Standard Metadata Dictionary

Stellar Cyber monitors your network to collect and respond to data reported from multiple sources such as network packets, endpoint telemetry, cloud logs, and threat intelligence feeds. Each type of data is handled differently before being populated into a standardized set of fields referred to as metadata. Where applicable, and based on your configuration and the type of content, the data may be de-duplicated, normalized, and enriched as it passes through sensors and the data processor, on its way to becoming part of an Interflow record.

Standard Metadata Fields in Interflow Records

The table below lists the standard metadata fields in the Stellar Cyber Interflow record, the type of data recorded, and a description. You can use these fields as part of your searches or queries that you build, along with vendor specific fields and values.

About GDPR Compliance

The table below is also a summary of the data collected by the Stellar Cyber platform and can be used as part of your GDPR compliance strategy.

Metadata Field Type Description
_id2 string Elasticsearch ID of the earlier of two login records.
_index2 string Elasticsearch index of the earlier of two login records.
access_mask string Object access mask.
access_subject string The subject entity that performed the object access.
accumulated_anomalous_failures integer Score in the TRW model, indicating degree of abnormal activities. Used for Machine Learning.
action string The action to be taken. Examples are allow or block.
actual integer Real value input for Machine Learning to process.
actual_range string Actual login time range.
ade object Namespace for all ADE-related fields.
aella_tuples string The concatenated fields of srcip, dstip, dstport, and appid.
alert_time date Time of anomaly being detected.
appid long The ID of an application identified by the DPI engine.
appid_family string The name of the application family to which the application belongs, such as network service, database, web, etc.
appid_name string The name of an application identified by the DPI engine, such as HTTP, DHCP, Google, etc.
appid_stdport string Whether the application is using the standard port.
appid_tags list The application's tags.
asset_view integer Whether the record contains a summary of scan results for one asset.
assignee string The user assigned to this event record.
attack_start_date string The time an attack began, reported by the sensor.
case_id string For Case Management, the ID of the case to which the record belongs, if any.
case_name string For Case Management, the name of the case to which the record belongs, if any.
cloud object From ECS, the fields related to the cloud or infrastructure from which the events are coming.
command string The command that was run in a system.
comments list A list of all comments made on the record.
computer_name string The host name of the endpoint.
correlation_info object Information about individual records involved in a correlation event.

custom_ser_field

object

reserved field (Used by ActZero only for now)

days_silent integer Time interval (days) between latest two appearances.
detect_date date The time when an attack was detected by the sensor.
detect_origin string The direction of the attack based on Stellar Cyber analysis of metadata..
detected_field string Identification field of the alert type.
detected_value IP address Identification field's value of the alert type.
detection_flag integer A special flag to encode what alert type(s) to which this record might be applicable.
detector_index integer Index of alert types for ML jobs. A Machine Learning job can have multiple alert types, each one with a detected_field value.
device object From OCSF, the device object represents an addressable computer system or host.
direction string The direction of the maltrace event.
distance_deviation float The distance deviation between two login geolocations.
diversity integer Typical variety of elements for an entity (1–100). The higher value, the more variety it has.
domain_list list List of domains.
domain_reputation string Formatted list of (one or more) domain reputations, separated by a comma.
dscp_name string Name as described in the commonly used DSCP values in RFC 2475Closed
Best Effort, Expedited Forwarding, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43
.
dstip IP address Destination IP address of the session.
dstip_aella_flag integer The flag indicating how the destination IP address will be processed.
dstip_assetid string The asset ID associated with the destination IP address.
dstip_domain_creation date The creation date of the domain associated with the destination IP address.
dstip_geo object Geo location information for the destination IP address.
dstip_geo_point string Geo point of the destination IP address.
dstip_host string Host name or DNS name for the destination IP address.
dstip_reputation string Reputation of the destination IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc.
dstip_reputation_source string The source of the reputation data.
dstip_sig_id string The signature ID concatenated with the dstip.
dstip_tag string The asset tag associated with the destination IP address.
dstip_type string The IP address type for the destination IP address, such as private, multicast, or public.
dstip_username string The username associated with the destination IP address.
dstip_usersid string The user ID associated with the destination IP address. For Windows, security identifier (SID) is used.
dstip_version string Indicates if the destination IP address is IPv4 or IPv6.
dstmac string Destination MAC address.
dstport integer Layer 4 destination port.
duration integer Session duration in milliseconds.
email object From ECS. The event fields are used for context information about the log or metric email itself.
end_bucket_time integer End time of the data that caused the anomaly, in milliseconds (combines with the start_bucket_time to form a time range).
end_reason integer Reason the session endedClosed
1–4: normal
5: TCP reset
10–25: ICMP-related
.
engid string ID of the sensor.
engid_device_class string The high level operating system of the sensor.

