You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Symantec Endpoint Security

Collect logs from Symantec Endpoint Security with Elastic Agent.

Version
0.1.0 (View all)
Compatible Kibana version(s)
8.12.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

This Symantec Endpoint Security integration enables your security team to securely stream event data to Elastic Security, via AWS S3, AWS SQS or GCS. When integrated with Elastic Security, this valuable data can be leveraged within Elastic. Symantec Endpoint Security (SES) delivers comprehensive protection for all your traditional and mobile devices across the entire attack chain. Symantec endpoint innovations include behavioral isolation, Active Directory security, and Threat Hunter technologies to protect your endpoints against sophisticated threats and targeted attacks.

The Symantec Endpoint Security integration can be used in three different modes to collect data:

  • AWS S3 polling mode: Symantec Endpoint Security writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
  • AWS S3 SQS mode: Symantec Endpoint Security writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.
  • GCS polling mode: Symantec Endpoint Security writes data to GCS bucket, and Elastic Agent polls the GCS bucket by listing its contents and reading new files.

Data streams

The Symantec Endpoint Security integration collects logs for different events that Integrated Cyber Defense Schema organizes into following categories:

Security [1]

Event Type
8020 - Scan
8025 - Boot Record Detection
8026 - User Session Detection
8027 - Process Detection
8028 - Module Detection
8030 - Kernel Detection
8031 - File Detection
8032 - Registry Key Detection
8033 - Registry Value Detection
8038 - Peripheral Device Detection
8040 - Host Network Detection
8061 - Entity Change
8070 - Compliance Scan
8071 - Compliance
8075 - Incident Creation
8076 - Incident Update
8077 - Incident Closure
8078 - Incident Associate

License [2]

Event Type
30 - License Lifecycle
31 - License Expiry

Application Activity [3]

Event Type
2 - Application Lifecycle
3 - Update
4 - Policy Change
5 - File Reputation
11 - Command Activity
12 - Action Request
13 - Action Response
42 - URL Reputation

Audit [4]

Event Type
20 - User Session Audit
21 - Entity Audit
22 - Policy Override Audit

System Activity [5]

Event Type
8000 - User Session Activity
8001 - Process Activity
8002 - Module Activity
8003 - File Activity
8004 - Directory Activity
8005 - Registry Key Activity
8006 - Registry Value Activity
8007 - Host Network Activity
8009 - Kernel Activity
8011 - Email Activity
8015 - Monitored Source
8016 - Startup Application Configuration Change
8018 - AMSI Activity

Diagnostic [6]

Event Type
1000 - Status

NOTE: The Symantec Endpoint Security integration collects logs for the above mentioned events, but we have combined all of those in one data stream named event.

Requirements

  • Elastic Agent must be installed.
  • You can install only one Elastic Agent per host.
  • Elastic Agent is required to stream data from the S3 bucket or GCS and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version required is 8.12.0.

Setup

To collect data from an AWS S3 bucket, follow the below steps:

  • Considering you already have an AWS S3 bucket setup, to configure it with Symantec Endpoint Security, follow the steps mentioned here to enable the Symantec Endpoint Streaming.

To collect data from a GCS bucket, follow the below steps:

  • Considering you already have a GCS bucket setup, configure it with Symantec Endpoint Security.
  • Enable the Symantec Endpoint Streaming as mentioned here.
  • Configure the integration with your GCS project ID, Bucket name and Service Account Key/Service Account Credentials File.

The GCS credentials key file:

Once you have added a key to GCP service account, you will get a JSON key file that can only be downloaded once. If you're new to GCS bucket creation, follow the following steps:

  1. Make sure you have a service account available, if not follow the steps below:
    • Navigate to 'APIs & Services' > 'Credentials'
    • Click on 'Create credentials' > 'Service account'
  2. Once the service account is created, you can navigate to the 'Keys' section and attach/generate your service account key.
  3. Make sure to download the JSON key file once prompted.
  4. Use this JSON key file either inline (JSON string object), or by specifying the path to the file on the host machine, where the agent is running.

A sample JSON Credentials file looks as follows:

{
  "type": "dummy_service_account",
  "project_id": "dummy-project",
  "private_key_id": "dummy-private-key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nDummyPrivateKey\n-----END PRIVATE KEY-----\n",
  "client_email": "dummy-service-account@example.com",
  "client_id": "12345678901234567890",
  "auth_uri": "https://dummy-auth-uri.com",
  "token_uri": "https://dummy-token-uri.com",
  "auth_provider_x509_cert_url": "https://dummy-auth-provider-cert-url.com",
  "client_x509_cert_url": "https://dummy-client-cert-url.com",
  "universe_domain": "dummy-universe-domain.com"
}

NOTE:

  • You must have Symantec Account Credentials to configure event stream. Refer here for more details.

To collect data from AWS SQS, follow the below steps:

  1. Assuming you've already set up a connection to push data into the AWS bucket; if not, see the section above.
  2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS Queue" mentioned in the link.
    • While creating an access policy, use the bucket name configured to create a connection for AWS S3 in Symantec.
  3. Configure event notifications for an S3 bucket. Follow this link.
    • While creating event notification select the event type as s3:ObjectCreated:*, destination type SQS Queue, and select the queue name created in Step 2.

Enabling the integration in Elastic:

  1. In Kibana go to Management > Integrations

  2. In "Search for integrations" search bar, type Symantec Endpoint Security

  3. Click on the "Symantec Endpoint Security" integration from the search results.

  4. Click on the Add Symantec Endpoint Security Integration button to add the integration.

  5. While adding the integration, if you want to collect logs via AWS S3, then you have to put the following details:

    • Collect logs via S3 Bucket toggled on
    • Access Key ID
    • Secret Access Key
    • Bucket ARN
    • Session Token

    or if you want to collect logs via AWS SQS, then you have to put the following details:

    • Collect logs via S3 Bucket toggled off
    • Queue URL
    • Secret Access Key
    • Access Key ID

    or if you want to collect logs via GCS, then you have to put the following details:

    • Project ID
    • Buckets
    • Service Account Key/Service Account Credentials File
  6. Save the integration.

NOTE:

  1. There are other input combination options available for the AWS S3 and AWS SQS, please check here.
  2. There are other input combination options available for the GCS, please check here.

Logs reference

Event

This is the Event dataset.

Example

An example event for event looks as following:

