Standard Metadata Dictionary
Stellar Cyber monitors your network to collect and respond to data reported from multiple sources such as network packets, endpoint telemetry, cloud logs, and threat intelligence feeds. Each type of data is handled differently before being populated into a standardized set of fields referred to as metadata. Where applicable, and based on your configuration and the type of content, the data may be de-duplicated, normalized, and enriched as it passes through sensors and the data processor, on its way to becoming part of an Interflow record.
Standard Metadata Fields in Interflow Records
The table below lists the standard metadata fields in the Stellar Cyber Interflow record, the type of data recorded, and a description. You can use these fields as part of your searches or queries that you build, along with vendor specific fields and values.
About GDPR Compliance
The table below is also a summary of the data collected by the Stellar Cyber platform and can be used as part of your GDPR compliance strategy.
| Metadata Field | Type | Description |
|---|---|---|
| _id2 | string | Elasticsearch ID of the earlier of two login records. |
| _index2 | string | Elasticsearch index of the earlier of two login records. |
| access_mask | string | Object access mask. |
| access_subject | string | The subject entity that performed the object access. |
| accumulated_anomalous_failures | integer | Score in the TRW model, indicating degree of abnormal activities. Used for Machine Learning. |
| action | string | The action to be taken. Examples are allow or block. |
| actual | integer | Real value input for Machine Learning to process. |
| actual_range | string | Actual login time range. |
| ade | object | Namespace for all ADE-related fields. |
| aella_tuples | string | The concatenated fields of srcip, dstip, dstport, and appid. |
| alert_time | date | Time of anomaly being detected. |
| appid | long | The ID of an application identified by the DPI engine. |
| appid_family | string | The name of the application family to which the application belongs, such as network service, database, web, etc. |
| appid_name | string | The name of an application identified by the DPI engine, such as HTTP, DHCP, Google, etc. |
| appid_stdport | string | Whether the application is using the standard port. |
| appid_tags | list | The application's tags. |
| asset_view | integer | Whether the record contains a summary of scan results for one asset. |
| assignee | string | The user assigned to this event record. |
| attack_start_date | string | The time an attack began, reported by the sensor. |
| case_id | string | For Case Management, the ID of the case to which the record belongs, if any. |
| case_name | string | For Case Management, the name of the case to which the record belongs, if any. |
| cloud | object | From ECS, the fields related to the cloud or infrastructure from which the events are coming. |
| command | string | The command that was run in a system. |
| comments | list | A list of all comments made on the record. |
| computer_name | string | The host name of the endpoint. |
| correlation_info | object | Information about individual records involved in a correlation event. |
|
custom_ser_field |
object |
reserved field (Used by ActZero only for now) |
| days_silent | integer | Time interval (days) between latest two appearances. |
| detect_date | date | The time when an attack was detected by the sensor. |
| detect_origin | string | The direction of the attack based on Stellar Cyber analysis of metadata.. |
| detected_field | string | Identification field of the alert type. |
| detected_value | IP address | Identification field's value of the alert type. |
| detection_flag | integer | A special flag to encode what alert type(s) to which this record might be applicable. |
| detector_index | integer | Index of alert types for ML jobs. A Machine Learning job can have multiple alert types, each one with a detected_field value. |
| device | object | From OCSF, the device object represents an addressable computer system or host. |
| direction | string | The direction of the maltrace event. |
| distance_deviation | float | The distance deviation between two login geolocations. |
| diversity | integer | Typical variety of elements for an entity (1–100). The higher value, the more variety it has. |
| domain_list | list | List of domains. |
| domain_reputation | string | Formatted list of (one or more) domain reputations, separated by a comma. |
| dscp_name | string | Name as described in the commonly used DSCP values in RFC 2475 . |
| dstip | IP address | Destination IP address of the session. |
| dstip_aella_flag | integer | The flag indicating how the destination IP address will be processed. |
| dstip_assetid | string | The asset ID associated with the destination IP address. |
| dstip_domain_creation | date | The creation date of the domain associated with the destination IP address. |
| dstip_geo | object | Geo location information for the destination IP address. |
| dstip_geo_point | string | Geo point of the destination IP address. |
| dstip_host | string | Host name or DNS name for the destination IP address. |
| dstip_reputation | string | Reputation of the destination IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc. |
| dstip_reputation_source | string | The source of the reputation data. |