engid_device_desc

string

OS version of the sensor. For agent sensors, this is the host OS version.

engid_gateway string The gateway of the sensor.
engid_name string The hostname of the sensor.

event

object

From ECS. The event fields are used for context information about the log or metric event itself.

event_category string The kill chain event category for the Machine Learning job.
event_data object This field's sub fields are the metadata associated with this Windows event.
event_description string The general description of the event.
event_detail object Used in gsuite-related alert types.
event_id integer The ID of the event.
event_name string The event name for the job.
event_score float Combination of severity, fidelity, and threat_score.
event_source string The data source for the Machine Learning job results.
event_status string The current status of a given event record. Can be new, in_progress, closed, or ignored.
event_summary object Summarized data points from records contributing to an alert.
event_tags list The upper-level namespace for tags.
event_tags.tag string A given tag's name.
event_type string The event type for the Machine Learning job.
exec_user string The user that executed a command, from auth_log.
fidelity integer Machine Learning confidence that an attack is happening. From 0–100, with a higher value indicating higher confidence.

file

object

From ECS. A file is a set of information that has been created on or has existed on a filesystem.

file_list list_of_object A list of file objects.
file_name string File name extracted from traffic.
file_path string Directory holding the fileName on the endpoint.
file_size integer File size in bytes.
fileid string Unique identifier for the file. It is a hash based on MD5 and SHA-256.
fileName string File name of the threat on the endpoint.
fw_policy_id string The rule or policy that the firewall checks against.
group string The detected threat group to which the threat belongs.
handler string Handler identifier.

host

object

From ECS. A host is a general computing instance.

host_list

list_of_object

A list of host objects.

hostip IP address The host IP address of the endpoint.
hostip_assetid string The asset ID associated with the host IP address.
hostip_domain_creation date The creation time of the domains associated with the host IP address.
hostip_geo object Geo location information for the host IP address.
hostip_geo_point string Geo point of the host IP address.
hostip_host string Host name of the host IP address.
hostip_reputation string Reputation of the host IP address.
hostip_reputation_source string The source of the reputation data.
hostip_sig_id string The signature ID concatenated with hostip.
hostip_tag string The asset tag associated with the host IP address.
hostip_type string The type of the host IP address.
hostip_username string The username associated with the host IP address.
hostip_usersid string The user ID associated with the host IP address. For Windows, security identifier (SID) is used.
hostip_version string Indicates if the host IP address is IPv4 or IPv6.
icmp_type string The ICMP message type.
ids object Namespace for all IDS related fields.
in_bytes_delta integer The number of bytes the client received from the server since the last update.
in_bytes_total integer Total number of bytes the client received from the server during the session.
in_rate float The incoming traffic rate, from the client to the server (in_bytes_delta / delta).
inbytes_delta integer The number of bytes the client received from the server since the last update.
inbytes_total integer Total number of bytes the client received from the server during the session.
inpkts_delta integer The number of packets the client received from the server since the last update.
inpkts_total integer Total number of packets the client received from the server during the session.
is_dga string Whether a DNS request is DGA.
last_login_time date Time of the earlier of two login records.
lateral boolean Whether the connection is from private to private.
locid string Location of the sensor if the location is assigned by the user from the user interface.
login_failure_rate float Rate of login failures per minute in the period.
login_result string The login result of any user login events.
login_type string The login type of the login events.
login_user string The username associated with the login event.
lstm_prob integer DGA probability based on the long short-term memory model.
mac list A list of MAC addresses associated with the host.
maltrace-cloud object The malicious activity for this file, from cloud analysis.
md5 string The MD5 hash value of this file.
metadata object Whether any field (such as domain, url, ip) in the metadata is in the whitelist.
msg_class string Whether this record belongs to an endpoint class.
msg_data list_of_object Used for extra, ingested data that is not mapped to specific fields and is not required for analytics or search.
msg_origin object