{
    "@timestamp": "2024-02-29T02:00:00.000Z",
    "agent": {
        "ephemeral_id": "c7db84fe-715c-47ad-8ec5-484489ddd1ea",
        "id": "fd5c2513-cbef-4142-aa92-f1756f76da26",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.12.0"
    },
    "aws": {
        "s3": {
            "bucket": {
                "arn": "arn:aws:s3:::elastic-package-symantec-endpoint-security-bucket-27504",
                "name": "elastic-package-symantec-endpoint-security-bucket-27504"
            },
            "object": {
                "key": "events.log"
            }
        }
    },
    "client": {
        "domain": "device.domain.internal.somecompany.com",
        "geo": {
            "country_iso_code": "IN"
        }
    },
    "cloud": {
        "region": "us-east-1"
    },
    "data_stream": {
        "dataset": "symantec_endpoint_security.event",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "ip": "175.16.199.0"
    },
    "device": {
        "id": [
            "Device_UID"
        ],
        "manufacturer": [
            "LENOVO"
        ]
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "fd5c2513-cbef-4142-aa92-f1756f76da26",
        "snapshot": false,
        "version": "8.12.0"
    },
    "email": {
        "direction": [
            "unknown",
            "inbound"
        ],
        "from": {
            "address": [
                "abc@example.com"
            ]
        },
        "subject": [
            "Cybox-Emails-Header_Subject 1",
            "Cybox-Emails-Header_Subject 2"
        ],
        "to": {
            "address": [
                "Cybox-Emails-Header_To 1",
                "Cybox-Emails-Header_Tos 1",
                "Cybox-Emails-Header_To 2",
                "Cybox-Emails-Header_Tos 2"
            ]
        }
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2021-02-11T05:30:04.000Z",
        "dataset": "symantec_endpoint_security.event",
        "end": [
            "2021-02-11T05:30:04.000Z"
        ],
        "id": "SR-1565234545",
        "ingested": "2024-04-23T12:21:14Z",
        "kind": "event",
        "original": "{\"category_id\":3,\"collector_device_ip\":\"175.16.199.0\",\"collector_device_name\":\"Collector_Device_Name\",\"collector_name\":\"Collection12\",\"collector_uid\":\"TT1456\",\"composite\":1,\"container\":{\"host_name\":\"azure-us.local\",\"image_name\":\"Image-sp2133\",\"image_uid\":\"SH4322323\",\"name\":\"User12345\",\"networks\":[{\"bssid\":\"Container-Networks-BSSID 1\",\"gateway_ip\":\"89.160.20.112\",\"gateway_mac\":\"00:B0:D0:63:C2:01\",\"ipv4\":\"81.2.69.144\",\"ipv6\":\"2a02:cf40::\",\"is_public\":true,\"mac\":\"00:B0:D0:63:C2:02\",\"rep_score_id\":0,\"ssid\":\"SSID-4326451\",\"type_id\":0},{\"bssid\":\"HN0845435\",\"gateway_ip\":\"81.2.69.142\",\"gateway_mac\":\"00:B0:D0:63:C2:03\",\"ipv4\":\"81.2.69.144\",\"ipv6\":\"2a02:cf40::\",\"is_public\":true,\"mac\":\"00:B0:D0:63:C2:04\",\"rep_score_id\":1,\"ssid\":\"Container-Networks-SSID 2\",\"type_id\":1}],\"os_name\":\"Windows\",\"uid\":\"UU35r3454\"},\"correlation_uid\":\"DD78666\",\"count\":563,\"customer_registry_uid\":\"CP45254\",\"customer_uid\":\"CH32534\",\"cybox\":{\"domains\":[\"example.com\",\"abc.com\"],\"emails\":[{\"direction_id\":0,\"header_from\":\"abc@example.com\",\"header_message_id\":\"Cybox-Emails-Header_Message_ID 1\",\"header_reply_to\":\"Cybox-Emails-Header_Reply_To 1\",\"header_subject\":\"Cybox-Emails-Header_Subject 1\",\"header_to\":[\"Cybox-Emails-Header_To 1\",\"Cybox-Emails-Header_Tos 1\"],\"sender_ip\":\"81.2.69.144\",\"size\":12345678901,\"smtp_from\":\"Cybox-Emails-SMTP_From 1\",\"smtp_hello\":\"Cybox-Emails-SMTP_Hello 1\",\"smtp_to\":\"Cybox-Emails-SMTP_To 1\"},{\"direction_id\":1,\"header_from\":\"abc@example.com\",\"header_message_id\":\"Cybox-Emails-Header_Message_ID 2\",\"header_reply_to\":\"Cybox-Emails-Header_Reply_To 2\",\"header_subject\":\"Cybox-Emails-Header_Subject 2\",\"header_to\":[\"Cybox-Emails-Header_To 2\",\"Cybox-Emails-Header_Tos 2\"],\"sender_ip\":\"81.2.69.144\",\"size\":12345678902,\"smtp_from\":\"Cybox-Emails-SMTP_From 2\",\"smtp_hello\":\"Cybox-Emails-SMTP_Hello 2\",\"smtp_to\":\"Cybox-Emails-SMTP_To 2\"}],\"files\":[{\"accessed\":1613021404000,\"accessor\":\"Cybox-Files-Accessor 1\",\"attribute_ids\":[1,2,3,4,5,6,7,8,9,10],\"attributes\":12345678901,\"company_name\":\"Microsoft Corporation\",\"confidentiality_id\":0,\"content_type\":{\"family_id\":0,\"subtype\":\"SubType 1\",\"type_id\":0},\"created\":1613021404000,\"creator\":\"Creator 1\",\"creator_process\":\"Cybox-Files-Creator_Process 1\",\"desc\":\"Cybox-Files-Desc 1\",\"folder\":\"c:\\\\windows\\\\system32\\\\cybox\\files\\folder\\\\1\",\"folder_uid\":\"Cybox-Files-Folder_UID 1\",\"is_system\":true,\"md5\":\"HFDajsdf3254345436\",\"mime_type\":\"Cybox-Files-MIME_Type 1\",\"modified\":1613021404000,\"modifier\":\"Cybox-Files-Modifier 1\",\"name\":\"cybox_files_name_1.exe\",\"normalized_path\":\"CSIDL_SYSTEM\\\\cybox_files_normalized_path_1.exe\",\"original_name\":\"Cybox-Files-Original_Name 1\",\"owner\":\"Cybox-Files-Owner 1\",\"parent_name\":\"Cybox-Files-Parent_Name 1\",\"parent_sha2\":\"Cybox-Files-Parent_SHA2 1\",\"path\":\"c:\\\\windows\\\\system32\\\\cybox_files_path_1.exe\",\"product_name\":\"Windows Internet Explorer 1\",\"product_path\":\"Cybox-Files-Product_Path 1\",\"rep_discovered_band\":0,\"rep_discovered_date\":1613021404000,\"rep_prevalence\":12345678901,\"rep_prevalence_band\":0,\"rep_score\":12345678901,\"rep_score_band\":0,\"security_descriptor\":\"Cybox-Files-Security_Descriptor 1\",\"sha1\":\"Cybox-Files-SHA1 1\",\"sha2\":\"Cybox-Files-SHA2 1\",\"signature_company_name\":\"Cybox-Files-Signature_Company_Name 1\",\"signature_created_date\":1613021404000,\"signature_developer_uid\":\"Cybox-Files-Signature_Developer_UID 1\",\"signature_fingerprints\":[{\"algorithm\":\"Cybox-Files-Signature_Fingerprints-Algorithm 1\",\"value\":\"Cybox-Files-Signature_Fingerprints-Value 1\"},{\"algorithm\":\"Cybox-Files-Signature_Fingerprints-Algorithms 1\",\"value\":\"Cybox-Files-Signature_Fingerprints-Values 1\"}],\"signature_issuer\":\"Cybox-Files-Signature_Issuer 1\",\"signature_level_id\":0,\"signature_serial_number\":\"Cybox-Files-Signature_Serial_Number 1\",\"signature_value\":12345678901,\"signature_value_ids\":[0,1,2,3,4,5,6,7,8,9,10],\"size\":12345678901,\"size_compressed\":12345678901,\"src_ip\":\"81.2.69.142\",\"src_name\":\"Cybox-Files-SRC_Name 1\",\"type_id\":1,\"uid\":\"Cybox-Files-UID 1\",\"url\":{\"categories\":[\"Cybox-Files-URL-Category 1\",\"Cybox-Files-URL-Categories 1\"],\"category_ids\":[1,3,4,5,6,7,9,11,14,15,16,17,18,20,21,22,23,24,25,26,27,29,30,31,32,33,34,35,36,37,38,40,43,44,45,46,47,49,50,51,52,53,54,55,56,57,58,59,60,61,63,64,65,66,67,68,71,83,84,85,86,87,88,89,90,92,93,95,96,97,98],\"extension\":\"Cybox-Files-URL-Extension 1\",\"host\":\"www.files-url-host-1.com\",\"method\":\"Cybox-Files-URL-Method 1\",\"parent_categories\":[\"Cybox-Files-URL-Parent_Category 1\",\"Cybox-Files-URL-Parent_Categories 1\"],\"path\":\"/download/trouble/cybox/files/url/path/1\",\"port\":80,\"provider\":\"Cybox-Files-URL-Provider 1\",\"query\":\"q=bad&sort=date_1\",\"referrer\":\"Cybox-Files-URL-Referrer 1\",\"referrer_categories\":[\"Cybox-Files-URL-Referrer_Category 1\",\"Cybox-Files-URL-Referrer_Categories 1\"],\"referrer_category_ids\":[12345678901,67890123451],\"rep_score_id\":0,\"scheme\":\"Cybox-Files-URL-Scheme 1\",\"text\":\"www.files-url-text-1.com/download/trouble\"},\"version\":\"Cybox-Files-Version 1\",\"xattributes\":{\"ads_name\":\"Cybox-Files-XAttributes-ADS_Name 1\",\"ads_size\":\"Cybox-Files-XAttributes-ADS_Size 1\",\"dacl\":\"Cybox-Files-XAttributes-DACL 1\",\"owner\":\"Cybox-Files-XAttributes-Owner 1\",\"primary_group\":\"Cybox-Files-XAttributes-Primary_Group 1\",\"link_name\":\"Cybox-Files-XAttributes-Link_Name 1\",\"hard_link_count\":\"Cybox-Files-XAttributes-Hard_Link_Count 1\",\"Unix_permissions\":\"Cybox-Files-XAttributes-Unix_Permissions 1\"}},{\"accessed\":1613021404000,\"accessor\":\"Cybox-Files-Accessor 2\",\"attribute_ids\":[11,12,13,14,15,16,17],\"attributes\":12345678902,\"company_name\":\"Microsoft Corporation 2\",\"confidentiality_id\":1,\"content_type\":{\"family_id\":1,\"subtype\":\"Cybox-Files-Content_Type-SubType 2\",\"type_id\":1},\"created\":1613021404000,\"creator\":\"Cybox-Files-Creator 2\",\"creator_process\":\"Cybox-Files-Creator_Process 2\",\"desc\":\"Cybox-Files-Desc 2\",\"folder\":\"c:\\\\windows\\\\system32\\\\cybox\\files\\folder\\\\2\",\"folder_uid\":\"Cybox-Files-Folder_UID 2\",\"is_system\":true,\"md5\":\"Cybox-Files-MD5 2\",\"mime_type\":\"Cybox-Files-MIME_Type 2\",\"modified\":1613021404000,\"modifier\":\"Cybox-Files-Modifier 2\",\"name\":\"cybox_files_name_2.exe\",\"normalized_path\":\"CSIDL_SYSTEM\\\\cybox_files_normalized_path_2.exe\",\"original_name\":\"Cybox-Files-Original_Name 2\",\"owner\":\"Cybox-Files-Owner 2\",\"parent_name\":\"Cybox-Files-Parent_Name 2\",\"parent_sha2\":\"Cybox-Files-Parent_SHA2 2\",\"path\":\"c:\\\\windows\\\\system32\\\\cybox_files_path_2.exe\",\"product_name\":\"Windows Internet Explorer 2\",\"product_path\":\"Cybox-Files-Product_Path 2\",\"rep_discovered_band\":1,\"rep_discovered_date\":1613021404000,\"rep_prevalence\":12345678902,\"rep_prevalence_band\":1,\"rep_score\":12345678902,\"rep_score_band\":1,\"security_descriptor\":\"Cybox-Files-Security_Descriptor 2\",\"sha1\":\"Cybox-Files-SHA1 2\",\"sha2\":\"Cybox-Files-SHA2 2\",\"signature_company_name\":\"Cybox-Files-Signature_Company_Name 2\",\"signature_created_date\":1613021404000,\"signature_developer_uid\":\"Cybox-Files-Signature_Developer_UID 2\",\"signature_fingerprints\":[{\"algorithm\":\"Cybox-Files-Signature_Fingerprints-Algorithm 2\",\"value\":\"Cybox-Files-Signature_Fingerprints-Value 2\"},{\"algorithm\":\"Cybox-Files-Signature_Fingerprints-Algorithms 2\",\"value\":\"Cybox-Files-Signature_Fingerprints-Values 2\"}],\"signature_issuer\":\"Cybox-Files-Signature_Issuer 2\",\"signature_level_id\":1,\"signature_serial_number\":\"Cybox-Files-Signature_Serial_Number 2\",\"signature_value\":12345678902,\"signature_value_ids\":[11,12,13,14,15,16,17,18,19,20,21,22,23,24,25],\"size\":12345678902,\"size_compressed\":12345678902,\"src_ip\":\"81.2.69.144\",\"src_name\":\"Cybox-Files-SRC_Name 2\",\"type_id\":1,\"uid\":\"Cybox-Files-UID 2\",\"url\":{\"categories\":[\"Cybox-Files-URL-Category 2\",\"Cybox-Files-URL-Categories 2\"],\"category_ids\":[101,102,103,104,105,106,107,108,109,110,111,112,113,114,116,117,118,121,124],\"extension\":\"Cybox-Files-URL-Extension 2\",\"host\":\"www.files-url-host-2.com\",\"method\":\"Cybox-Files-URL-Method 2\",\"parent_categories\":[\"Cybox-Files-URL-Parent_Category 2\",\"Cybox-Files-URL-Parent_Categories 2\"],\"path\":\"/download/trouble/cybox/files/url/path/2\",\"port\":81,\"provider\":\"Cybox-Files-URL-Provider 2\",\"query\":\"q=bad&sort=date_2\",\"referrer\":\"Cybox-Files-URL-Referrer 2\",\"referrer_categories\":[\"Cybox-Files-URL-Referrer_Category 2\",\"Cybox-Files-URL-Referrer_Categories 2\"],\"referrer_category_ids\":[12345678902,67890123452],\"rep_score_id\":1,\"scheme\":\"Cybox-Files-URL-Scheme 2\",\"text\":\"www.files-url-text-2.com/download/trouble\"},\"version\":\"Cybox-Files-Version 2\",\"xattributes\":{\"ads_name\":\"Cybox-Files-XAttributes-ADS_Name 2\",\"ads_size\":\"Cybox-Files-XAttributes-ADS_Size 2\",\"dacl\":\"Cybox-Files-XAttributes-DACL 2\",\"owner\":\"Cybox-Files-XAttributes-Owner 2\",\"primary_group\":\"Cybox-Files-XAttributes-Primary_Group 2\",\"link_name\":\"Cybox-Files-XAttributes-Link_Name 2\",\"hard_link_count\":\"Cybox-Files-XAttributes-Hard_Link_Count 2\",\"Unix_permissions\":\"Cybox-Files-XAttributes-Unix_Permissions 2\"}}],\"hostnames\":[\"Cybox-Hostname 1\",\"Cybox-Hostnames 1\"],\"icap_reqmod\":[{\"metadata\":{\"field1_keyword\":\"Cybox-ICAP_ReqMod-field1_Keyword\",\"field1_number\":12345678901,\"field1_boolean\":true,\"field1_ip\":\"175.16.199.0\"},\"service\":\"Cybox-ICAP_ReqMod-Service 1\",\"status\":\"Cybox-ICAP_ReqMod-Status 1\",\"status_detail\":\"Cybox-ICAP_ReqMod-Status_Detail 1\"},{\"metadata\":{\"field2_keyword\":\"Cybox-ICAP_ReqMod-field2_Keyword\",\"field2_number\":12345678902,\"field2_boolean\":true,\"field2_ip\":\"175.16.199.0\"},\"service\":\"Cybox-ICAP_ReqMod-Service 2\",\"status\":\"Cybox-ICAP_ReqMod-Status 2\",\"status_detail\":\"Cybox-ICAP_ReqMod-Status_Detail 2\"}],\"icap_respmod\":[{\"metadata\":{\"field1_keyword\":\"Cybox-ICAP_RespMod-field1_Keyword\",\"field1_number\":12345678901,\"field1_boolean\":true,\"field1_ip\":\"175.16.199.0\"},\"service\":\"Cybox-ICAP_RespMod-Service 1\",\"status\":\"Cybox-ICAP_RespMod-Status 1\",\"status_detail\":\"Cybox-ICAP_RespMod-Status_Detail 1\"},{\"metadata\":{\"field2_keyword\":\"Cybox-ICAP_RespMod-field2_Keyword\",\"field2_number\":12345678902,\"field2_boolean\":true,\"field2_ip\":\"175.16.199.0\"},\"service\":\"Cybox-ICAP_RespMod-Service 2\",\"status\":\"Cybox-ICAP_RespMod-Status 2\",\"status_detail\":\"Cybox-ICAP_RespMod-Status_Detail 2\"}],\"ipv4s\":[\"175.16.199.0\",\"175.16.199.0\"],\"ipv6s\":[\"2a02:cf40::\",\"2a02:cf40::\"],\"macs\":[\"00:B0:D0:63:C2:05\",\"00:B0:D0:63:C2:06\"],\"urls\":[{\"categories\":[\"Cybox-URLs-Category 1\",\"Cybox-URLs-Categories 1\"],\"category_ids\":[1,3,4,5,6,7,9,11,14,15,16,17,18,20,21,22,23,24,25,26,27,29,30,31,32,33,34,35,36,37,38,40,43,44,45,46,47,49,50,51,52,53,54,55,56,57,58,59,60,61,63,64,65,66,67,68,71,83,84,85,86,87,88,89,90,92,93,95,96,97,98],\"extension\":\"Cybox-URLs-Extension 1\",\"host\":\"www.urls-host-1.com\",\"method\":\"Cybox-URLs-Method 1\",\"parent_categories\":[\"Cybox-URLs-Parent_Category 1\",\"Cybox-URLs-Parent_Categories 1\"],\"path\":\"/download/trouble/cybox/urls/path/1\",\"port\":80,\"provider\":\"Cybox-URLs-Provider 1\",\"query\":\"q=bad&sort=date_1\",\"referrer\":\"Cybox-URLs-Referrer 1\",\"referrer_categories\":[\"Cybox-URLs-Referrer_Category 1\",\"Cybox-URLs-Referrer_Categories 1\"],\"referrer_category_ids\":[12345678901,67890123451],\"rep_score_id\":0,\"scheme\":\"Cybox-URLs-Scheme 1\",\"text\":\"www.urls-text-1.com/download/trouble\"},{\"categories\":[\"Cybox-URLs-Category 2\",\"Cybox-URLs-Categories 2\"],\"category_ids\":[101,102,103,104,105,106,107,108,109,110,111,112,113,114,116,117,118,121,124],\"extension\":\"Cybox-URLs-Extension 2\",\"host\":\"www.urls-host-2.com\",\"method\":\"Cybox-URLs-Method 2\",\"parent_categories\":[\"Cybox-URLs-Parent_Category 2\",\"Cybox-URLs-Parent_Categories 2\"],\"path\":\"/download/trouble/cybox/urls/path/2\",\"port\":81,\"provider\":\"Cybox-URLs-Provider 2\",\"query\":\"q=bad&sort=date_2\",\"referrer\":\"Cybox-URLs-Referrer 2\",\"referrer_categories\":[\"Cybox-URLs-Referrer_Category 2\",\"Cybox-URLs-Referrer_Categories 2\"],\"referrer_category_ids\":[12345678902,67890123452],\"rep_score_id\":1,\"scheme\":\"Cybox-URLs-Scheme 2\",\"text\":\"www.urls-text-2.com/download/trouble\"}]},\"device_alias_name\":\"Device_Alias_Name\",\"device_cap\":\"Device_Cap\",\"device_cloud_vm\":{\"autoscale_uid\":\"Device_Cloud_VM-Autoscale_UID\",\"dc_region\":\"Device_Cloud_VM-DC_Region\",\"instance_uid\":\"Device_Cloud_VM-Instance_UID\",\"subnet_uid\":\"Device_Cloud_VM-Subnet_UID\",\"vpc_uid\":\"Device_Cloud_VM-VPC_UID\"},\"device_desc\":\"Device_Desc\",\"device_domain\":\"device.domain.internal.somecompany.com\",\"device_domain_uid\":\"Device_Domain_UID\",\"device_end_time\":1613021404000,\"device_gateway\":\"175.16.199.0\",\"device_group\":\"Device_Group\",\"device_group_name\":\"Device_Group_Name\",\"device_hw_bios_date\":\"03/31/16\",\"device_hw_bios_manufacturer\":\"LENOVO\",\"device_hw_bios_ver\":\"LENOVO G5ETA2WW (2.62)\",\"device_hw_cpu_type\":\"x86 Family 6 Model 37 Stepping 5\",\"device_imei\":\"Device_IMEI\",\"device_ip\":\"175.16.199.0\",\"device_is_compliant\":true,\"device_is_personal\":true,\"device_is_trusted\":true,\"device_is_unmanaged\":true,\"device_location\":{\"city\":\"Device_Location-City\",\"continent\":\"Device_Location-Continent\",\"coordinates\":[-12.345,56.789],\"country\":\"US\",\"desc\":\"Device_Location-Desc\",\"isp\":\"Device_Location-ISP\",\"on_premises\":true,\"region\":\"US-CA\"},\"device_mac\":\"00:B0:D0:63:C2:07\",\"device_name\":\"device.name.computer.domain\",\"device_name_md5\":\"4ED962DDBF17E2BBA7B14EBC00F3162E\",\"device_networks\":[{\"bssid\":\"Device_Networks-BSSID 1\",\"gateway_ip\":\"175.16.199.0\",\"gateway_mac\":\"00:B0:D0:63:C2:08\",\"ipv4\":\"175.16.199.0\",\"ipv6\":\"2a02:cf40::\",\"is_public\":true,\"mac\":\"00:B0:D0:63:C2:09\",\"rep_score_id\":0,\"ssid\":\"Device_Networks-SSID 1\",\"type_id\":0},{\"bssid\":\"Device_Networks-BSSID 2\",\"gateway_ip\":\"89.160.20.112\",\"gateway_mac\":\"00:B0:D0:63:C2:10\",\"ipv4\":\"89.160.20.112\",\"ipv6\":\"2a02:cf40::\",\"is_public\":true,\"mac\":\"00:B0:D0:63:C2:11\",\"rep_score_id\":1,\"ssid\":\"Device_Networks-SSID 2\",\"type_id\":1}],\"device_org_unit\":\"Device_Org_Unit\",\"device_os_bits\":12345678901,\"device_os_build\":\"Device_OS_Build\",\"device_os_country\":\"IN\",\"device_os_edition\":\"Professional\",\"device_os_lang\":\"en\",\"device_os_name\":\"Windows