| dstip_sig_id | string | The signature ID concatenated with the dstip. |
| dstip_tag | string | The asset tag associated with the destination IP address. |
| dstip_type | string | The IP address type for the destination IP address, such as private, multicast, or public. |
| dstip_username | string | The username associated with the destination IP address. |
| dstip_usersid | string | The user ID associated with the destination IP address. For Windows, security identifier (SID) is used. |
| dstip_version | string | Indicates if the destination IP address is IPv4 or IPv6. |
| dstmac | string | Destination MAC address. |
| dstport | integer | Layer 4 destination port. |
| duration | integer | Session duration in milliseconds. |
| object | From ECS. The event fields are used for context information about the log or metric email itself. | |
| end_bucket_time | integer | End time of the data that caused the anomaly, in milliseconds (combines with the start_bucket_time to form a time range). |
| end_reason | integer | Reason the session ended. |
| engid | string | ID of the sensor. |
| engid_device_class | string | The high level operating system of the sensor. |
|
engid_device_desc |
string |
OS version of the sensor. For agent sensors, this is the host OS version. |
| engid_gateway | string | The gateway of the sensor. |
| engid_name | string | The hostname of the sensor. |
|
event |
object |
From ECS. The event fields are used for context information about the log or metric event itself. |
| event_category | string | The kill chain event category for the Machine Learning job. |
| event_data | object | This field's sub fields are the metadata associated with this Windows event. |
| event_description | string | The general description of the event. |
| event_detail | object | Used in gsuite-related alert types. |
| event_id | integer | The ID of the event. |
| event_name | string | The event name for the job. |
| event_score | float | Combination of severity, fidelity, and threat_score. |
| event_source | string | The data source for the Machine Learning job results. |
| event_status | string | The current status of a given event record. Can be new, in_progress, closed, or ignored. |
| event_summary | object | Summarized data points from records contributing to an alert. |
| event_tags | list | The upper-level namespace for tags. |
| event_tags.tag | string | A given tag's name. |
| event_type | string | The event type for the Machine Learning job. |
| exec_user | string | The user that executed a command, from auth_log. |
| fidelity | integer | Machine Learning confidence that an attack is happening. From 0–100, with a higher value indicating higher confidence. |
|
file |
object |
From ECS. A file is a set of information that has been created on or has existed on a filesystem. |
| file_list | list_of_object | A list of file objects. |
| file_name | string | File name extracted from traffic. |
| file_path | string | Directory holding the fileName on the endpoint. |
| file_size | integer | File size in bytes. |
| fileid | string | Unique identifier for the file. It is a hash based on MD5 and SHA-256. |
| fileName | string | File name of the threat on the endpoint. |
| fw_policy_id | string | The rule or policy that the firewall checks against. |
| group | string | The detected threat group to which the threat belongs. |
| handler | string | Handler identifier. |
|
host |
object |
From ECS. A host is a general computing instance. |
|
host_list |
list_of_object |
A list of host objects. |
| hostip | IP address | The host IP address of the endpoint. |
| hostip_assetid | string | The asset ID associated with the host IP address. |
| hostip_domain_creation | date | The creation time of the domains associated with the host IP address. |
| hostip_geo | object | Geo location information for the host IP address. |
| hostip_geo_point | string | Geo point of the host IP address. |
| hostip_host | string | Host name of the host IP address. |
| hostip_reputation | string | Reputation of the host IP address. |
| hostip_reputation_source | string | The source of the reputation data. |
| hostip_sig_id | string | The signature ID concatenated with hostip. |
| hostip_tag | string | The asset tag associated with the host IP address. |
| hostip_type | string | The type of the host IP address. |
| hostip_username | string | The username associated with the host IP address. |
| hostip_usersid | string | The user ID associated with the host IP address. For Windows, security identifier (SID) is used. |
| hostip_version | string | Indicates if the host IP address is IPv4 or IPv6. |
| icmp_type | string | The ICMP message type. |
| ids | object | Namespace for all IDS related fields. |
| in_bytes_delta | integer | The number of bytes the client received from the server since the last update. |
| in_bytes_total | integer | Total number of bytes the client received from the server during the session. |
| in_rate | float | The incoming traffic rate, from the client to the server (in_bytes_delta / delta). |
| inbytes_delta | integer | The number of bytes the client received from the server since the last update. |
| inbytes_total | integer | Total number of bytes the client received from the server during the session. |
| inpkts_delta | integer | The number of packets the client received from the server since the last update. |
