger or threshold condition |
| Miscellaneous | Trigger Value | trigger_val | Transient | trigger.val | Text | | This key captures the value of the trigger or threshold condition |
| Miscellaneous | Type Of Service | tos | Transient | tos | Int32 | | This key describes the type of service |
| Miscellaneous | Agent Id | agent.id | None | agent.id | Text | IndexValues | This key is used to capture the agent ID |
| Miscellaneous | User Agent | user_agent | None | user.agent | Text | IndexValues | This key captures the user agent identifier or the browser identification string. See the client meta key for the client application making the request. |
| Miscellaneous | Versions | version | None | version | Text | IndexValues | This key captures the version of the application or OS which is generating the event |
| Miscellaneous | Virtual system name | vsys | Transient | vsys | Text | | This key captures the virtual system name |
| Miscellaneous | Virus Name | virusname | None | virusname | Text | IndexValues | This key captures the name of the virus |
| Miscellaneous | VMWARE Target | vm_target | Transient | vm.target | Text | | VMware target. VMWARE-only variable. |
| Miscellaneous | Vulnerability Reference | | | | | | |
vuln_ref
Transientvuln.refTextThis key captures the Vulnerability Reference details
MiscellaneousWorkspace Description
workspace_desc
TransientworkspaceTextThis key captures Workspace Description
MiscellaneousPayload Source
src_payload
Transientpayload.srcTextThis key is used to capture source payload
MiscellaneousPayload Destination
dst_payload
Transientpayload.dstTextThis key is used to capture destination payload
MiscellaneousMailbox ID/Name
mail_id
Transientmail.idTextThis key is used to capture the mailbox id/name
NetworkBytes Received
rbytes
TransientrbytesUInt64IndexKeysThis key should only be used to capture the size of Bytes Received
NetworkBytes Sent
sbytes
Nonebytes.srcUInt64IndexKeysThis key should only be used to capture the size of Bytes Sent
NetworkBytes Total
bytes
NonebytesUInt64This key is the total number of Bytes sent/received in a session. Also, in cases where the Sent or Received context is not clear, this can be used.
NetworkTraffic Flow Direction
direction
NonedirectionTextIndexValuesThis Key should never be used in a parser, this is a reserved key used by the product to calculate the direction.
NetworkSource Domain
domain.src
Nonedomain.srcTextIndexValuesThis key should only be used to capture Source Domain Only.
NetworkDestination Domain
domain.dst
Nonedomain.dstTextIndexValuesThis key should only be used to capture Destination Domain Only.
NetworkDomain
domainname
domain
NonedomainTextIndexValuesThis key should only be used to capture a Network Domain when the directionality is not clear. Use web.domain/tld/cctld/sld for Web based Domains
NetworkEthernet Protocol
eth_type
Noneeth.typeUInt16IndexValuesThis key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
NetworkGateway
gateway
TransientgatewayTextThis key is used to capture the IP Address of the gateway
NetworkHostname Aliases
hostname
devicehostname
hostid
r_hostid
workstation
web_host
web_ref_host
alias.host
Nonealias.hostTextIndexValuesThis key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
NetworkSource Hostname
shost
Nonehost.srcTextIndexValuesThis key should only be used when it’s a Source Hostname.
NetworkDestination Hostname
dhost
Nonehost.dstTextIndexValuesThis key should only be used when it’s a Destination Hostname
NetworkHostname Originating
host.orig
Nonehost.origTextIndexValuesThis is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
NetworkICMP Code
icmpcode
Transienticmp.codeUInt32This key is used to capture the ICMP code only
NetworkICMP Type
icmptype
Transienticmp.typeUInt32This key is used to capture the ICMP type only
NetworkSource Interface
sinterface
TransientsinterfaceTextIndexValuesThis key should only be used when it’s a Source Interface
NetworkInterface Destination
dinterface
TransientdinterfaceTextThis key should only be used when it’s a Destination Interface
NetworkInterface Generic
interface