Server 2019 Standard Edition\",\"device_os_sp_name\":\"Device_OS_SP_Name\",\"device_os_sp_ver\":\"Device_OS_SP_Ver\",\"device_os_type_id\":0,\"device_os_ver\":\"Windows 10\",\"device_proxy_ip\":\"89.160.20.112\",\"device_proxy_name\":\"Device_Proxy_Name\",\"device_public_ip\":\"89.160.20.112\",\"device_ref_uid\":\"Device_Ref_UID\",\"device_site\":\"Device_Site\",\"device_subnet\":\"81.2.69.144\",\"device_time\":1613021404000,\"device_type\":\"server\",\"device_uid\":\"Device_UID\",\"device_vhost\":\"Device_VHost\",\"device_vhost_id\":0,\"domain_uid\":\"Domain_UID\",\"end_time\":\"2024-02-29T01:00:00.000Z\",\"entity\":{\"data\":{\"field1_keyword\":\"Entity-Data-field1_Keyword\",\"field1_number\":12345678901,\"field1_boolean\":true},\"name\":\"Entity-Name\",\"type\":\"Entity-Type\",\"uid\":\"Entity-UID\",\"version\":\"Entity-Version\"},\"event_id\":2001,\"events\":[{\"connection\":{\"direction_id\":1,\"dst_service\":\"C:\\\\Windows\\\\system32\\\\NTOSKRNL.EXE\",\"src_ip\":\"159.19.163.218\"},\"count\":1,\"device_end_time\":1709225074618,\"device_time\":1709225074618}],\"feature_name\":\"Feature_Name\",\"feature_path\":\"Feature_Path\",\"feature_type\":\"Feature_Type\",\"feature_uid\":\"Feature_UID\",\"feature_ver\":\"2014.1.4.25\",\"id\":12345678901,\"impersonator_customer_uid\":\"Impersonator_Customer_UID\",\"impersonator_domain_uid\":\"Impersonator_Domain_UID\",\"impersonator_user_uid\":\"Impersonator_User_UID\",\"is_user_present\":true,\"log_level\":\"Log Level\",\"log_name\":\"Log_Name\",\"log_time\":\"2024-02-29T01:00:00.000Z\",\"logging_device_ip\":\"89.160.20.112\",\"logging_device_name\":\"Logging_Device_Name\",\"logging_device_post_time\":1613021404000,\"logging_device_ref_uid\":\"Logging_Device_Ref_UID\",\"message\":\"Message\",\"message_code\":\"Message_Code\",\"message_id\":0,\"org_unit_uid\":\"Org_Unit_UID\",\"orig_data\":\"Orig_Data\",\"product_data\":{\"sep_domain_uid\":\"Product_Data-Sep_Domain_UID\",\"sep_hw_uid\":\"Product_Data-Sep_HW_UID\"},\"product_lang\":\"en\",\"product_name\":\"Symantec Endpoint Security\",\"product_uid\":\"Product_UID\",\"product_ver\":\"2014.1.4.25-beta\",\"proxy_device_ip\":\"89.160.20.112\",\"proxy_device_name\":\"Proxy_Device_Name\",\"raw_data\":{\"assetID\":\"vc9DagprQYyLZ23SEY1APw\",\"assetOpstateDTO\":{\"productUuid\":\"31B0C880-0229-49E8-94C5-48D56B1BD7B9\",\"features\":[{\"uuid\":\"1DF0351C-146D-4F07-B155-BF5C7077FF40\",\"featureStatus\":\"SECURE\",\"opstate\":{\"EDRContentSequence\":\"20231128005\",\"EDREngineVersion\":\"4.11.0.10\",\"EDRFramworkVersion\":\"4.10.0.59\",\"FDRStatus\":true,\"LowDiskSpace\":false,\"MaxDBSizeHonored\":true,\"applied_policy\":{\"effective_date\":1709219437080,\"sha2\":\"ee6b0bebbc4575b507ac616d2c362f2c54d462b92cf4068cb6681ae3187d4de3\",\"uid\":\"7dc29d40-f303-477a-9012-287ef252a391\",\"version\":\"16\"},\"disk_usage_mb\":1546,\"fdr_first_event_date\":\"20240227\",\"fdr_state\":1},\"state\":\"ENABLED\",\"statusReason\":[\"-107\",\"0\"],\"prevention_state\":\"1\"}],\"products_active\":0,\"blades\":0}},\"ref_log_name\":\"Ref_Log_Name\",\"ref_log_time\":\"2024-02-29T01:00:00.000Z\",\"ref_orig_uid\":\"Ref_Orig_UID\",\"ref_uid\":\"Ref_UID\",\"remediated\":true,\"remediation\":\"Remediation\",\"remediation_ref\":\"Remediation_Ref\",\"remediation_uid\":0,\"seq_num\":12345678901,\"sessions\":[{\"auth_protocol_id\":0,\"cleartext_credentials\":true,\"direction_id\":0,\"id\":12345678901,\"is_admin\":true,\"logon_type_id\":1,\"port\":80,\"previous_users\":[\"Sessions-Previous_User 1\",\"Sessions-Previous_Users 1\"],\"remote\":true,\"remote_host\":\"Sessions-Remote_Host 1\",\"remote_ip\":\"89.160.20.112\",\"user\":{\"account_disabled\":true,\"cloud_resource_uid\":\"Sessions-User-Cloud_Resource_UID 1\",\"domain\":\"Sessions-User-Domain 1\",\"external_account_uid\":\"Sessions-User-External_Account_UID 1\",\"external_uid\":\"Sessions-User-External_UID 1\",\"full_name\":\"Sessions-User-Full_Name 1\",\"groups\":[\"Sessions-User-Group 1\",\"Sessions-User-Groups 1\"],\"home\":\"Sessions-User-Home 1\",\"is_admin\":true,\"logon_name\":\"Sessions-User-Logon_Name 1\",\"name\":\"session-User-Name 1\",\"password_expires\":true,\"shell\":\"Sessions-User-Shell 1\",\"sid\":\"Sessions-User-SID 1\",\"uid\":\"Sessions-User-UID 1\"}},{\"auth_protocol_id\":1,\"cleartext_credentials\":true,\"direction_id\":1,\"id\":67890123451,\"is_admin\":true,\"logon_type_id\":2,\"port\":81,\"previous_users\":[\"Sessions-Previous_User 2\",\"Sessions-Previous_Users 2\"],\"remote\":true,\"remote_host\":\"Sessions-Remote_Host 2\",\"remote_ip\":\"89.160.20.112\",\"user\":{\"account_disabled\":true,\"cloud_resource_uid\":\"Sessions-User-Cloud_Resource_UID 2\",\"domain\":\"Sessions-User-Domain 2\",\"external_account_uid\":\"Sessions-User-External_Account_UID 2\",\"external_uid\":\"Sessions-User-External_UID 2\",\"full_name\":\"Sessions-User-Full_Name 2\",\"groups\":[\"Sessions-User-Group 2\",\"Sessions-User-Groups 2\"],\"home\":\"Sessions-User-Home 2\",\"is_admin\":true,\"logon_name\":\"Sessions-User-Logon_Name 2\",\"name\":\"session-User-Name 2\",\"password_expires\":true,\"shell\":\"Sessions-User-Shell 2\",\"sid\":\"Sessions-User-SID 2\",\"uid\":\"Sessions-User-UID 2\"}}],\"severity_id\":0,\"source\":{\"facility\":\"Source-Facility\",\"facility_detail\":\"Source-Facility_Detail\",\"facility_uid\":\"Source-Facility_UID\",\"type_id\":1},\"status_detail\":\"Status_Detail\",\"status_id\":0,\"status_os\":\"Status_OS\",\"status_os_src\":12345678901,\"status_stack_trace\":\"Status_Stack_Trace\",\"status_thread_name\":\"Status_Thread_Name\",\"stic_has_pii\":true,\"stic_hw_uid\":\"STIC_HW_UID\",\"stic_ip_hash\":\"STIC_IP_Hash\",\"stic_legacy_ent_uids\":[\"STIC_Legacy_Ent_UIDs 1\",\"STIC_Legacy_Ent_UIDs 2\"],\"stic_legacy_hw_uids\":[\"STIC_Legacy_HW_UIDs 1\",\"STIC_Legacy_HW_UIDs 2\"],\"stic_legacy_uids\":[\"STIC_Legacy_UIDs 1\",\"STIC_Legacy_UIDs 2\"],\"stic_schema_id\":\"STIC_Schema_ID\",\"stic_uid\":\"STIC_UID\",\"stic_version\":\"STIC_Version\",\"subfeature_name\":\"Subfeature_Name\",\"time\":\"2024-02-29T02:00:00Z\",\"timezone\":12345678901,\"type\":\"Type\",\"type_id\":2,\"user\":{\"account_disabled\":true,\"cloud_resource_uid\":\"User-Cloud_Resource_UID\",\"domain\":\"User-Domain\",\"external_account_uid\":\"User-External_Account_UID\",\"external_uid\":\"User-External_UID\",\"full_name\":\"User-Full_Name\",\"groups\":[\"User-Group 1\",\"User-Groups 1\"],\"home\":\"User-Home\",\"is_admin\":true,\"logon_name\":\"User-Logon_Name\",\"name\":\"User123\",\"password_expires\":true,\"shell\":\"User-Shell\",\"sid\":\"TT23009\",\"uid\":\"UU34899825\"},\"user_name\":\"Mohit\",\"user_uid\":\"AB45698\",\"uuid\":\"SR-1565234545\",\"version\":\"1.4\"}",
        "sequence": [
            12345678901
        ],
        "severity": 0
    },
    "file": {
        "accessed": [
            "2021-02-11T05:30:04.000Z"
        ],
        "created": [
            "2021-02-11T05:30:04.000Z"
        ],
        "hash": {
            "md5": [
                "HFDajsdf3254345436",
                "Cybox-Files-MD5 2"
            ],
            "sha1": [
                "Cybox-Files-SHA1 1",
                "Cybox-Files-SHA1 2"
            ]
        },
        "mime_type": [
            "Cybox-Files-MIME_Type 1",
            "Cybox-Files-MIME_Type 2"
        ],
        "name": [
            "cybox_files_name_1.exe",
            "cybox_files_name_2.exe"
        ],
        "path": [
            "c:\\windows\\system32\\cybox_files_path_1.exe",
            "c:\\windows\\system32\\cybox_files_path_2.exe"
        ],
        "size": [
            12345678901,
            12345678902
        ],
        "x509": {
            "issuer": {
                "distinguished_name": [
                    "Cybox-Files-Signature_Issuer 1",
                    "Cybox-Files-Signature_Issuer 2"
                ]
            },
            "serial_number": [
                "Cybox-Files-Signature_Serial_Number 1",
                "Cybox-Files-Signature_Serial_Number 2"
            ]
        }
    },
    "host": {
        "architecture": "x86 Family 6 Model 37 Stepping 5",
        "geo": {
            "city_name": "Device_Location-City",
            "continent_name": "Device_Location-Continent",
            "country_iso_code": "US",
            "region_name": "US-CA"
        },
        "os": {
            "name": "Windows Server 2019 Standard Edition",
            "version": [
                "Device_OS_Build"
            ]
        },
        "type": [
            "server"
        ]
    },
    "input": {
        "type": "aws-s3"
    },
    "log": {
        "file": {
            "path": "https://elastic-package-symantec-endpoint-security-bucket-27504.s3.us-east-1.amazonaws.com/events.log"
        },
        "level": [
            "Log Level"
        ],
        "logger": "Log_Name",
        "offset": 0
    },
    "message": "Message",
    "process": {
        "thread": {
            "name": [
                "Status_Thread_Name"
            ]
        }
    },
    "related": {
        "hash": [
            "4ED962DDBF17E2BBA7B14EBC00F3162E",
            "HFDajsdf3254345436",
            "Cybox-Files-MD5 2",
            "Cybox-Files-SHA1 1",
            "Cybox-Files-SHA1 2"
        ],
        "ip": [
            "175.16.199.0",
            "89.160.20.112",
            "81.2.69.144",
            "81.2.69.142",
            "2a02:cf40::"
        ],
        "user": [
            "AB45698",
            "Mohit",
            "UU34899825",
            "User123"
        ]
    },
    "ses": {
        "category_id": "3",
        "category_name": "Application Activity",
        "collector_device_name": "Collector_Device_Name",
        "collector_name": "Collection12",
        "collector_uid": "TT1456",
        "composite": 1,
        "container": {
            "host_name": "azure-us.local",
            "image_name": "Image-sp2133",
            "image_uid": "SH4322323",
            "name": "User12345",
            "networks": [
                {
                    "bssid": "Container-Networks-BSSID 1",
                    "gateway_ip": "89.160.20.112",
                    "gateway_mac": "00:B0:D0:63:C2:01",
                    "ipv4": "81.2.69.144",
                    "ipv6": "2a02:cf40::",
                    "is_public": true,
                    "mac": "00:B0:D0:63:C2:02",
                    "rep_score_id": "0",
                    "ssid": "SSID-4326451",
                    "type_id": "0"
                },
                {
                    "bssid": "HN0845435",
                    "gateway_ip": "81.2.69.142",
                    "gateway_mac": "00:B0:D0:63:C2:03",
                    "ipv4": "81.2.69.144",
                    "ipv6": "2a02:cf40::",
                    "is_public": true,
                    "mac": "00:B0:D0:63:C2:04",
                    "rep_score_id": "1",
                    "ssid": "Container-Networks-SSID 2",
                    "type_id": "1"
                }
            ],
            "os_name": "Windows",
            "uid": "UU35r3454"
        },
        "correlation_uid": "DD78666",
        "count": 563,
        "customer_registry_uid": "CP45254",
        "customer_uid": "CH32534",
        "cybox": {
            "domains": [
                "example.com",
                "abc.com"
            ],
            "emails": [
                {
                    "header_message_id": "Cybox-Emails-Header_Message_ID 1",
                    "header_reply_to": "Cybox-Emails-Header_Reply_To 1",
                    "sender_ip": "81.2.69.144",
                    "size": 12345678901,
                    "smtp_from": "Cybox-Emails-SMTP_From 1",
                    "smtp_hello": "Cybox-Emails-SMTP_Hello 1",
                    "smtp_to": "Cybox-Emails-SMTP_To 1"
                },
                {
                    "header_message_id": "Cybox-Emails-Header_Message_ID 2",
                    "header_reply_to": "Cybox-Emails-Header_Reply_To 2",
                    "sender_ip": "81.2.69.144",
                    "size": 12345678902,
                    "smtp_from": "Cybox-Emails-SMTP_From 2",
                    "smtp_hello": "Cybox-Emails-SMTP_Hello 2",
                    "smtp_to": "Cybox-Emails-SMTP_To 2"
                }
            ],
            "files": [
                {
                    "accessor": "Cybox-Files-Accessor 1",
                    "attribute_ids": [
                        "1",
                        "2",
                        "3",
                        "4",
                        "5",
                        "6",
                        "7",
                        "8",
                        "9",
                        "10"
                    ],
                    "attributes": 12345678901,
                    "company_name": "Microsoft Corporation",
                    "confidentiality_id": "0",
                    "content_type": {
                        "family_id": "0",
                        "subtype": "SubType 1",
                        "type_id": "0"
                    },
                    "creator": "Creator 1",
                    "creator_process": "Cybox-Files-Creator_Process 1",
                    "desc": "Cybox-Files-Desc 1",
                    "folder": "c:\\windows\\system32\\cybox\u000ciles\u000colder\\1",
                    "folder_uid": "Cybox-Files-Folder_UID 1",
                    "is_system": true,
                    "modified": "2021-02-11T05:30:04.000Z",
                    "modifier": "Cybox-Files-Modifier 1",
                    "normalized_path": "CSIDL_SYSTEM\\cybox_files_normalized_path_1.exe",
                    "original_name": "Cybox-Files-Original_Name 1",
                    "owner": "Cybox-Files-Owner 1",
                    "parent_name": "Cybox-Files-Parent_Name 1",
                    "parent_sha2": "Cybox-Files-Parent_SHA2 1",
                    "product_name": "Windows Internet Explorer 1",
                    "product_path": "Cybox-Files-Product_Path 1",
                    "rep_discovered_band": 0,
                    "rep_discovered_date": "2021-02-11T05:30:04.000Z",
                    "rep_prevalence": 12345678901,
                    "rep_prevalence_band": 0,
                    "rep_score": 12345678901,
                    "rep_score_band": 0,
                    "security_descriptor": "Cybox-Files-Security_Descriptor 1",
                    "sha2": "Cybox-Files-SHA2 1",
                    "signature_company_name": "Cybox-Files-Signature_Company_Name 1",
                    "signature_created_date": "2021-02-11T05:30:04.000Z",
                    "signature_developer_uid": "Cybox-Files-Signature_Developer_UID 1",
                    "signature_fingerprints": [
                        {
                            "algorithm": "Cybox-Files-Signature_Fingerprints-Algorithm 1",
                            "value": "Cybox-Files-Signature_Fingerprints-Value 1"
                        },
                        {
                            "algorithm": "Cybox-Files-Signature_Fingerprints-Algorithms 1",
                            "value": "Cybox-Files-Signature_Fingerprints-Values 1"
                        }
                    ],
                    "signature_level_id": "0",
                    "signature_value": 12345678901,
                    "signature_value_ids": [
                        "0",
                        "1",
                        "2",
                        "3",
                        "4",
                        "5",
                        "6",
                        "7",
                        "8",
                        "9",
                        "10"
                    ],
                    "size_compressed": 12345678901,
                    "src_ip": "81.2.69.142",
                    "src_name": "Cybox-Files-SRC_Name 1",
                    "uid": "Cybox-Files-UID 1",
                    "url": {
                        "categories": [
                            "Cybox-Files-URL-Category 1",
                            "Cybox-Files-URL-Categories 1"
                        ],
                        "category_ids": [
                            "1",
                            "3",
                            "4",
                            "5",
                            "6",
                            "7",
                            "9",
                            "11",
                            "14",
                            "15",
                            "16",
                            "17",
                            "18",
                            "20",
                            "21",
                            "22",
                            "23",
                            "24",
                            "25",
                            "26",
                            "27",
                            "29",
                            "30",
                            "31",
                            "32",