The device category, such as IdP, endpoint, or firewall.

Note that records ingested from Stellar Cyber sensors will have msg_origin.source set to linux_agent, windows_agent, network_sensor, security_sensor, or modular_sensor and will also include the msg_origin.category field set to traffic.

msgtype integer Integer value of the Stellar Cyber internal message typeClosed
1—metadata for a session that started but has not yet finished
2—metadata for a just finished session
3—meta data update for an on-going session
4—metadata for a short session that has finished
.
msgtype_name string String value of the Stellar Cyber internal message typeClosed
start—a new session started
end—an existing session ended
update—stats and metadata update for an ongoing session
startend—a short session started and ended
.
netid_name string The name of a network ID.
new_dns_record string Whether the DNS A record has never been seen before.
num_failed integer Number of failures in the time period.
num_successful integer Number of successes in the time period.

org_id

string

Organization ID.

org_name

string

Organization name.

orig_id string Elasticsearch ID of the data causing the anomaly.
orig_index string Elasticsearch index of the data causing the anomaly.
out_bytes_delta integer The number of bytes sent to the server by the client since the last update.
out_bytes_total integer The number of bytes sent by the client to the server during the session.
out_rate float The outgoing traffic rate, from the server to the client (out_bytes_delta / delta).
out_record_delta integer The number of records (logs) from the log forwarder to the DP since the last update.
out_record_total integer The total number of records (logs) from the log forwarder to the DP.
outbytes_delta integer The number of bytes sent to the server by the client since the last update.
outbytes_total integer The number of bytes sent by the client to the server during the session.
outpkts_delta integer The number of packets sent to the server by the client since the last update.
outpkts_total integer The number of packets sent to the server by the client during the session.
parent_child string The concatenation of parent process name and child process name.
parent_proc_name string The parent process of the running process.
parser_err_msg string

Parsing error message. In the case of a parsing error, the complete log is put into this field.

If the keep raw message option is enabled in the UI, the original log will be put into this field, regardless of parsing error.

parser_raw_msg string

If the Raw Log Capture feature is enabled in the sensor profile, this field indicates the raw, unparsed message.

In the case of a parsing error, the entire error log.

percent_failed float num_fail/(num_fail+num_success)

process

object

From ECS. Information about a process.