TransientinterfaceTextThis key should be used when the source or destination context of an interface is not clear
NetworkSource IP Address
saddr
Noneip.srcIPv4IndexValuesThis key should only be used when it’s a Source IP Address.
NetworkDestination IP address
daddr
Noneip.dstIPv4IndexValuesThis key should only be used when it’s a Destination IP Address.
NetworkIP Aliases
devicehostip
alias.ip
Nonealias.ipIPv4IndexValuesThis key should be used when the source/destination/local/remote context of an IPv4 address is not clear
NetworkIP Address v4 Translated Source
ip.trans.src
Noneip.trans.srcIPv4This key should only be used when it’s a Source Translated IP Address
NetworkIP Address v4 Translated Destination
ip.trans.dst
Noneip.trans.dstIPv4This key should only be used when it’s a Destination Translated IP Address
NetworkIP Address Originating
ip.orig
Noneip.origIPv4IndexValuesThis is used to capture the original systems IPv4 address in case of a Forwarding Agent or a Proxy in between.
NetworkSource IPv6 Address
saddr_v6
Noneipv6.srcIPv6IndexValuesThis key should only be used when it’s a Source IP v6 Address
NetworkDestination IPv6 address
daddr_v6
Noneipv6.dstIPv6IndexValuesThis key should only be used when it’s a Destination IP v6 Address.
NetworkIPv6 Aliases
alias.ipv6
Nonealias.ipv6IPv6IndexValuesThis key should be used when the source or destination context of an IPv6 address is not clear
NetworkIP Address v6 Originating
ipv6.orig
Noneipv6.origIPv6IndexValuesThis is used to capture the original systems IPv6 address in case of a Forwarding Agent or a Proxy in between.
NetworkEthernet Source
smacaddr
Noneeth.srcMACIndexValuesThis key should only be used when it’s a Source Mac Address.
NetworkEthernet Destination
dmacaddr
Noneeth.dstMACIndexValuesThis key should only be used when it’s a Destination Mac Address
NetworkMAC Address Generic
devicehostmac
alias.mac
Nonealias.macMACThis key should be used when the source or destination context of a Mac Address is not clear
NetworkNetwork mask Source
smask
TransientsmaskTextThis key is used for capturing source Network Mask
NetworkNetwork mask Destination
dmask
TransientdmaskTextThis key is used for Destionation Device network mask
NetworkNetwork mask Generic
mask
TransientmaskTextThis key is used to capture the device network IPmask.
NetworkNetwork Name
netname
TransientnetnameTextIndexValuesThis key is used to capture the network name associated with an IP range. This is configured by the end user.
NetworkPayload bytes in retransmitted packets
rpayload
TransientrpayloadTextThis key is used to capture the total number of payload bytes seen in the retransmitted packets.
NetworkNon-Protocol Specific Source Port
port.src
Noneport.srcUInt16IndexValuesThis key should only be used when it’s a Source Port.
NetworkNon-Protocol Specific Destination Port
port.dst
Noneport.dstUInt16IndexValuesThis key should only be used when it’s a Destination Port.
NetworkPort Generic
port
NoneportUInt16This key should only be used to capture a Network Port when the directionality is not clear
NetworkPort Translated Source
port.trans.src
Noneport.trans.srcUInt16This key should only be used when it’s a Source Translated Port Number
NetworkPort Translated Destination
port.trans.dst
Noneport.trans.dstUInt16This key should only be used when it’s a Destination Translated Port Number
NetworkIP Protocol
ip_proto
Noneip.protoUInt8IndexValuesThis key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
NetworkProtocol
protocol
TransientprotocolTextThis key should be used to capture the protocol name
NetworkProtocol Detail
protocol_detail
Transientprotocol.detailTextThis key should be used to capture additional protocol information
NetworkService TypeserviceUInt32IndexValuesThis is used to capture layer 7 protocols
NetworkService Name
service
service.name
Noneservice.nameTextIndexValuesThis is used to capture descriptive service name, typically seen in Windows
NetworkNetwork Service Name
network_service
Transientnetwork.serviceTextThis is used to capture layer 7 protocols/service names
NetworkTCP Source Port
tcp.srcport
Transienttcp.srcportUInt16IndexValues