                            "33",
                            "34",
                            "35",
                            "36",
                            "37",
                            "38",
                            "40",
                            "43",
                            "44",
                            "45",
                            "46",
                            "47",
                            "49",
                            "50",
                            "51",
                            "52",
                            "53",
                            "54",
                            "55",
                            "56",
                            "57",
                            "58",
                            "59",
                            "60",
                            "61",
                            "63",
                            "64",
                            "65",
                            "66",
                            "67",
                            "68",
                            "71",
                            "83",
                            "84",
                            "85",
                            "86",
                            "87",
                            "88",
                            "89",
                            "90",
                            "92",
                            "93",
                            "95",
                            "96",
                            "97",
                            "98"
                        ],
                        "extension": "Cybox-Files-URL-Extension 1",
                        "host": "www.files-url-host-1.com",
                        "method": "Cybox-Files-URL-Method 1",
                        "parent_categories": [
                            "Cybox-Files-URL-Parent_Category 1",
                            "Cybox-Files-URL-Parent_Categories 1"
                        ],
                        "path": "/download/trouble/cybox/files/url/path/1",
                        "port": 80,
                        "provider": "Cybox-Files-URL-Provider 1",
                        "query": "q=bad&sort=date_1",
                        "referrer": "Cybox-Files-URL-Referrer 1",
                        "referrer_categories": [
                            "Cybox-Files-URL-Referrer_Category 1",
                            "Cybox-Files-URL-Referrer_Categories 1"
                        ],
                        "referrer_category_ids": [
                            "12345678901",
                            "67890123451"
                        ],
                        "rep_score_id": "0",
                        "scheme": "Cybox-Files-URL-Scheme 1",
                        "text": "www.files-url-text-1.com/download/trouble"
                    },
                    "version": "Cybox-Files-Version 1",
                    "xattributes": {
                        "Unix_permissions": "Cybox-Files-XAttributes-Unix_Permissions 1",
                        "ads_name": "Cybox-Files-XAttributes-ADS_Name 1",
                        "ads_size": "Cybox-Files-XAttributes-ADS_Size 1",
                        "dacl": "Cybox-Files-XAttributes-DACL 1",
                        "hard_link_count": "Cybox-Files-XAttributes-Hard_Link_Count 1",
                        "link_name": "Cybox-Files-XAttributes-Link_Name 1",
                        "owner": "Cybox-Files-XAttributes-Owner 1",
                        "primary_group": "Cybox-Files-XAttributes-Primary_Group 1"
                    }
                },
                {
                    "accessor": "Cybox-Files-Accessor 2",
                    "attribute_ids": [
                        "11",
                        "12",
                        "13",
                        "14",
                        "15",
                        "16",
                        "17"
                    ],
                    "attributes": 12345678902,
                    "company_name": "Microsoft Corporation 2",
                    "confidentiality_id": "1",
                    "content_type": {
                        "family_id": "1",
                        "subtype": "Cybox-Files-Content_Type-SubType 2",
                        "type_id": "1"
                    },
                    "creator": "Cybox-Files-Creator 2",
                    "creator_process": "Cybox-Files-Creator_Process 2",
                    "desc": "Cybox-Files-Desc 2",
                    "folder": "c:\\windows\\system32\\cybox\u000ciles\u000colder\\2",
                    "folder_uid": "Cybox-Files-Folder_UID 2",
                    "is_system": true,
                    "modified": "2021-02-11T05:30:04.000Z",
                    "modifier": "Cybox-Files-Modifier 2",
                    "normalized_path": "CSIDL_SYSTEM\\cybox_files_normalized_path_2.exe",
                    "original_name": "Cybox-Files-Original_Name 2",
                    "owner": "Cybox-Files-Owner 2",
                    "parent_name": "Cybox-Files-Parent_Name 2",
                    "parent_sha2": "Cybox-Files-Parent_SHA2 2",
                    "product_name": "Windows Internet Explorer 2",
                    "product_path": "Cybox-Files-Product_Path 2",
                    "rep_discovered_band": 1,
                    "rep_discovered_date": "2021-02-11T05:30:04.000Z",
                    "rep_prevalence": 12345678902,
                    "rep_prevalence_band": 1,
                    "rep_score": 12345678902,
                    "rep_score_band": 1,
                    "security_descriptor": "Cybox-Files-Security_Descriptor 2",
                    "sha2": "Cybox-Files-SHA2 2",
                    "signature_company_name": "Cybox-Files-Signature_Company_Name 2",
                    "signature_created_date": "2021-02-11T05:30:04.000Z",
                    "signature_developer_uid": "Cybox-Files-Signature_Developer_UID 2",
                    "signature_fingerprints": [
                        {
                            "algorithm": "Cybox-Files-Signature_Fingerprints-Algorithm 2",
                            "value": "Cybox-Files-Signature_Fingerprints-Value 2"
                        },
                        {
                            "algorithm": "Cybox-Files-Signature_Fingerprints-Algorithms 2",
                            "value": "Cybox-Files-Signature_Fingerprints-Values 2"
                        }
                    ],
                    "signature_level_id": "1",
                    "signature_value": 12345678902,
                    "signature_value_ids": [
                        "11",
                        "12",
                        "13",
                        "14",
                        "15",
                        "16",
                        "17",
                        "18",
                        "19",
                        "20",
                        "21",
                        "22",
                        "23",
                        "24",
                        "25"
                    ],
                    "size_compressed": 12345678902,
                    "src_ip": "81.2.69.144",
                    "src_name": "Cybox-Files-SRC_Name 2",
                    "uid": "Cybox-Files-UID 2",
                    "url": {
                        "categories": [
                            "Cybox-Files-URL-Category 2",
                            "Cybox-Files-URL-Categories 2"
                        ],
                        "category_ids": [
                            "101",
                            "102",
                            "103",
                            "104",
                            "105",
                            "106",
                            "107",
                            "108",
                            "109",
                            "110",
                            "111",
                            "112",
                            "113",
                            "114",
                            "116",
                            "117",
                            "118",
                            "121",
                            "124"
                        ],
                        "extension": "Cybox-Files-URL-Extension 2",
                        "host": "www.files-url-host-2.com",
                        "method": "Cybox-Files-URL-Method 2",
                        "parent_categories": [
                            "Cybox-Files-URL-Parent_Category 2",
                            "Cybox-Files-URL-Parent_Categories 2"
                        ],
                        "path": "/download/trouble/cybox/files/url/path/2",
                        "port": 81,
                        "provider": "Cybox-Files-URL-Provider 2",
                        "query": "q=bad&sort=date_2",
                        "referrer": "Cybox-Files-URL-Referrer 2",
                        "referrer_categories": [
                            "Cybox-Files-URL-Referrer_Category 2",
                            "Cybox-Files-URL-Referrer_Categories 2"
                        ],
                        "referrer_category_ids": [
                            "12345678902",
                            "67890123452"
                        ],
                        "rep_score_id": "1",
                        "scheme": "Cybox-Files-URL-Scheme 2",
                        "text": "www.files-url-text-2.com/download/trouble"
                    },
                    "version": "Cybox-Files-Version 2",
                    "xattributes": {
                        "Unix_permissions": "Cybox-Files-XAttributes-Unix_Permissions 2",
                        "ads_name": "Cybox-Files-XAttributes-ADS_Name 2",
                        "ads_size": "Cybox-Files-XAttributes-ADS_Size 2",
                        "dacl": "Cybox-Files-XAttributes-DACL 2",
                        "hard_link_count": "Cybox-Files-XAttributes-Hard_Link_Count 2",
                        "link_name": "Cybox-Files-XAttributes-Link_Name 2",
                        "owner": "Cybox-Files-XAttributes-Owner 2",
                        "primary_group": "Cybox-Files-XAttributes-Primary_Group 2"
                    }
                }
            ],
            "hostnames": [
                "Cybox-Hostname 1",
                "Cybox-Hostnames 1"
            ],
            "icap_reqmod": [
                {
                    "metadata": {
                        "field1_boolean": true,
                        "field1_ip": "175.16.199.0",
                        "field1_keyword": "Cybox-ICAP_ReqMod-field1_Keyword",
                        "field1_number": 12345678901
                    },
                    "service": "Cybox-ICAP_ReqMod-Service 1",
                    "status": "Cybox-ICAP_ReqMod-Status 1",
                    "status_detail": "Cybox-ICAP_ReqMod-Status_Detail 1"
                },
                {
                    "metadata": {
                        "field2_boolean": true,
                        "field2_ip": "175.16.199.0",
                        "field2_keyword": "Cybox-ICAP_ReqMod-field2_Keyword",
                        "field2_number": 12345678902
                    },
                    "service": "Cybox-ICAP_ReqMod-Service 2",
                    "status": "Cybox-ICAP_ReqMod-Status 2",
                    "status_detail": "Cybox-ICAP_ReqMod-Status_Detail 2"
                }
            ],
            "icap_respmod": [
                {
                    "metadata": {
                        "field1_boolean": true,
                        "field1_ip": "175.16.199.0",
                        "field1_keyword": "Cybox-ICAP_RespMod-field1_Keyword",
                        "field1_number": 12345678901
                    },
                    "service": "Cybox-ICAP_RespMod-Service 1",
                    "status": "Cybox-ICAP_RespMod-Status 1",
                    "status_detail": "Cybox-ICAP_RespMod-Status_Detail 1"
                },
                {
                    "metadata": {
                        "field2_boolean": true,
                        "field2_ip": "175.16.199.0",
                        "field2_keyword": "Cybox-ICAP_RespMod-field2_Keyword",
                        "field2_number": 12345678902
                    },
                    "service": "Cybox-ICAP_RespMod-Service 2",
                    "status": "Cybox-ICAP_RespMod-Status 2",
                    "status_detail": "Cybox-ICAP_RespMod-Status_Detail 2"
                }
            ],
            "ipv4s": [
                "175.16.199.0",
                "175.16.199.0"
            ],
            "ipv6s": [
                "2a02:cf40::",
                "2a02:cf40::"
            ],
            "macs": [
                "00:B0:D0:63:C2:05",
                "00:B0:D0:63:C2:06"
            ],
            "urls": [
                {
                    "categories": [
                        "Cybox-URLs-Category 1",
                        "Cybox-URLs-Categories 1"
                    ],
                    "category_ids": [
                        "1",
                        "3",
                        "4",
                        "5",
                        "6",
                        "7",
                        "9",
                        "11",
                        "14",
                        "15",
                        "16",
                        "17",
                        "18",
                        "20",
                        "21",
                        "22",
                        "23",
                        "24",
                        "25",
                        "26",
                        "27",
                        "29",
                        "30",
                        "31",
                        "32",
                        "33",
                        "34",
                        "35",
                        "36",
                        "37",
                        "38",
                        "40",
                        "43",
                        "44",
                        "45",
                        "46",
                        "47",
                        "49",
                        "50",
                        "51",
                        "52",
                        "53",
                        "54",
                        "55",
                        "56",
                        "57",
                        "58",
                        "59",
                        "60",
                        "61",
                        "63",
                        "64",
                        "65",
                        "66",
                        "67",
                        "68",
                        "71",
                        "83",
                        "84",
                        "85",
                        "86",
                        "87",
                        "88",
                        "89",
                        "90",
                        "92",
                        "93",
                        "95",
                        "96",
                        "97",
                        "98"
                    ],
                    "extension": "Cybox-URLs-Extension 1",
                    "host": "www.urls-host-1.com",
                    "method": "Cybox-URLs-Method 1",
                    "parent_categories": [
                        "Cybox-URLs-Parent_Category 1",
                        "Cybox-URLs-Parent_Categories 1"
                    ],
                    "provider": "Cybox-URLs-Provider 1",
                    "referrer": "Cybox-URLs-Referrer 1",
                    "referrer_categories": [
                        "Cybox-URLs-Referrer_Category 1",
                        "Cybox-URLs-Referrer_Categories 1"
                    ],
                    "referrer_category_ids": [
                        "12345678901",
                        "67890123451"
                    ],
                    "rep_score_id": "0"
                },
                {
                    "categories": [
                        "Cybox-URLs-Category 2",
                        "Cybox-URLs-Categories 2"
                    ],
                    "category_ids": [
                        "101",
                        "102",
                        "103",
                        "104",
                        "105",
                        "106",
                        "107",
                        "108",
                        "109",
                        "110",
                        "111",
                        "112",
                        "113",
                        "114",
                        "116",
                        "117",
                        "118",
                        "121",
                        "124"
                    ],
                    "extension": "Cybox-URLs-Extension 2",