| inpkts_total | integer | Total number of packets the client received from the server during the session. |
| is_dga | string | Whether a DNS request is DGA. |
| last_login_time | date | Time of the earlier of two login records. |
| lateral | boolean | Whether the connection is from private to private. |
| locid | string | Location of the sensor if the location is assigned by the user from the user interface. |
| login_failure_rate | float | Rate of login failures per minute in the period. |
| login_result | string | The login result of any user login events. |
| login_type | string | The login type of the login events. |
| login_user | string | The username associated with the login event. |
| lstm_prob | integer | DGA probability based on the long short-term memory model. |
| mac | list | A list of MAC addresses associated with the host. |
| maltrace-cloud | object | The malicious activity for this file, from cloud analysis. |
| md5 | string | The MD5 hash value of this file. |
| metadata | object | Whether any field (such as domain, url, ip) in the metadata is in the whitelist. |
| msg_class | string | Whether this record belongs to an endpoint class. |
| msg_data | list_of_object | Used for extra, ingested data that is not mapped to specific fields and is not required for analytics or search. |
| msg_origin | object |
The device category, such as IdP, endpoint, or firewall. Note that records ingested from Stellar Cyber sensors will have msg_origin.source set to linux_agent, windows_agent, network_sensor, security_sensor, or modular_sensor and will also include the msg_origin.category field set to traffic. |
| msgtype | integer | Integer value of the Stellar Cyber internal message type. |
| msgtype_name | string | String value of the Stellar Cyber internal message type. |
| netid_name | string | The name of a network ID. |
| new_dns_record | string | Whether the DNS A record has never been seen before. |
| num_failed | integer | Number of failures in the time period. |
| num_successful | integer | Number of successes in the time period. |
|
org_id |
string |
Organization ID. |
|
org_name |
string |
Organization name. |
| orig_id | string | Elasticsearch ID of the data causing the anomaly. |
| orig_index | string | Elasticsearch index of the data causing the anomaly. |
| out_bytes_delta | integer | The number of bytes sent to the server by the client since the last update. |
| out_bytes_total | integer | The number of bytes sent by the client to the server during the session. |
| out_rate | float | The outgoing traffic rate, from the server to the client (out_bytes_delta / delta). |
| out_record_delta | integer | The number of records (logs) from the log forwarder to the DP since the last update. |
| out_record_total | integer | The total number of records (logs) from the log forwarder to the DP. |
| outbytes_delta | integer | The number of bytes sent to the server by the client since the last update. |
| outbytes_total | integer | The number of bytes sent by the client to the server during the session. |
| outpkts_delta | integer | The number of packets sent to the server by the client since the last update. |
| outpkts_total | integer | The number of packets sent to the server by the client during the session. |
| parent_child | string | The concatenation of parent process name and child process name. |
| parent_proc_name | string | The parent process of the running process. |
| parser_err_msg | string |
Parsing error message. In the case of a parsing error, the complete log is put into this field. If the keep raw message option is enabled in the UI, the original log will be put into this field, regardless of parsing error. |
| parser_raw_msg | string |
If the Raw Log Capture feature is enabled in the sensor profile, this field indicates the raw, unparsed message. In the case of a parsing error, the entire error log. |
| percent_failed | float | num_fail/(num_fail+num_success) |
|
process |
object |
From ECS. Information about a process. |
| process_id | integer | The process ID that generated the log. |
| process_list | list_of_object | A list of process objects. |
| process_name | string | On an agent sensor, the name of the process that opened the connection. The process is correlated with the network connection. |
| process_user | string | On an agent sensor, the user who started the process that opened the connection. The user information is correlated with the network connection. |
| processing_time | string | Processing time from the sensor. |
| proto | integer | IP header protocol type |
| proto_name | string | Layer 4 protocol name. Can be TCP, UDP, ICMP, or IGMP. |
| query_count | integer | Number of DNS queries in a tunnel. |
| remote_ip | IP address | The IP address of the remote entity involved in the event. |
| remote_ip_domain_creation | date | The creation time of the domains associated with the remote IP address. |
| remote_ip_geo | object | Geo location information for the remote IP address. |
| remote_ip_geo_point | string | Geo point of the remote IP address. |
| remote_ip_reputation | string | Remote IP address reputation. |
| remote_ip_reputation_source | string | Source of the reputation data. |
| remote_ip_type | string | The type of the remote IP address. |
| remote_ip_username | string | The username associated with the remote IP address. |
| remote_ip_usersid | string | The user ID associated with the remote IP address. For Windows, security identifier (SID) is used. |