Deprecated, use port.src.

This key captures source port for tcp protocol.

NetworkTCP Destination Port
tcp.dstport
Transienttcp.dstportUInt16IndexValues

Deprecated, use port.dst.

This key captures destination port for tcp protocol.

NetworkUDP Source Port
udp.srcport
Transientudp.srcportUInt16IndexValues

Deprecated, use port.src.

This key captures source port for udp protocol.

NetworkUDP Target Port
udp.dstport
Transientudp.dstportUInt16IndexValues

Deprecated, use port.dst.

This key captures destination port for udp protocol.

NetworkVlan Name
vlan.name
Transientvlan.nameTextThis key should only be used to capture the name of the Virtual LAN
NetworkVlan Number
vlan
TransientvlanUInt16This key should only be used to capture the ID of the Virtual LAN
NetworkZone Source
src_zone
Transientzone.srcTextThis key should only be used when it’s a Source Zone.
NetworkZone Destination
dst_zone
Transientzone.dstTextThis key should only be used when it’s a Destination Zone.
NetworkZone Generic
zone
TransientzoneTextThis key should be used when the source or destination context of a Zone is not clear
PhysicalSource City
city.src
Transientcity.srcTextIndexValuesThis is used to capture the source City location based on the GEOPIP Maxmind database.
PhysicalDestination City
city.dst
Transientcity.dstTextIndexValuesThis is used to capture the destination City location based on the GEOPIP Maxmind database.
PhysicalSource Latitude
latdec_src
Nonelatdec.srcFloat32IndexNoneThis is used to capture the source Latitude based on the GEOPIP Maxmind database.
PhysicalDestination Latitude
latdec_dst
Nonelatdec.dstFloat32IndexNoneThis is used to capture the destination Latitude based on the GEOPIP Maxmind database.
PhysicalSource Longitude
longdec_src
Nonelongdec.srcFloat32IndexNoneThis is used to capture the source Longitude based on the GEOPIP Maxmind database.
PhysicalDestination Longitude
longdec_dst
Nonelongdec.dstFloat32IndexNoneThis is used to capture the destination Longitude based on the GEOPIP Maxmind database.
PhysicalSource Organization
org.src
Noneorg.srcTextIndexValuesThis is used to capture the source organization based on the GEOPIP Maxmind database.
PhysicalDestination Organization
org_dst
org.dst
Noneorg.dstTextIndexValuesThis is used to capture the destination organization based on the GEOPIP Maxmind database.
PhysicalCity name
location_city
Transientloc.cityTextThis is used to capture the CIty Name when the Source/Destination Context is not clear, as seen in a session. There is a separate key for GeoIP based City
PhysicalCountry name
location_country
Transientloc.countryTextThis is used to capture the Country Name when the Source/Destination Context is not clear, as seen in a session.
PhysicalSource Country
location_src
Nonecountry.srcTextIndexValuesThis is used to capture Source Country
PhysicalDestination Country
location_dst
Nonecountry.dstTextIndexValuesThis is used to capture Destination Country
PhysicalLocation
location_desc
Transientloc.descTextThis is used to capture either the complete address or a description about a location being referenced in a session
PhysicalState or province name
location_state
Transientloc.stateTextThis is used to capture the State Name as seen in a session.
ReservedConcentrator Source
cid
TransientcidTextIndexValuesThis is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDecoder Source
did
TransientdidTextIndexValuesThis is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEntropy Request
entropy.req
Transiententropy.reqUInt16This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
ReservedEntropy Response
entropy.res
Transiententropy.resUInt16This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
ReservedEvent Source Group
device.group
Nonedevice.groupTextIndexValuesThis key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDevice Class
device.class
Nonedevice.classTextIndexValuesThis is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDevice Discovery Scoredevice.discUInt8
ReservedDevice Discovery Typedevice.disc.typeText
ReservedDevice Host
device.host
Nonedevice.hostTextIndexValuesThis is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDevice IP
device.ip
Nonedevice.ipIPv4IndexValuesThis is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDevice IPv6
device.ipv6
Nonedevice.ipv6IPv6IndexValuesThis is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedDevice Type
device.type
Nonedevice.typeTextIndexValuesThis is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Category
feed.category
Transientfeed.categoryTextIndexKeysThis is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Description
feed_desc
Nonefeed.descTextIndexKeysThis is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedFeed Name
feed_name