                    "host": "www.urls-host-2.com",
                    "method": "Cybox-URLs-Method 2",
                    "parent_categories": [
                        "Cybox-URLs-Parent_Category 2",
                        "Cybox-URLs-Parent_Categories 2"
                    ],
                    "provider": "Cybox-URLs-Provider 2",
                    "referrer": "Cybox-URLs-Referrer 2",
                    "referrer_categories": [
                        "Cybox-URLs-Referrer_Category 2",
                        "Cybox-URLs-Referrer_Categories 2"
                    ],
                    "referrer_category_ids": [
                        "12345678902",
                        "67890123452"
                    ],
                    "rep_score_id": "1"
                }
            ]
        },
        "device_alias_name": "Device_Alias_Name",
        "device_cap": "Device_Cap",
        "device_cloud_vm": {
            "autoscale_uid": "Device_Cloud_VM-Autoscale_UID",
            "dc_region": "Device_Cloud_VM-DC_Region",
            "instance_uid": "Device_Cloud_VM-Instance_UID",
            "subnet_uid": "Device_Cloud_VM-Subnet_UID",
            "vpc_uid": "Device_Cloud_VM-VPC_UID"
        },
        "device_desc": "Device_Desc",
        "device_domain": "device.domain.internal.somecompany.com",
        "device_domain_uid": "Device_Domain_UID",
        "device_end_time": "2021-02-11T05:30:04.000Z",
        "device_gateway": "175.16.199.0",
        "device_group": "Device_Group",
        "device_group_name": "Device_Group_Name",
        "device_hw_bios_date": "03/31/16",
        "device_hw_bios_manufacturer": "LENOVO",
        "device_hw_bios_ver": "LENOVO G5ETA2WW (2.62)",
        "device_hw_cpu_type": "x86 Family 6 Model 37 Stepping 5",
        "device_imei": "Device_IMEI",
        "device_ip": "175.16.199.0",
        "device_is_compliant": true,
        "device_is_personal": true,
        "device_is_trusted": true,
        "device_is_unmanaged": true,
        "device_location": {
            "coordinates": [
                -12.345,
                56.789
            ],
            "desc": "Device_Location-Desc",
            "isp": "Device_Location-ISP",
            "on_premises": true
        },
        "device_mac": "00-B0-D0-63-C2-07",
        "device_name": "device.name.computer.domain",
        "device_name_md5": "4ED962DDBF17E2BBA7B14EBC00F3162E",
        "device_networks": [
            {
                "bssid": "Device_Networks-BSSID 1",
                "gateway_ip": "175.16.199.0",
                "gateway_mac": "00:B0:D0:63:C2:08",
                "ipv4": "175.16.199.0",
                "ipv6": "2a02:cf40::",
                "is_public": true,
                "mac": "00:B0:D0:63:C2:09",
                "rep_score_id": "0",
                "ssid": "Device_Networks-SSID 1",
                "type_id": "0"
            },
            {
                "bssid": "Device_Networks-BSSID 2",
                "gateway_ip": "89.160.20.112",
                "gateway_mac": "00:B0:D0:63:C2:10",
                "ipv4": "89.160.20.112",
                "ipv6": "2a02:cf40::",
                "is_public": true,
                "mac": "00:B0:D0:63:C2:11",
                "rep_score_id": "1",
                "ssid": "Device_Networks-SSID 2",
                "type_id": "1"
            }
        ],
        "device_org_unit": "Device_Org_Unit",
        "device_os_bits": 12345678901,
        "device_os_build": "Device_OS_Build",
        "device_os_country": "IN",
        "device_os_edition": "Professional",
        "device_os_lang": "en",
        "device_os_name": "Windows Server 2019 Standard Edition",
        "device_os_sp_name": "Device_OS_SP_Name",
        "device_os_sp_ver": "Device_OS_SP_Ver",
        "device_os_type_id": "0",
        "device_os_ver": "Windows 10",
        "device_proxy_ip": "89.160.20.112",
        "device_proxy_name": "Device_Proxy_Name",
        "device_public_ip": "89.160.20.112",
        "device_ref_uid": "Device_Ref_UID",
        "device_site": "Device_Site",
        "device_subnet": "81.2.69.144",
        "device_time": "2021-02-11T05:30:04.000Z",
        "device_type": "server",
        "device_uid": "Device_UID",
        "device_vhost": "Device_VHost",
        "device_vhost_id": "0",
        "domain_uid": "Domain_UID",
        "end_time": "2024-02-29T01:00:00.000Z",
        "entity": {
            "data": {
                "field1_boolean": true,
                "field1_keyword": "Entity-Data-field1_Keyword",
                "field1_number": 12345678901
            },
            "name": "Entity-Name",
            "type": "Entity-Type",
            "uid": "Entity-UID",
            "version": "Entity-Version"
        },
        "event_id": "2001",
        "events": [
            {
                "connection": {
                    "direction_id": 1,
                    "dst_service": "C:\\Windows\\system32\\NTOSKRNL.EXE",
                    "src_ip": "159.19.163.218"
                },
                "count": 1,
                "device_end_time": 1709225074618,
                "device_time": 1709225074618
            }
        ],
        "feature_name": "Feature_Name",
        "feature_path": "Feature_Path",
        "feature_type": "Feature_Type",
        "feature_uid": "Feature_UID",
        "feature_ver": "2014.1.4.25",
        "id": 12345678901,
        "impersonator_customer_uid": "Impersonator_Customer_UID",
        "impersonator_domain_uid": "Impersonator_Domain_UID",
        "impersonator_user_uid": "Impersonator_User_UID",
        "is_user_present": true,
        "log_level": "Log Level",
        "log_name": "Log_Name",
        "log_time": "2024-02-29T01:00:00.000Z",
        "logging_device_ip": "89.160.20.112",
        "logging_device_name": "Logging_Device_Name",
        "logging_device_post_time": "2021-02-11T05:30:04.000Z",
        "logging_device_ref_uid": "Logging_Device_Ref_UID",
        "message_code": "Message_Code",
        "message_id": "0",
        "org_unit_uid": "Org_Unit_UID",
        "orig_data": "Orig_Data",
        "product_data": {
            "sep_domain_uid": "Product_Data-Sep_Domain_UID",
            "sep_hw_uid": "Product_Data-Sep_HW_UID"
        },
        "product_lang": "en",
        "product_name": "Symantec Endpoint Security",
        "product_uid": "Product_UID",
        "product_ver": "2014.1.4.25-beta",
        "proxy_device_ip": "89.160.20.112",
        "proxy_device_name": "Proxy_Device_Name",
        "raw_data": {
            "assetID": "vc9DagprQYyLZ23SEY1APw",
            "assetOpstateDTO": {
                "blades": 0,
                "features": [
                    {
                        "featureStatus": "SECURE",
                        "opstate": {
                            "EDRContentSequence": "20231128005",
                            "EDREngineVersion": "4.11.0.10",
                            "EDRFramworkVersion": "4.10.0.59",
                            "FDRStatus": true,
                            "LowDiskSpace": false,
                            "MaxDBSizeHonored": true,
                            "applied_policy": {
                                "effective_date": 1709219437080,
                                "sha2": "ee6b0bebbc4575b507ac616d2c362f2c54d462b92cf4068cb6681ae3187d4de3",
                                "uid": "7dc29d40-f303-477a-9012-287ef252a391",
                                "version": "16"
                            },
                            "disk_usage_mb": 1546,
                            "fdr_first_event_date": "20240227",
                            "fdr_state": 1
                        },
                        "prevention_state": "1",
                        "state": "ENABLED",
                        "statusReason": [
                            "-107",
                            "0"
                        ],
                        "uuid": "1DF0351C-146D-4F07-B155-BF5C7077FF40"
                    }
                ],
                "productUuid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9",
                "products_active": 0
            }
        },
        "ref_log_name": "Ref_Log_Name",
        "ref_log_time": "2024-02-29T01:00:00.000Z",
        "ref_orig_uid": "Ref_Orig_UID",
        "ref_uid": "Ref_UID",
        "remediated": true,
        "remediation": "Remediation",
        "remediation_ref": "Remediation_Ref",
        "remediation_uid": "0",
        "sessions": [
            {
                "auth_protocol_id": "0",
                "cleartext_credentials": true,
                "direction_id": "0",
                "id": 12345678901,
                "is_admin": true,
                "logon_type_id": "1",
                "port": 80,
                "previous_users": [
                    "Sessions-Previous_User 1",
                    "Sessions-Previous_Users 1"
                ],
                "remote": true,
                "remote_host": "Sessions-Remote_Host 1",
                "remote_ip": "89.160.20.112",
                "user": {
                    "account_disabled": true,
                    "cloud_resource_uid": "Sessions-User-Cloud_Resource_UID 1",
                    "domain": "Sessions-User-Domain 1",
                    "external_account_uid": "Sessions-User-External_Account_UID 1",
                    "external_uid": "Sessions-User-External_UID 1",
                    "full_name": "Sessions-User-Full_Name 1",
                    "groups": [
                        "Sessions-User-Group 1",
                        "Sessions-User-Groups 1"
                    ],
                    "home": "Sessions-User-Home 1",
                    "is_admin": true,
                    "logon_name": "Sessions-User-Logon_Name 1",
                    "name": "session-User-Name 1",
                    "password_expires": true,
                    "shell": "Sessions-User-Shell 1",
                    "sid": "Sessions-User-SID 1",
                    "uid": "Sessions-User-UID 1"
                }
            },
            {
                "auth_protocol_id": "1",
                "cleartext_credentials": true,
                "direction_id": "1",
                "id": 67890123451,
                "is_admin": true,
                "logon_type_id": "2",
                "port": 81,
                "previous_users": [
                    "Sessions-Previous_User 2",
                    "Sessions-Previous_Users 2"
                ],
                "remote": true,
                "remote_host": "Sessions-Remote_Host 2",
                "remote_ip": "89.160.20.112",
                "user": {
                    "account_disabled": true,
                    "cloud_resource_uid": "Sessions-User-Cloud_Resource_UID 2",
                    "domain": "Sessions-User-Domain 2",
                    "external_account_uid": "Sessions-User-External_Account_UID 2",
                    "external_uid": "Sessions-User-External_UID 2",
                    "full_name": "Sessions-User-Full_Name 2",
                    "groups": [
                        "Sessions-User-Group 2",
                        "Sessions-User-Groups 2"
                    ],
                    "home": "Sessions-User-Home 2",
                    "is_admin": true,
                    "logon_name": "Sessions-User-Logon_Name 2",
                    "name": "session-User-Name 2",
                    "password_expires": true,
                    "shell": "Sessions-User-Shell 2",
                    "sid": "Sessions-User-SID 2",
                    "uid": "Sessions-User-UID 2"
                }
            }
        ],
        "severity_value": "Unknown",
        "source": {
            "facility": "Source-Facility",
            "facility_detail": "Source-Facility_Detail",
            "facility_uid": "Source-Facility_UID",
            "type_id": "1"
        },
        "status_detail": "Status_Detail",
        "status_id": "0",
        "status_os": "Status_OS",
        "status_os_src": 12345678901,
        "status_stack_trace": "Status_Stack_Trace",
        "status_value": "Unknown",
        "stic_has_pii": true,
        "stic_hw_uid": "STIC_HW_UID",
        "stic_ip_hash": "STIC_IP_Hash",
        "stic_legacy_ent_uids": [
            "STIC_Legacy_Ent_UIDs 1",
            "STIC_Legacy_Ent_UIDs 2"
        ],
        "stic_legacy_hw_uids": [
            "STIC_Legacy_HW_UIDs 1",
            "STIC_Legacy_HW_UIDs 2"
        ],
        "stic_legacy_uids": [
            "STIC_Legacy_UIDs 1",
            "STIC_Legacy_UIDs 2"
        ],
        "stic_schema_id": "STIC_Schema_ID",
        "stic_uid": "STIC_UID",
        "stic_version": "STIC_Version",
        "subfeature_name": "Subfeature_Name",
        "timezone": 12345678901,
        "type": "Type",
        "type_id": "2",
        "user": {
            "account_disabled": true,
            "cloud_resource_uid": "User-Cloud_Resource_UID",
            "external_account_uid": "User-External_Account_UID",
            "external_uid": "User-External_UID",
            "full_name": "User-Full_Name",
            "groups": [
                "User-Group 1",
                "User-Groups 1"
            ],
            "home": "User-Home",
            "is_admin": true,
            "logon_name": "User-Logon_Name",
            "password_expires": true,
            "shell": "User-Shell",
            "sid": "TT23009"
        },
        "version": "1.4"
    },
    "source": {
        "address": "device.name.computer.domain",
        "domain": "Device_Domain_UID",
        "ip": "175.16.199.0",
        "mac": "00-B0-D0-63-C2-07"
    },
    "tags": [
        "collect_sqs_logs",
        "preserve_original_event",
        "forwarded",
        "symantec_endpoint_security-event"
    ],
    "url": {
        "full": [
            "www.urls-text-1.com/download/trouble",
            "www.urls-text-2.com/download/trouble"
        ],
        "path": [
            "/download/trouble/cybox/urls/path/1",
            "/download/trouble/cybox/urls/path/2"
        ],
        "port": [
            80,
            81
        ],
        "query": [
            "q=bad&sort=date_1",
            "q=bad&sort=date_2"
        ],
        "scheme": [
            "Cybox-URLs-Scheme 1",
            "Cybox-URLs-Scheme 2"
        ]
    },
    "user": {
        "domain": [
            "User-Domain"
        ],
        "id": "UU34899825",
        "name": "User123"
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
aws.s3.bucket.arn
The AWS S3 bucket ARN.
keyword
aws.s3.bucket.name
The AWS S3 bucket name.
keyword
aws.s3.object.key
The AWS S3 Object key.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of filebeat input.
keyword
log.offset
Log offset.
long
ses.access_mask
The access mask in platform-native format.
long
ses.access_mask_ids
The access mask values.
keyword
ses.access_scope_id
The scope of the requested access.
keyword
ses.activity_id
The process activity.
keyword
ses.actor.app_name
A label that may be associated with this process, for example, the name of the containment sandbox assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.).
keyword
ses.actor.app_uid
The identifier of the application that may be associated with this process.
keyword
ses.actor.app_ver
The version of the application that may be associated with this process.
keyword
ses.actor.cmd_line
The command line used to launch the startup application, service, process or job.
keyword
ses.actor.file.accessed
The time that the file was last accessed.
date
ses.actor.file.accessor
The name of the user who last accessed the object.
keyword
ses.actor.file.attribute_ids
The array of file attributes.
keyword
ses.actor.file.attributes
The bitmask value that represents the file attributes.
long
ses.actor.file.company_name
The name of the company that published the file.
keyword
ses.actor.file.confidentiality_id
The file content confidentiality indicator.
keyword
ses.actor.file.content_type.family_id
The top level file classification.
keyword
ses.actor.file.content_type.subtype
The specific format for the type of data.
keyword
ses.actor.file.content_type.type_id
The general type of a file.
keyword
ses.actor.file.created
The time that the file was created.
date
ses.actor.file.creator
The name of the user who created the file.
keyword
ses.actor.file.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.actor.file.desc
The description of the file, as returned by file system.
keyword
ses.actor.file.folder
The parent folder in which the file resides.
keyword
ses.actor.file.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.actor.file.is_system
The indication of whether the object is part of the operating system.
boolean
ses.actor.file.md5
The MD5 checksum of the object content.
keyword
ses.actor.file.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.actor.file.modified
The time when the file was last modified.
date
ses.actor.file.modifier
The name of the user who last modified the file.
keyword
ses.actor.file.name