process_id integer The process ID that generated the log.
process_list list_of_object A list of process objects.
process_name string On an agent sensor, the name of the process that opened the connection. The process is correlated with the network connection.
process_user string On an agent sensor, the user who started the process that opened the connection. The user information is correlated with the network connection.
processing_time string Processing time from the sensor.
proto integer IP header protocol typeClosed
1—ICMP
2—IGMP
6—TCP
17—UDP
proto_name string Layer 4 protocol name. Can be TCP, UDP, ICMP, or IGMP.
query_count integer Number of DNS queries in a tunnel.
remote_ip IP address The IP address of the remote entity involved in the event.
remote_ip_domain_creation date The creation time of the domains associated with the remote IP address.
remote_ip_geo object Geo location information for the remote IP address.
remote_ip_geo_point string Geo point of the remote IP address.
remote_ip_reputation string Remote IP address reputation.
remote_ip_reputation_source string Source of the reputation data.
remote_ip_type string The type of the remote IP address.
remote_ip_username string The username associated with the remote IP address.
remote_ip_usersid string The user ID associated with the remote IP address. For Windows, security identifier (SID) is used.
remote_ip_version string Indicates if the remote IP address is IPv4 or IPv6.
remote_port integer The port of the remote entity involved in the event.
response_time integer Server processing time calculated by the sensor.
rule object The rule name.
saved_query string For storing queries used for Threat Hunting.
scan_end date The security scan end time.
scan_start date The security scan start time.
sds_engid string The ID of the security sensor that generated the event.
sds_engid_name string The name of the security sensor that generated the event.
severity integer Severity of the event. From 0–100, with a higher value indicating higher severity.
sha256 string The SHA-256 hash value of this file.
smb_denied_count integer Number of times access was denied in a single SMB session.
smb_username_count integer Number of unique usernames used in a single SMB session.
smb_username_set list The set of unique usernames observed in the SMB session.
srcip IP address Source IP address of the session.
srcip_assetid string The asset ID associated with the source IP address.
srcip_domain_creation date The creation time of the domains associated with the source IP address.
srcip_geo object Geo location information for the source IP address.
srcip_geo_point string Geo point of the source IP address.
srcip_geo2 string Geo location of the earlier of two login records.
srcip_host string Host name or DNS name for the source IP address.
srcip_reputation string Reputation of the source IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc.
srcip_reputation_source string The source of the reputation data.
srcip_sig_id string The signature ID concatenated with srcip.
srcip_tag string The asset tag associated with the source IP address.
srcip_type string IP address type for the source IP address, such as private, multicast, or public.
srcip_username string The username associated with the source IP address.
srcip_usersid string The user ID associated with the source IP address. For Windows, security identifier (SID) is used.
srcip_version string Indicates if the source IP address is IPv4 or IPv6.
srcmac string Source MAC address.
srcport integer Layer 4 source port.
stability integer Amount of time without change for an entity (1–100). The higher value, the more stability it has.
start_bucket_time date Start time of the data that caused the anomaly.
state string The current state of the sessionClosed
Established
Closed
HalfOpened
Aborted
Created
Closing
Expired
.
suspicious_ips list A list of suspicious IP addresses that could do credential stuffing in a cloud service.
tcp_rtt integer Round trip time for a TCP connection, which represents the network delay.
tenant_name string The name of the tenant.
tenantid string The ID of the tenant.

threat

string

The detected threat category to which the threat belongs.

threat_score integer Threat score (0–100).
time_deviation float Difference between two login times, in seconds.
timestamp date Time of an action, such as start of session, time of update, etc.
tls object TLS-related metadata, such as fingerprint, issuerdn, ja3, etc.

tos

integer

Type of Service value in the IP header.

total_entropy float Total entropy of DNS queries in a tunnel.
totalbytes integer Total number of bytes received and sent by client for a session.
totalpackets integer Total number of packets received and sent by client for a session.
travel_speed float Travel speed (in mph) between two login locations.
typical integer The typical value that Machine Learning calculated.
typical_range string Typical login time range such as 10:00am-11:00am.
unknown_users_to_login_failure float Ratio of unknown usernames (unknown_users_rate) to login failures (login_failure_rate) in the period.
unknown_users_rate float Rate of unknown login usernames per minute in the period.
url string The URL that is a reference to a web resource.
url_list list List of URLs.
url_reputation string Reputation of the URL.
user object Information about a Windows user, including domain, ID, name, and type.
user_action object The upper-level namespace for all user action fields.

user_list

list_of_object

A list of user objects.

username string The user name.
user_profile object Used to store information for Active Directory connector.
verdict_share boolean Whether or not to share the record in Threat Intelligence.
vlan integer VLAN ID.
vuln_count float The number of vulnerabilities.
vuln_score float The overall vulnerability score.
vulnerabilities list List of vulnerabilities.
vulnerability object Vulnerability information as reported by original source.
write_by string Service that wrote the anomaly record.
write_time date Time the event was written to Elasticsearch.

xdr_event

object

The XDR kill chain info of each alert, such as stage, tactic, technique.

xgb_prob integer DGA probability based on the XGBoost model.