Nonefeed.nameTextIndexKeysThis is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedHeader ID
header.id
Noneheader.idTextThis is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedEvent Relay IPv4 Address
forward.ip
Noneforward.ipIPv4IndexValuesThis key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
ReservedEvent Relay IPv6 Address
forward.ipv6
Noneforward.ipv6IPv6IndexValuesThis key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedCollector ID
lc.cid
Nonelc.cidTextIndexValuesThis is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedLog Collector Time
lc.ctime
Nonelc.ctimeTimeTThis is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMedium
medium
TransientmediumUInt8IndexValuesThis key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, &lt; 32 is packet session
ReservedMessage ID1
vid
Transientmsg.vidTextThis is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMessage ID
msg_id
Nonemsg.idTextIndexValuesThis is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMost Common Byte Count Request
mcbc.req
Transientmcbc.reqUInt32This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
ReservedMost Common Byte Count Response
mcbc.res
Transientmcbc.resUInt32This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
ReservedMost Common Byte Request
mcb.req
Transientmcb.reqUInt8This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
ReservedMost Common Byte Response
mcb.res
Transientmcb.resUInt8This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
ReservedNWE Callback Id
nwe.callback_id
Nonenwe.callback_idTextIndexKeysThis key denotes that event is endpoint related
ReservedParse Error
parse.error
Noneparse.errorTextIndexValuesThis is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedPayload Request
payload.req
Transientpayload.reqUInt16This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
ReservedPayload Response
payload.res
Transientpayload.resUInt16This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
ReservedPayload Size
payload
TransientpayloadUInt32This is the size of a payload in a Packet Session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedMessage
msg
TransientmsgTextIndexNoneThis key is used to capture the raw message that comes into the Log Decoder
ReservedRemote Session ID
rid
TransientridUInt64IndexKeysThis is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSession IDsessionidUInt64This is a special ID of the session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSession Size
size
TransientsizeUInt32This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSource Filename
sourcefile
TransientsourcefileTextIndexValuesThis is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedSplit Sessions
session.split
Transientsession.splitTextThis key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
ReservedUnique Byte Count Request
ubc.req
Transientubc.reqUInt32This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
ReservedUnique Byte Count Response
ubc.res
Transientubc.resUInt32This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
ReservedEndpoint Source Process ID
process.vid.src
Noneprocess.vid.srcTextIndexValuesEndpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
ReservedEndpoint Target Process ID
process.vid.dst
Noneprocess.vid.dstTextIndexValuesEndpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
ReservedText Token
word
TransientwordTextIndexValuesThis is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
StorageDisk Volume
disk_volume
Transientdisk.volumeTextA unique name assigned to logical units (volumes) within a physical disk
StorageLogical Unit Number
lun
TransientlunTextLogical Unit Number.This key is a very useful concept in Storage.
StoragePort World Wide Name
pwwn
TransientpwwnTextThis uniquely identifies a port on a HBA.
ThreatAlerts
alert
TransientalertTextIndexValuesThis key is used to capture name of the alert
ThreatThreat Category
threat_name
Nonethreat.categoryTextIndexValuesThis key captures Threat Name/Threat Category/Categorization of alert
ThreatThreat Description
threat_val
Nonethreat.descTextIndexValuesThis key is used to capture the threat description from the session directly or inferred
ThreatThreat Source
threat_source
Nonethreat.sourceTextIndexValuesThis key is used to capture source of the threat
TimeEvent Time
event_time
Noneevent.timeTimeTIndexValuesThis key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
TimeEvent Time String
event_time_string
Transientevent.time.strTextThis key is used to capture the incomplete time mentioned in a session as a string
TimeDuration
duration_string
Transientduration.strTextA text string version of the duration
TimeDuration in seconds
duration
Noneduration.timeFloat64This key is used to capture the normalized duration/lifetime in seconds.
TimeEvent Effective time