The name of the file.
keyword
ses.actor.file.normalized_path
The CSIDL normalized path name.
keyword
ses.actor.file.original_name
The original name of the file.
keyword
ses.actor.file.owner
The owner of the file.
keyword
ses.actor.file.parent_name
The name of the file that contains this file.
keyword
ses.actor.file.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.actor.file.path
The full path to the file.
keyword
ses.actor.file.product_name
The name of the product that includes the file.
keyword
ses.actor.file.product_path
The path to the product that includes the file.
keyword
ses.actor.file.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.actor.file.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.actor.file.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.actor.file.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.actor.file.rep_score
The reputation score of the file.
long
ses.actor.file.rep_score_band
The file reputation score fuzzed band number.
long
ses.actor.file.security_descriptor
The object security descriptor.
keyword
ses.actor.file.sha1
The SHA-1 checksum of the object content.
keyword
ses.actor.file.sha2
The SHA-256 checksum of the object content.
keyword
ses.actor.file.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.actor.file.signature_created_date
The date and time when the signature was created.
date
ses.actor.file.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.actor.file.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.actor.file.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.actor.file.signature_issuer
The issuer of the object signature.
keyword
ses.actor.file.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.actor.file.signature_serial_number
The object serial number.
keyword
ses.actor.file.signature_value
The digital signature bitmask.
long
ses.actor.file.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.actor.file.size
The size of the object, in bytes.
long
ses.actor.file.size_compressed
The compressed size of the object, in bytes.
long
ses.actor.file.src_ip
The IP address of the host where the file resides.
ip
ses.actor.file.src_name
The name of the host where the file resides.
keyword
ses.actor.file.type_id
The file type.
keyword
ses.actor.file.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.actor.file.url.categories
The array of URL categories.
keyword
ses.actor.file.url.category_ids
The array of URL categories.
keyword
ses.actor.file.url.extension
Document extension from the original URL requested.
keyword
ses.actor.file.url.host
The URL host as extracted from the URL.
keyword
ses.actor.file.url.method
The HTTP method used in the URL request.
keyword
ses.actor.file.url.parent_categories
The array of parent URL categories.
keyword
ses.actor.file.url.path
The URL path as extracted from the URL.
keyword
ses.actor.file.url.port
The URL port.
long
ses.actor.file.url.provider
The origin of the reputation and category information.
keyword
ses.actor.file.url.query
The query portion of the URL.
keyword
ses.actor.file.url.referrer
The address accessed prior to this one.
keyword
ses.actor.file.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.actor.file.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.actor.file.url.rep_score_id
The reputation score of the URL.
keyword
ses.actor.file.url.scheme
The scheme portion of the URL.
keyword
ses.actor.file.url.text
The URL.
keyword
ses.actor.file.version
The file version.
keyword
ses.actor.file.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.actor.integrity_id
The process integrity level (Windows only).
keyword
ses.actor.lineage
The lineage of the actor process.
keyword
ses.actor.loaded_modules
The list of loaded module names.
keyword
ses.actor.module.accessed
The time that the file was last accessed.
date
ses.actor.module.accessor
The name of the user who last accessed the object.
keyword
ses.actor.module.attribute_ids
The array of file attributes.
keyword
ses.actor.module.attributes
The bitmask value that represents the file attributes.
long
ses.actor.module.base_address
The memory address where the module was loaded.
keyword
ses.actor.module.company_name
The name of the company that published the file.
keyword
ses.actor.module.confidentiality_id
The file content confidentiality indicator.
keyword
ses.actor.module.content_type.family_id
The top level file classification.
keyword
ses.actor.module.content_type.subtype
The specific format for the type of data.
keyword
ses.actor.module.content_type.type_id
The general type of a file.
keyword
ses.actor.module.created
The time that the module was created.
date
ses.actor.module.creator
The name of the user who created the module.
keyword
ses.actor.module.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.actor.module.desc
The description of the file, as returned by file system.
keyword
ses.actor.module.folder
The parent folder in which the file resides.
keyword
ses.actor.module.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.actor.module.is_system
The indication of whether the object is part of the operating system.
boolean
ses.actor.module.load_type
The load type describes how the module was loaded in memory.
keyword
ses.actor.module.load_type_id
The load type identifies how the module was loaded in memory.
keyword
ses.actor.module.md5
The MD5 checksum of the object content.
keyword
ses.actor.module.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.actor.module.modified
The time when the module was last modified.
date
ses.actor.module.modifier
The name of the user who last modified the module.
keyword
ses.actor.module.name
The name of the file.
keyword
ses.actor.module.normalized_path
The CSIDL normalized path name.
keyword
ses.actor.module.original_name
The original name of the file.
keyword
ses.actor.module.owner
The owner of the file.
keyword
ses.actor.module.parent_name
The name of the file that contains this file.
keyword
ses.actor.module.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.actor.module.path
The full path to the file.
keyword
ses.actor.module.product_name
The name of the product that includes the file.
keyword
ses.actor.module.product_path
The path to the product that includes the file.
keyword
ses.actor.module.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.actor.module.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.actor.module.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.actor.module.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.actor.module.rep_score
The reputation score of the file.
long
ses.actor.module.rep_score_band
The file reputation score fuzzed band number.
long
ses.actor.module.security_descriptor
The object security descriptor.
keyword
ses.actor.module.sha1
The SHA-1 checksum of the object content.
keyword
ses.actor.module.sha2
The SHA-256 checksum of the object content.
keyword
ses.actor.module.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.actor.module.signature_created_date
The date and time when the signature was created.
date
ses.actor.module.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.actor.module.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.actor.module.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.actor.module.signature_issuer
The issuer of the object signature.
keyword
ses.actor.module.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.actor.module.signature_serial_number
The object serial number.
keyword
ses.actor.module.signature_value
The digital signature bitmask.
long
ses.actor.module.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.actor.module.size
The size of the object, in bytes.
long
ses.actor.module.size_compressed
The compressed size of the object, in bytes.
long
ses.actor.module.src_ip
The IP address of the host where the file resides.
ip
ses.actor.module.src_name
The name of the host where the file resides.
keyword
ses.actor.module.type_id
The file type.
keyword
ses.actor.module.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.actor.module.url.categories
The array of URL categories.
keyword
ses.actor.module.url.category_ids
The array of URL categories.
keyword
ses.actor.module.url.extension
Document extension from the original URL requested.
keyword
ses.actor.module.url.host
The URL host as extracted from the URL.
keyword
ses.actor.module.url.method
The HTTP method used in the URL request.
keyword
ses.actor.module.url.parent_categories
The array of parent URL categories.
keyword
ses.actor.module.url.path
The URL path as extracted from the URL.
keyword
ses.actor.module.url.port
The URL port.
long
ses.actor.module.url.provider
The origin of the reputation and category information.
keyword
ses.actor.module.url.query
The query portion of the URL.
keyword
ses.actor.module.url.referrer
The address accessed prior to this one.
keyword
ses.actor.module.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.actor.module.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.actor.module.url.rep_score_id
The reputation score of the URL.
keyword
ses.actor.module.url.scheme
The scheme portion of the URL.
keyword
ses.actor.module.url.text
The URL.
keyword
ses.actor.module.version
The file version.
keyword
ses.actor.module.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.actor.normalized_cmd_line
The CSIDL normalized command line used to launch the startup application, service, process or job (Windows only).
keyword
ses.actor.pid
The process identifier, as reported by the operating system.
long
ses.actor.sandbox_name
The name of the containment jail (sandbox) assigned by the policy to this process/module.
keyword
ses.actor.session.auth_protocol_id
The authentication protocol.
keyword
ses.actor.session.cleartext_credentials
Indicates whether the credentials were passed in clear text.
boolean
ses.actor.session.direction_id
The direction of the initiated traffic.
keyword
ses.actor.session.id
The unique session identifier, as reported by the operating system.
keyword
ses.actor.session.is_admin
The indication of whether the user or user session is admin/root.
boolean
ses.actor.session.logon_type_id
The type of session logon.
keyword
ses.actor.session.port
The port that the remote session connects to; applicable for remote sessions only.
long
ses.actor.session.previous_users
An ordered list of the previous user names used within the session, from latest to earliest.
keyword
ses.actor.session.remote
The indication of whether the session is remote.
boolean
ses.actor.session.remote_host
The host name of the device associated with the remote session.
keyword
ses.actor.session.remote_ip
The IP address of the device associated with the remote session. The format is either IPv4 or IPv6.
ip
ses.actor.session.user.account_disabled
The indication of whether the user's account is disabled.
boolean
ses.actor.session.user.cloud_resource_uid
The cloud resource unique identifier of this user.
keyword
ses.actor.session.user.domain
The domain where the user is defined.
keyword
ses.actor.session.user.external_account_uid
The user's external account unique identifier.
keyword
ses.actor.session.user.external_uid
The user's external unique identifier.
keyword
ses.actor.session.user.full_name
The full name of the user.
keyword
ses.actor.session.user.groups
The administrative groups to which the user belongs.
keyword
ses.actor.session.user.home
The user's home directory.
keyword
ses.actor.session.user.is_admin
The indication of whether the user or user session is admin/root.
boolean
ses.actor.session.user.logon_name
The name of the authenticated principal that is associated with the event.
keyword
ses.actor.session.user.name
The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
keyword
ses.actor.session.user.password_expires
The indication of whether the user's password is configured to expire.
boolean
ses.actor.session.user.shell
The user's login shell.
keyword
ses.actor.session.user.sid
The user security identifier (SID).
keyword
ses.actor.session.user.uid
The unique identifier of the user associated with the event.
keyword
ses.actor.session_id
The user session ID from which the process was launched.
keyword
ses.actor.start_time
The time that the process started.
date
ses.actor.tid
The Identifier of the thread associated with the event, as returned by the operating system.
long
ses.actor.uid
The unique identifier of the process.
keyword
ses.actor.user.account_disabled
The indication of whether the user's account is disabled.
boolean
ses.actor.user.cloud_resource_uid
The cloud resource unique identifier of this user.
keyword
ses.actor.user.domain
The domain where the user is defined.
keyword
ses.actor.user.external_account_uid
The user's external account unique identifier.
keyword
ses.actor.user.external_uid
The user's external unique identifier.
keyword
ses.actor.user.full_name
The full name of the user.
keyword
ses.actor.user.groups
The administrative groups to which the user belongs.
keyword
ses.actor.user.home
The user's home directory.
keyword
ses.actor.user.is_admin
The indication of whether the user or user session is admin/root.
boolean
ses.actor.user.logon_name
The name of the authenticated principal that is associated with the event.
keyword
ses.actor.user.name
The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
keyword
ses.actor.user.password_expires
The indication of whether the user's password is configured to expire.
boolean
ses.actor.user.shell
The user's login shell.
keyword
ses.actor.user.sid
The user security identifier (SID).
keyword
ses.actor.user.uid
The unique identifier of the user associated with the event.
keyword
ses.actor.xattributes
An unordered collection of zero or more name/value pairs that represent a process extended attribute.
flattened
ses.actual_permissions
The permissions that were granted to the process.
long
ses.analysis
The anti-malware emulation analysis.
keyword
ses.app_name
The name of the application that may be associated with the policy change.
keyword
ses.app_uid
The identifier of the application that may be associated with the policy change.
keyword
ses.app_ver
The version of the application that may be associated with the policy change.
keyword
ses.assignee
The name of the user who is assigned to the incident.
keyword
ses.attacker_ip
The IP address of the malicious network device. The format is either IPv4 or IPv6.
ip
ses.attacks.sub_technique_name
The name of the attack sub-technique, as defined by ATT&CK MatrixTM.
keyword
ses.attacks.sub_technique_uid
The unique identifier of the attack sub-technique, as defined by ATT&CK MatrixTM.
keyword
ses.attacks.tactic_ids
The tactics that are associated with the attack technique (To be deprecated, use tactic_uids).
keyword
ses.attacks.tactic_uids
The tactics that are associated with the attack technique, as defined by ATT&CK MatrixTM.
keyword
ses.attacks.technique_name
The name of the attack technique, as defined by ATT&CK MatrixTM.
keyword
ses.attacks.technique_uid
The unique identifier of the attack technique, as defined by ATT&CK MatrixTM.
keyword
ses.audit
The audit mode of the event. When true, no remediation actions were performed.
boolean
ses.category_id
The event type category.
keyword
ses.category_name
Category name of the event.
keyword
ses.change_type_id
The reason for the policy change.
keyword
ses.channel_id
The channel that was used to update the component.
keyword
ses.client_uid
The OAUTH 2.0 Client ID.
keyword
ses.collector_device_ip
The IP address of the collector device in either IPv4 or IPv6 format.
ip
ses.collector_device_name
The name of the collector device.
keyword
ses.collector_name
The name of the collector.
keyword
ses.collector_uid
The unique identifier of the collector.
keyword
ses.command_name
The command that pertains to the event or object.
keyword
ses.command_ref_uid
The command identifier that corresponds to the original command identifier.
keyword
ses.command_uid
The command identifier that is associated with this Scan event; required if the scan was initiated by a command.
keyword
ses.comment
The user-provided comment.
keyword
ses.compliance_rule.criteria_id
The criteria that is associated with the rule.
keyword
ses.compliance_rule.desc
The description of the rule.
keyword
ses.compliance_rule.name
The name given to the rule.
keyword
ses.compliance_rule.type_id
The type of the rule.
keyword
ses.compliance_rule.uid
The unique identifier of the rule.
keyword
ses.component
The name or relative pathname of a subcomponent of the data object, if applicable.
keyword
ses.composite
The type of composite event. See the Event Logging API for more information.
long
ses.conclusion
The conclusive description of the events that are associated with the incident.
keyword
ses.config_path
The file or registry key that holds the startup application configuration.
keyword
ses.connection.bytes_download
The number of bytes downloaded from the source to the destination.
long
ses.connection.bytes_upload
The number of bytes uploaded from the source to the destination.
long