| remote_ip_version | string | Indicates if the remote IP address is IPv4 or IPv6. |
| remote_port | integer | The port of the remote entity involved in the event. |
| response_time | integer | Server processing time calculated by the sensor. |
| rule | object | The rule name. |
| saved_query | string | For storing queries used for Threat Hunting. |
| scan_end | date | The security scan end time. |
| scan_start | date | The security scan start time. |
| sds_engid | string | The ID of the security sensor that generated the event. |
| sds_engid_name | string | The name of the security sensor that generated the event. |
| severity | integer | Severity of the event. From 0–100, with a higher value indicating higher severity. |
| sha256 | string | The SHA-256 hash value of this file. |
| smb_denied_count | integer | Number of times access was denied in a single SMB session. |
| smb_username_count | integer | Number of unique usernames used in a single SMB session. |
| smb_username_set | list | The set of unique usernames observed in the SMB session. |
| srcip | IP address | Source IP address of the session. |
| srcip_assetid | string | The asset ID associated with the source IP address. |
| srcip_domain_creation | date | The creation time of the domains associated with the source IP address. |
| srcip_geo | object | Geo location information for the source IP address. |
| srcip_geo_point | string | Geo point of the source IP address. |
| srcip_geo2 | string | Geo location of the earlier of two login records. |
| srcip_host | string | Host name or DNS name for the source IP address. |
| srcip_reputation | string | Reputation of the source IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc. |
| srcip_reputation_source | string | The source of the reputation data. |
| srcip_sig_id | string | The signature ID concatenated with srcip. |
| srcip_tag | string | The asset tag associated with the source IP address. |
| srcip_type | string | IP address type for the source IP address, such as private, multicast, or public. |
| srcip_username | string | The username associated with the source IP address. |
| srcip_usersid | string | The user ID associated with the source IP address. For Windows, security identifier (SID) is used. |
| srcip_version | string | Indicates if the source IP address is IPv4 or IPv6. |
| srcmac | string | Source MAC address. |
| srcport | integer | Layer 4 source port. |
| stability | integer | Amount of time without change for an entity (1–100). The higher value, the more stability it has. |
| start_bucket_time | date | Start time of the data that caused the anomaly. |
| state | string | The current state of the session. |
| suspicious_ips | list | A list of suspicious IP addresses that could do credential stuffing in a cloud service. |
| tcp_rtt | integer | Round trip time for a TCP connection, which represents the network delay. |
| tenant_name | string | The name of the tenant. |
| tenantid | string | The ID of the tenant. |
|
threat |
string |
The detected threat category to which the threat belongs. |
| threat_score | integer | Threat score (0–100). |
| time_deviation | float | Difference between two login times, in seconds. |
| timestamp | date | Time of an action, such as start of session, time of update, etc. |
| tls | object | TLS-related metadata, such as fingerprint, issuerdn, ja3, etc. |
|
tos |
integer |
Type of Service value in the IP header. |
| total_entropy | float | Total entropy of DNS queries in a tunnel. |
| totalbytes | integer | Total number of bytes received and sent by client for a session. |
| totalpackets | integer | Total number of packets received and sent by client for a session. |
| travel_speed | float | Travel speed (in mph) between two login locations. |
| typical | integer | The typical value that Machine Learning calculated. |
| typical_range | string | Typical login time range such as 10:00am-11:00am. |
| unknown_users_to_login_failure | float | Ratio of unknown usernames (unknown_users_rate) to login failures (login_failure_rate) in the period. |
| unknown_users_rate | float | Rate of unknown login usernames per minute in the period. |
| url | string | The URL that is a reference to a web resource. |
| url_list | list | List of URLs. |
| url_reputation | string | Reputation of the URL. |
| user | object | Information about a Windows user, including domain, ID, name, and type. |
| user_action | object | The upper-level namespace for all user action fields. |
|
user_list |
list_of_object |
A list of user objects. |
| username | string | The user name. |
| user_profile | object | Used to store information for Active Directory connector. |
| verdict_share | boolean | Whether or not to share the record in Threat Intelligence. |
| vlan | integer | VLAN ID. |
| vuln_count | float | The number of vulnerabilities. |
| vuln_score | float | The overall vulnerability score. |
| vulnerabilities | list | List of vulnerabilities. |
| vulnerability | object | Vulnerability information as reported by original source. |
| write_by | string | Service that wrote the anomaly record. |
| write_time | date | Time the event was written to Elasticsearch. |
|
xdr_event |
object |
The XDR kill chain info of each alert, such as stage, tactic, technique. |
| xgb_prob | integer | DGA probability based on the XGBoost model. |