effective_time
Transienteffective.timeTimeTThis key is the effective time referenced by an individual event in a Standard Timestamp format
TimeEvent End time
endtime
TransientendtimeTimeTThis key is used to capture the End time mentioned in a session in a standard form
TimeEvent Queing Time
event_queue_time
Transientevent.queue.timeTimeTThis key is the Time that the event was queued.
TimeExpiration time
expiration_time
Transientexpire.timeTimeTThis key is the timestamp that explicitly refers to an expiration.
TimeExpiration time string
expiration_time_string
Transientexpire.time.strTextThis key is used to capture incomplete timestamp that explicitly refers to an expiration.
TimeRecorded time
recorded_time
Transientrecorded.timeTimeTThe event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
TimeTime Start
starttime
NonestarttimeTimeTIndexValuesThis key is used to capture the Start time mentioned in a session in a standard form
TimeTime Zone
timezone
NonetimezoneTextIndexValuesThis key is used to capture the timezone of the Event Time
WebCountry Code Top level domain
cctld
TransientcctldTextThis key captures Country Top Level Domain extracted from a URL
WebDNS Response Text
dns.resptext
Transientdns.resptextTextThis key is used to capture the DNS response text only
WebDNS Response Type
dns.responsetype
Transientdns.responsetypeTextThis key is used to capture the DNS Response type only
WebFQDN
fqdn
NonefqdnTextIndexValuesFully Qualified Domain Names
WebReferer
web_referer
referer
NonerefererTextIndexKeysThis is used to capture the Web Referrer URL address specifically.
WebReputation Number
reputation_num
Transientreputation.numFloat64Reputation Number of an entity. Typically used for Web Domains
WebRoot URLPath
web_root
Transientweb.rootTextThis key captures the root URL path
WebSecond Level Domain
sld
TransientsldTextSecond Level Domains extracted from a URL
WebTop Level Domains
tld
TransienttldTextIndexValuesTop Level Domains extracted from a URL
WebURL
url
TransienturlTextThis key is used for capturing complete url
WebQuerystring
query
web_query
NonequeryTextIndexKeysThis key is used to capture the Query portion of the URL.
WebWeb Cookie
web_cookie
Transientweb.cookieTextThis key is used to capture the Web cookies specifically.
WebWeb page
webpage
Transientweb.pageTextThe captures the web page information
WebWeb referer Domain
web_ref_domain
Transientweb.ref.domainTextWeb referer's domain
WebWeb referer query
web_ref_query
Transientweb.ref.queryTextThis key captures Web referer's query portion of the URL
WebWeb referer Root URLPath
web_ref_root
Transientweb.ref.rootTextWeb referer's root URL path
WebWeb Referrer page
web_ref_page
Transientweb.ref.pageTextThis key captures Web referer's page information
WebWeb request Domain
web_domain
Transientweb.domainTextThis key captures Domain name in the Web Request
WirelessAccess Point
access_point
Noneaccess.pointTextIndexValuesThis key is used to capture the access point name.
WirelessWLAN Service Set Identifier
ssid
bssid
Transientwlan.ssidTextIndexKeysThis key is used to capture the ssid of a Wireless Session
WirelessWLAN frequency channel
wifi_channel
Transientwlan.channelUInt16IndexKeysThis is used to capture the channel names
WirelessWLAN name/number
wlan
Transientwlan.nameTextThis key captures either WLAN number/name
Active Directory Workstation Destination
ad_computer_dst
Nonead.computer.dstTextIndexValuesDeprecated, use host.dst
Active Directory Workstation Sourcead.computer.srcTextIndexValuesDeprecated, use host.src
Active Directory Domain Destinationad.domain.dstTextIndexValuesDeprecated, use domain.dst
Active Directory Domain Sourcead.domain.srcTextIndexValuesDeprecated, use domain.src
Active Directory Username Destinationad.username.dstTextIndexValuesDeprecated, use user.dst
Active Directory Username Sourcead.username.srcTextIndexValuesDeprecated, use domain.src
Alert ID
alert_id
Nonealert.idTextIndexValuesDeprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
Child Pid
child_pid
Transientchild.pidInt32Deprecated, use process.id
Child Pid Value
child_pid_val
Transientchild.pid.valTextDeprecated, use process.id.val
Destination Domain
ddomain
TransientddomainTextDeprecated, use domain.dst
Translated Destination Address
dtransaddr
TransientdtransaddrTextDeprecated, use ip.trans.dst
Translated Destination Port
dtransport
TransientdtransportUInt16IndexValuesDeprecated, use port.trans.dst. NOTE: There is a type discrepancy as currently used, TM: Text, INDEX: UInt16
Ethernet Host Address
macaddr
Noneeth.hostMACDeprecated, use alias.mac
Event Classificationevent.classTextIndexValuesDeprecated
IP Address
hostip
Noneip.addrIPv4IndexValuesDeprecated, use alias.ip
Destination Port
dport
Noneip.dstportUInt16IndexValuesDeprecated, use port.dst