ses.connection.connection_direction_id
The direction of the initiated connection.
keyword
ses.connection.direction_id
The direction of the initiated traffic.
keyword
ses.connection.dst_ip
The IP address of the destination network connection device. The format is either IPv4 or IPv6.
ip
ses.connection.dst_location.city
The name of the city.
keyword
ses.connection.dst_location.continent
The name of the continent.
keyword
ses.connection.dst_location.coordinates
A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
float
ses.connection.dst_location.country
The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized.
keyword
ses.connection.dst_location.desc
The description of the location.
keyword
ses.connection.dst_location.isp
The name of the Internet Service Provider (ISP).
keyword
ses.connection.dst_location.on_premises
The indication of whether the location is on premises.
boolean
ses.connection.dst_location.region
The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For examples, see the region codes for the US.
keyword
ses.connection.dst_mac
The MAC address of the destination network connection device.
keyword
ses.connection.dst_name
The host name of the destination network connection device.
keyword
ses.connection.dst_port
The port number of the destination network connection.
long
ses.connection.dst_service
The destination network connection service name.
keyword
ses.connection.ether_type
The EtherType indicates which protocol is encapsulated in the payload of an Ethernet frame.
long
ses.connection.http_status
The HTTP status code returned to the client.
long
ses.connection.http_user_agent
The request header that is used to identify the operating system and web browser.
keyword
ses.connection.local
The indication of whether the connection is between two endpoints on the same device. For example, if Source IP (src_ip) and Destination IP (dst_ip) could be the same.
boolean
ses.connection.protocol_id
The network protocol as defined by RFC1340.
keyword
ses.connection.protocol_version
The version of the network protocol.
long
ses.connection.request_headers
The additional information associated with HTTP request.
flattened
ses.connection.response_headers
The additional information associated with HTTP response.
flattened
ses.connection.rpc.binding
The remote procedure call protocol family, hostname, and endpoint connection.
keyword
ses.connection.rpc.interface_op
The remote procedure call interface operation number.
long
ses.connection.rpc.interface_uid
The unique identifier of the remote procedure call interface.
keyword
ses.connection.rpc.interface_ver
The remote procedure call interface version.
keyword
ses.connection.src_ip
The IP address of the device that initiated the network connection.
ip
ses.connection.src_location.city
The name of the city.
keyword
ses.connection.src_location.continent
The name of the continent.
keyword
ses.connection.src_location.coordinates
A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
float
ses.connection.src_location.country
The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized.
keyword
ses.connection.src_location.desc
The description of the location.
keyword
ses.connection.src_location.isp
The name of the Internet Service Provider (ISP).
keyword
ses.connection.src_location.on_premises
The indication of whether the location is on premises.
boolean
ses.connection.src_location.region
The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters.
keyword
ses.connection.src_mac
The MAC address of the device that initiated the network connection.
keyword
ses.connection.src_name
The host name of the device that initiated the network connection.
keyword
ses.connection.src_port
The port number of the source device.
long
ses.connection.src_service
The source network connection service name.
keyword
ses.connection.svc_name
The service name as defined by the Internet Assigned Numbers Authority (IANA). See Service Name and Transport Protocol Port Number Registry.
keyword
ses.connection.tcp_flags
The network connection TCP header flags (i.e., control bits).
long
ses.connection.tls.cipher
The encryption algorithm.
keyword
ses.connection.tls.cipher_size
Cipher size of the OpenSSL cipher suite negotiated for the client or server connection.
long
ses.connection.tls.cipher_strength
Strength of the OpenSSL cipher suite negotiated for the client or server connection.
long
ses.connection.tls.client_certificate.end_time
The time at which the certificate becomes invalid.
date
ses.connection.tls.client_certificate.is_valid
The indication of whether the certificate is valid.
boolean
ses.connection.tls.client_certificate.issuer_name
The certificate issuer name.
keyword
ses.connection.tls.client_certificate.issuer_organization
The certificate issuer organization.
keyword
ses.connection.tls.client_certificate.serial
The certificate serial number.
keyword
ses.connection.tls.client_certificate.signature_statuses
The array of signature statuses.
keyword
ses.connection.tls.client_certificate.start_time
The time at which the certificate becomes valid.
date
ses.connection.tls.client_certificate.subject_city
The certificate subject city.
keyword
ses.connection.tls.client_certificate.subject_country
The certificate subject country.
keyword
ses.connection.tls.client_certificate.subject_email
The certificate subject email.
keyword
ses.connection.tls.client_certificate.subject_name
The certificate subject name.
keyword
ses.connection.tls.client_certificate.subject_org_unit
The certificate subject organizational unit.
keyword
ses.connection.tls.client_certificate.subject_organization
The certificate subject organization.
keyword
ses.connection.tls.client_certificate.subject_state
The certificate subject state.
keyword
ses.connection.tls.client_certificate.subject_street
The certificate subject street.
keyword
ses.connection.tls.client_certificate.version
The certificate version.
keyword
ses.connection.tls.is_advertised
The indication of whether the protocol is advertised by the server.
boolean
ses.connection.tls.is_used
The indication of whether the TLS is used.
boolean
ses.connection.tls.issuer_keyring
Issuer for forged certificates.
keyword
ses.connection.tls.issuer_keyring_alias
Key alias name in HSM issuer for forged certificates.
keyword
ses.connection.tls.key_length
The length of the encryption key.
long
ses.connection.tls.ocsp_status_detail
Errors observed during OCSP check of server certificate.
keyword
ses.connection.tls.server_certificate.end_time
The time at which the certificate becomes invalid.
date
ses.connection.tls.server_certificate.is_valid
The indication of whether the certificate is valid.
boolean
ses.connection.tls.server_certificate.issuer_name
The certificate issuer name.
keyword
ses.connection.tls.server_certificate.issuer_organization
The certificate issuer organization.
keyword
ses.connection.tls.server_certificate.serial
The certificate serial number.
keyword
ses.connection.tls.server_certificate.signature_statuses
The array of signature statuses.
keyword
ses.connection.tls.server_certificate.start_time
The time at which the certificate becomes valid.
date
ses.connection.tls.server_certificate.subject_city
The certificate subject city.
keyword
ses.connection.tls.server_certificate.subject_country
The certificate subject country.
keyword
ses.connection.tls.server_certificate.subject_email
The certificate subject email.
keyword
ses.connection.tls.server_certificate.subject_name
The certificate subject name.
keyword
ses.connection.tls.server_certificate.subject_org_unit
The certificate subject organizational unit.
keyword
ses.connection.tls.server_certificate.subject_organization
The certificate subject organization.
keyword
ses.connection.tls.server_certificate.subject_state
The certificate subject state.
keyword
ses.connection.tls.server_certificate.subject_street
The certificate subject street.
keyword
ses.connection.tls.server_certificate.version
The certificate version.
keyword
ses.connection.tls.tls_policy_id
The Transport Layer Security (TLS) policy.
keyword
ses.connection.tls.version
The protocol version.
keyword
ses.connection.uid
The unique identifier of the connection.
keyword
ses.connection.url.categories
The array of URL categories.
keyword
ses.connection.url.category_ids
The array of URL categories.
keyword
ses.connection.url.extension
Document extension from the original URL requested.
keyword
ses.connection.url.host
The URL host as extracted from the URL.
keyword
ses.connection.url.method
The HTTP method used in the URL request.
keyword
ses.connection.url.parent_categories
The array of parent URL categories.
keyword
ses.connection.url.path
The URL path as extracted from the URL.
keyword
ses.connection.url.port
The URL port.
long
ses.connection.url.provider
The origin of the reputation and category information.
keyword
ses.connection.url.query
The query portion of the URL.
keyword
ses.connection.url.referrer
The address accessed prior to this one.
keyword
ses.connection.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.connection.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.connection.url.rep_score_id
The reputation score of the URL.
keyword
ses.connection.url.scheme
The scheme portion of the URL.
keyword
ses.connection.url.text
The URL.
keyword
ses.connection_ref_uid
The reference to the network connection object that pertains to the event.
keyword
ses.container.host_name
The container host name.
keyword
ses.container.image_name
The container image name.
keyword
ses.container.image_uid
The container unique image identifier.
keyword
ses.container.name
The container instance name.
keyword
ses.container.networks.bssid
The Basic Service Set Identifier (BSSID).
keyword
ses.container.networks.gateway_ip
The gateway IP address.
ip
ses.container.networks.gateway_mac
The gateway media access control (MAC) address.
keyword
ses.container.networks.ipv4
The IPv4 address that is associated with the network interface.
ip
ses.container.networks.ipv6
The IPv6 address that is associated with the network interface.
ip
ses.container.networks.is_public
The indication of whether the network interface is a public IP address.
boolean
ses.container.networks.mac
The MAC address that is associated with the network interface.
keyword
ses.container.networks.rep_score_id
The reputation of the network.
keyword
ses.container.networks.ssid
The Service Set Identifier (SSID).
keyword
ses.container.networks.type_id
The type of network.
keyword
ses.container.os_name
The container operating system name.
keyword
ses.container.uid
The container unique identifier.
keyword
ses.content_type_id
The type of the content to which the update pertains.
keyword
ses.content_ver
The version of the detection engine or signature content.
keyword
ses.correlation_uid
The unique identifier used to correlate events.
keyword
ses.count
For aggregated events, the number of times that the event occurred during the Device Time to Device End Time period.
long
ses.create_mask
The Windows setting needed when creating a file.
long
ses.create_mask_id
The Windows create file flag, applicable to System Activity File Create event.
keyword
ses.created
The time that the incident was created.
date
ses.creator
The name of the user who created the incident.
keyword
ses.curr_location.city
The name of the city.
keyword
ses.curr_location.continent
The name of the continent.
keyword
ses.curr_location.coordinates
A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
float
ses.curr_location.country
The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized.
keyword
ses.curr_location.desc
The description of the location.
keyword
ses.curr_location.isp
The name of the Internet Service Provider (ISP).
keyword
ses.curr_location.on_premises
The indication of whether the location is on premises.
boolean
ses.curr_location.region
The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters.
keyword
ses.curr_security_level_id
The current security level of the entity.
keyword
ses.curr_security_level_value
The current security level of the entity in keyword.
keyword
ses.curr_security_state_ids
The type of the operating system.
keyword
ses.curr_ver
The updated version of the code, content, configuration or policy.
keyword
ses.customer_registry_uid
The unique Symantec customer registry identifier.
keyword
ses.customer_uid
The unique customer identifier.
keyword
ses.cve.desc
The description that pertains to the CVE.
keyword
ses.cve.name
The name of the CVE.
keyword
ses.cve.published
The date and time the CVE Record was first published in the CVE List.
date
ses.cve.reference_url
The URL associated with the CVE.
keyword
ses.cve.requires_device
True if there is a device associated with the CVE.
boolean
ses.cve.score
A CVE score used for prioritizing the severity of the vulnerability.
float
ses.cve.severity_id
The severity of the event.
keyword
ses.cve.title
The title associated with the CVE.
keyword
ses.cve.uid
The unique CVE identifier that this record pertains to.
keyword
ses.cvssv2.access_complexity_id
The access complexity Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.attack_vector_id
The attack vector Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.authentication_id
The authentication Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.availability_impact_id
The availability impact Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.confidentiality_impact_id
The confidentiality impact Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.integrity_impact_id
The integrity impact Common Vulnerability Scoring System (CVSS) metric.
keyword
ses.cvssv2.risk
The Common Vulnerability Scoring System (CVSS) calculated risk.
float
ses.cybox.domains
The array of CybOXTM fully qualified domain names (FQDN).
keyword
ses.cybox.emails.direction_id
The direction of the email relative to the scanning host or organization.
keyword
ses.cybox.emails.header_from
The email header From values, as defined by RFC 5322.
keyword
ses.cybox.emails.header_message_id
The email header Message-Id value, as defined by RFC 5322.
keyword
ses.cybox.emails.header_reply_to
The email header Reply-To values, as defined by RFC 5322.
keyword
ses.cybox.emails.header_subject
The email header Subject value, as defined by RFC 5322.
keyword
ses.cybox.emails.header_to
The email header To values, as defined by RFC 5322.
keyword
ses.cybox.emails.sender_ip
The IP address of the sender, in either IPv4 or IPv6 format.
ip
ses.cybox.emails.size
The size in bytes of the email, including attachments.
long
ses.cybox.emails.smtp_from
The value of the SMTP MAIL FROM command.
keyword
ses.cybox.emails.smtp_hello
The value of the SMTP HELO or EHLO command.
keyword
ses.cybox.emails.smtp_to
The value of the SMTP envelope RCPT TO command.
keyword
ses.cybox.files.accessed
The time that the file was last accessed.
date
ses.cybox.files.accessor
The name of the user who last accessed the object.
keyword
ses.cybox.files.attribute_ids
The array of file attributes.
keyword
ses.cybox.files.attributes
The bitmask value that represents the file attributes.
long
ses.cybox.files.company_name
The name of the company that published the file.
keyword
ses.cybox.files.confidentiality_id
The file content confidentiality indicator.
keyword
ses.cybox.files.content_type.family_id
The top level file classification.
keyword
ses.cybox.files.content_type.subtype
The specific format for the type of data.
keyword
ses.cybox.files.content_type.type_id
The general type of a file.
keyword
ses.cybox.files.created
The time that the file was created.
date
ses.cybox.files.creator
The name of the user who created the file.
keyword
ses.cybox.files.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.cybox.files.desc
The description of the file, as returned by file system.
keyword
ses.cybox.files.folder
The parent folder in which the file resides.
keyword
ses.cybox.files.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.cybox.files.is_system
The indication of whether the object is part of the operating system.
boolean
ses.cybox.files.md5
The MD5 checksum of the object content.
keyword
ses.cybox.files.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.cybox.files.modified
The time when the file was last modified.
date
ses.cybox.files.modifier
The name of the user who last modified the file.
keyword
ses.cybox.files.name
The name of the file.
keyword
ses.cybox.files.normalized_path
The CSIDL normalized path name.
keyword
ses.cybox.files.original_name
The original name of the file.
keyword
ses.cybox.files.owner
The owner of the file.
keyword
ses.cybox.files.parent_name
The name of the file that contains this file.
keyword
ses.cybox.files.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.cybox.files.path
The full path to the file.
keyword
ses.cybox.files.product_name
The name of the product that includes the file.
keyword
ses.cybox.files.product_path
The path to the product that includes the file.
keyword