IP Source Port
sport
Transientip.srcportUInt16Deprecated, use port.src
IPv6 Address
hostip_v6
Transientipv6.addrIPv6Deprecated, use alias.ipv6
IP V6 Protocolipv6.protoUInt8IndexValuesDeprecated, use ip.proto
Network Port
network_port
Nonenetwork.portUInt64IndexValuesDeprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)
Originating IP Address
orig_ip
Noneorig_ipTextIndexValuesDeprecated, use ip.orig, ipv6.orig or host.orig based on value type
Device Address
paddr
NonepaddrIPv4IndexValuesDeprecated
Parent Pid
parent_pid
Transientparent.pidInt32Deprecated, use process.id.src
Privilege
privilege
TransientprivilegeTextDeprecated, use permissions
Process Time
processing_time
Transientprocess.timeTextDeprecated, use duration.time
Risk: Informational
risk_info
Nonerisk.infoTextIndexValuesDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
Risk: Suspicious
risk_suspicious
Nonerisk.suspiciousTextIndexValuesDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
Risk: Warning
risk_warning
Nonerisk.warningTextIndexValuesDeprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
Source Domain
c_domain
sdomain
TransientsdomainTextDeprecated, use domain.src
Site Categorysite.catTextIndexValuesDeprecated, use category
SSL CAssl.caTextIndexKeysDeprecated, use cert.ca
SSL Checksumssl.checksumTextDeprecated, use checksum
SSL Common Namessl.commonTextDeprecated, use cert.common
SSL Subjectssl.subjectTextIndexKeysDeprecated, use cert.subject
SSL Destination Version
d_sslver
Transientssl.ver.dstTextDeprecated, use version
SSL Source Version
s_sslver
Transientssl.ver.srcTextDeprecated, use version
Translated Source Address
stransaddr
TransientstransaddrTextDeprecated, use ip.trans.src
Translated Source Port
stransport
TransientstransportUInt16IndexValuesDeprecated, use port.trans.src. NOTE: There is a type discrepancy as currently used, TM: Text, INDEX: UInt16
User Account
administrator
logon_id
owner
service_account
uid
NoneusernameTextIndexValuesDeprecated, use user
audit_class
Transientaudit.classTextDeprecated key defined only in table map.
binary
TransientbinaryTextDeprecated key defined only in table map.
cert_hostname
Transientcert.host.nameTextDeprecated key defined only in table map.
data
TransientdataTextDeprecated key defined only in table map.
dead
TransientdeadInt32Deprecated key defined only in table map.
device.type.id
Transientdevice.type.idInt32Deprecated key defined only in table map.
entry
TransiententryTextDeprecated key defined only in table map.
event_name
Noneevent.nameTextDeprecated key defined only in table map.
h_code
TransienthcodeTextDeprecated key defined only in table map.
inode
TransientinodeInt64Deprecated key defined only in table map.
level
NonelevelInt32Deprecated key defined only in table map.
nodename
Transientnode.nameTextDeprecated key defined only in table map.
obj_id
Transientobj.idTextDeprecated key defined only in table map.
obj_server
Transientobj.serverTextDeprecated key defined only in table map.
obj_value
Transientobj.valTextDeprecated key defined only in table map.
parent_pid_val
Transientparent.pid.valTextDeprecated key defined only in table map.
resource
TransientresourceTextDeprecated key defined only in table map.
resource_class
Transientresource.classTextDeprecated key defined only in table map.
site
TransientsiteTextDeprecated key defined only in table map.
stamp
TransientstampTimeTDeprecated key defined only in table map.
statement
TransientstatementTextDeprecated key defined only in table map.
trans_from
Transienttrans.fromTextDeprecated key defined only in table map.
trans_to
Transienttrans.toTextDeprecated key defined only in table map.
url_raw
Transienturl.rawTextDeprecated key defined only in table map.
FileDirectory Path
dir.path
Nonedir.pathTextIndexValuesThis key contains context for the directory path such as whether it is a user directory or a Windows program directory. This will be populated if there is no concept of source or destination path within the session. Otherwise, see the meta keys for Directory Path Source or Directory Path Destination.
FileDirectory Path Source
dir.path.src
Nonedir.path.srcTextIndexValuesThis key contains context for the directory path such as whether it is a user directory or a Windows program directory. This will be populated if there is a concept of source path within the session. Otherwise, see the meta keys for Directory Path or Directory Path Destination.
FileDirectory Path Destination
dir.path.dst
Nonedir.path.dstTextIndexValuesThis key contains context for the directory path such as whether it is a user directory or a Windows program directory. This will be populated if there is a concept of destination path within the session. Otherwise, see the meta keys for Directory Path or Directory Path Source.