ses.cybox.files.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.cybox.files.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.cybox.files.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.cybox.files.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.cybox.files.rep_score
The reputation score of the file.
long
ses.cybox.files.rep_score_band
The file reputation score fuzzed band number.
long
ses.cybox.files.security_descriptor
The object security descriptor.
keyword
ses.cybox.files.sha1
The SHA-1 checksum of the object content.
keyword
ses.cybox.files.sha2
The SHA-256 checksum of the object content.
keyword
ses.cybox.files.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.cybox.files.signature_created_date
The date and time when the signature was created.
date
ses.cybox.files.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.cybox.files.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.cybox.files.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.cybox.files.signature_issuer
The issuer of the object signature.
keyword
ses.cybox.files.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.cybox.files.signature_serial_number
The object serial number.
keyword
ses.cybox.files.signature_value
The digital signature bitmask.
long
ses.cybox.files.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.cybox.files.size
The size of the object, in bytes.
long
ses.cybox.files.size_compressed
The compressed size of the object, in bytes.
long
ses.cybox.files.src_ip
The IP address of the host where the file resides.
ip
ses.cybox.files.src_name
The name of the host where the file resides.
keyword
ses.cybox.files.type_id
The file type.
keyword
ses.cybox.files.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.cybox.files.url.categories
The array of URL categories.
keyword
ses.cybox.files.url.category_ids
The array of URL categories.
keyword
ses.cybox.files.url.extension
Document extension from the original URL requested.
keyword
ses.cybox.files.url.host
The URL host as extracted from the URL.
keyword
ses.cybox.files.url.method
The HTTP method used in the URL request.
keyword
ses.cybox.files.url.parent_categories
The array of parent URL categories.
keyword
ses.cybox.files.url.path
The URL path as extracted from the URL.
keyword
ses.cybox.files.url.port
The URL port.
long
ses.cybox.files.url.provider
The origin of the reputation and category information.
keyword
ses.cybox.files.url.query
The query portion of the URL.
keyword
ses.cybox.files.url.referrer
The address accessed prior to this one.
keyword
ses.cybox.files.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.cybox.files.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.cybox.files.url.rep_score_id
The reputation score of the URL.
keyword
ses.cybox.files.url.scheme
The scheme portion of the URL.
keyword
ses.cybox.files.url.text
The URL.
keyword
ses.cybox.files.version
The file version.
keyword
ses.cybox.files.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.cybox.hostnames
The array of CybOXTM hostnames.
keyword
ses.cybox.icap_reqmod.metadata
ICAP request modification header details.
flattened
ses.cybox.icap_reqmod.service
Name of the ICAP service.
keyword
ses.cybox.icap_reqmod.status
ICAP request modification status.
keyword
ses.cybox.icap_reqmod.status_detail
ICAP request modification error details.
keyword
ses.cybox.icap_respmod.metadata
ICAP response modification header details.
flattened
ses.cybox.icap_respmod.service
Name of the ICAP service.
keyword
ses.cybox.icap_respmod.status
ICAP response modification status.
keyword
ses.cybox.icap_respmod.status_detail
ICAP response modification error details.
keyword
ses.cybox.ipv4s
The array of CybOXTM IPv4 addresses.
ip
ses.cybox.ipv6s
The array of CybOXTM IPv6 addresses.
ip
ses.cybox.macs
The array of CybOXTM MAC addresses.
keyword
ses.cybox.urls.categories
The array of URL categories.
keyword
ses.cybox.urls.category_ids
The array of URL categories.
keyword
ses.cybox.urls.extension
Document extension from the original URL requested.
keyword
ses.cybox.urls.host
The URL host as extracted from the URL.
keyword
ses.cybox.urls.method
The HTTP method used in the URL request.
keyword
ses.cybox.urls.parent_categories
The array of parent URL categories.
keyword
ses.cybox.urls.path
The URL path as extracted from the URL.
keyword
ses.cybox.urls.port
The URL port.
long
ses.cybox.urls.provider
The origin of the reputation and category information.
keyword
ses.cybox.urls.query
The query portion of the URL.
keyword
ses.cybox.urls.referrer
The address accessed prior to this one.
keyword
ses.cybox.urls.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.cybox.urls.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.cybox.urls.rep_score_id
The reputation score of the URL.
keyword
ses.cybox.urls.scheme
The scheme portion of the URL.
keyword
ses.cybox.urls.text
The URL.
keyword
ses.data
The data that was scanned.
keyword
ses.data_size
The size of the data prior to truncation.
long
ses.days_left
The number of days left before license expiration.
long
ses.detection_type
The incident detection type.
keyword
ses.detection_uid
The associated unique detection event identifier.
keyword
ses.device_alias_name
The alternate device name, ordinarily as assigned by an administrator.
keyword
ses.device_cap
A short description or caption of the device.
keyword
ses.device_cloud_vm.autoscale_uid
The unique identifier of the cloud autoscale configuration.
keyword
ses.device_cloud_vm.dc_region
The data center region, as defined by the cloud vendor.
keyword
ses.device_cloud_vm.instance_uid
The unique identifier of the cloud hosted virtual machine instance.
keyword
ses.device_cloud_vm.subnet_uid
The unique identifier of the virtual subnet.
keyword
ses.device_cloud_vm.vpc_uid
The unique identifier of the Virtual Private Cloud (VPC).
keyword
ses.device_desc
The description of the device, ordinarily as reported by the operating system.
keyword
ses.device_domain
The network domain where the device resides.
keyword
ses.device_domain_uid
The unique identifier of the domain where the device resides.
keyword
ses.device_end_time
The time of the last aggregated event.
date
ses.device_gateway
The gateway IP address.
ip
ses.device_group
The full path of the group to which the device belongs.
keyword
ses.device_group_name
The name of the leaf group to which the device belongs.
keyword
ses.device_hw_bios_date
The BIOS date.
keyword
ses.device_hw_bios_manufacturer
The BIOS manufacturer.
keyword
ses.device_hw_bios_ver
The BIOS version.
keyword
ses.device_hw_cpu_type
The processor type.
keyword
ses.device_imei
The International Mobile Station Equipment Identifier that is associated with the device.
keyword
ses.device_ip
The IP address that pertains to the event, in either IPv4 or IPv6 format.
ip
ses.device_is_compliant
The event occurred on a compliant device.
boolean
ses.device_is_personal
The event occurred on a personal device.
boolean
ses.device_is_trusted
The event occurred on a trusted device.
boolean
ses.device_is_unmanaged
The event occurred on an unmanaged device.
boolean
ses.device_location.city
The name of the city.
keyword
ses.device_location.continent
The name of the continent.
keyword
ses.device_location.coordinates
A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
float
ses.device_location.country
The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.
keyword
ses.device_location.desc
The description of the location.
keyword
ses.device_location.isp
The name of the Internet Service Provider (ISP).
keyword
ses.device_location.on_premises
The indication of whether the location is on premises.
boolean
ses.device_location.region
The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters.
keyword
ses.device_mac
The Media Access Control (MAC) address that is associated with the device.
keyword
ses.device_name
The name of the device originating the event.
keyword
ses.device_name_md5
The MD5 hash of the device name.Note: The hash must be of the lower-case device name.
keyword
ses.device_networks.bssid
The Basic Service Set Identifier (BSSID).
keyword
ses.device_networks.gateway_ip
The gateway IP address.
ip
ses.device_networks.gateway_mac
The gateway media access control (MAC) address.
keyword
ses.device_networks.ipv4
The IPv4 address that is associated with the network interface.
ip
ses.device_networks.ipv6
The IPv6 address that is associated with the network interface.
ip
ses.device_networks.is_public
The indication of whether the network interface is a public IP address.
boolean
ses.device_networks.mac
The MAC address that is associated with the network interface.
keyword
ses.device_networks.rep_score_id
The reputation of the network.
keyword
ses.device_networks.ssid
The Service Set Identifier (SSID).
keyword
ses.device_networks.type_id
The type of network.
keyword
ses.device_org_unit
The name of the org unit to which the device belongs.
keyword
ses.device_os_bits
The number of processor bits.
long
ses.device_os_build
The operating system build number.
keyword
ses.device_os_country
The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
keyword
ses.device_os_edition
The operating system edition.
keyword
ses.device_os_lang
The lowercase two-letter ISO language code as defined by ISO 639-1.
keyword
ses.device_os_name
The name of the operating system running on the device from which the event originated.
keyword
ses.device_os_sp_name
The name of the latest Service Pack.
keyword
ses.device_os_sp_ver
The version number of the latest Service Pack.
keyword
ses.device_os_type_id
The type of the operating system.
keyword
ses.device_os_type_value
The type value of the operating system.
keyword
ses.device_os_ver
The version of the OS running on the device that originated the event.
keyword
ses.device_proxy_ip
The proxy IP address.
ip
ses.device_proxy_name
The proxy host name.
keyword
ses.device_public_ip
The public IP address.
ip
ses.device_ref_uid
The unique reference identifier of the device.
keyword
ses.device_site
The name of the site to which the device belongs.
keyword
ses.device_subnet
The subnet IP address.
ip
ses.device_time
The time that the event occurred at the device.
date
ses.device_type
The type of device originating the event.
keyword
ses.device_uid
The unique identifier of the device.
keyword
ses.device_vhost
The device virtual host type string.
keyword
ses.device_vhost_id
The device virtual host type.
keyword
ses.directory.accessed
The time that the file was last accessed.
date
ses.directory.accessor
The name of the user who last accessed the object.
keyword
ses.directory.attribute_ids
The array of file attributes.
keyword
ses.directory.attributes
The bitmask value that represents the file attributes.
long
ses.directory.company_name
The name of the company that published the file.
keyword
ses.directory.confidentiality_id
The file content confidentiality indicator.
keyword
ses.directory.content_type.family_id
The top level file classification.
keyword
ses.directory.content_type.subtype
The specific format for the type of data.
keyword
ses.directory.content_type.type_id
The general type of a file.
keyword
ses.directory.created
The time that the file was created.
date
ses.directory.creator
The name of the user who created the file.
keyword
ses.directory.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.directory.desc
The description of the file, as returned by file system.
keyword
ses.directory.folder
The parent folder in which the file resides.
keyword
ses.directory.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.directory.is_system
The indication of whether the object is part of the operating system.
boolean
ses.directory.md5
The MD5 checksum of the object content.
keyword
ses.directory.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.directory.modified
The time when the file was last modified.
date
ses.directory.modifier
The name of the user who last modified the file.
keyword
ses.directory.name
The name of the file.
keyword
ses.directory.normalized_path
The CSIDL normalized path name.
keyword
ses.directory.original_name
The original name of the file.
keyword
ses.directory.owner
The owner of the file.
keyword
ses.directory.parent_name
The name of the file that contains this file.
keyword
ses.directory.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.directory.path
The full path to the file.
keyword
ses.directory.product_name
The name of the product that includes the file.
keyword
ses.directory.product_path
The path to the product that includes the file.
keyword
ses.directory.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.directory.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.directory.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.directory.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.directory.rep_score
The reputation score of the file.
long
ses.directory.rep_score_band
The file reputation score fuzzed band number.
long
ses.directory.security_descriptor
The object security descriptor.
keyword
ses.directory.sha1
The SHA-1 checksum of the object content.
keyword
ses.directory.sha2
The SHA-256 checksum of the object content.
keyword
ses.directory.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.directory.signature_created_date
The date and time when the signature was created.
date
ses.directory.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.directory.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.directory.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.directory.signature_issuer
The issuer of the object signature.
keyword
ses.directory.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.directory.signature_serial_number
The object serial number.
keyword
ses.directory.signature_value
The digital signature bitmask.
long
ses.directory.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.directory.size
The size of the object, in bytes.
long
ses.directory.size_compressed
The compressed size of the object, in bytes.
long
ses.directory.src_ip
The IP address of the host where the file resides.
ip
ses.directory.src_name
The name of the host where the file resides.
keyword
ses.directory.type_id
The file type.
keyword
ses.directory.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.directory.url.categories
The array of URL categories.
keyword
ses.directory.url.category_ids
The array of URL categories.
keyword
ses.directory.url.extension
Document extension from the original URL requested.
keyword
ses.directory.url.host
The URL host as extracted from the URL.
keyword
ses.directory.url.method
The HTTP method used in the URL request.
keyword
ses.directory.url.parent_categories
The array of parent URL categories.
keyword
ses.directory.url.path
The URL path as extracted from the URL.
keyword
ses.directory.url.port
The URL port.
long
ses.directory.url.provider
The origin of the reputation and category information.
keyword
ses.directory.url.query
The query portion of the URL.
keyword
ses.directory.url.referrer
The address accessed prior to this one.
keyword
ses.directory.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.directory.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.directory.url.rep_score_id
The reputation score of the URL.
keyword
ses.directory.url.scheme
The scheme portion of the URL.
keyword
ses.directory.url.text
The URL.
keyword
ses.directory.version
The file version.
keyword
ses.directory.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.directory_result.accessed
The time that the file was last accessed.
date
ses.directory_result.accessor
The name of the user who last accessed the object.
keyword
ses.directory_result.attribute_ids
The array of file attributes.
keyword
ses.directory_result.attributes
The bitmask value that represents the file attributes.
long
ses.directory_result.company_name
The name of the company that published the file.
keyword
ses.directory_result.confidentiality_id
The file content confidentiality indicator.
keyword
ses.directory_result.content_type.family_id
The top level file classification.
keyword
ses.directory_result.content_type.subtype
The specific format for the type of data.
keyword
ses.directory_result.content_type.type_id
The general type of a file.
keyword
ses.directory_result.created
The time that the file was created.
date
ses.directory_result.creator
The name of the user who created the file.
keyword
ses.directory_result.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.directory_result.desc
The description of the file, as returned by file system.
keyword
ses.directory_result.folder
The parent folder in which the file resides.
keyword
ses.directory_result.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.directory_result.is_system
The indication of whether the object is part of the operating system.
boolean
ses.directory_result.md5
The MD5 checksum of the object content.
keyword
ses.directory_result.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.directory_result.modified
The time when the file was last modified.
date
ses.directory_result.modifier
The name of the user who last modified the file.
keyword
ses.directory_result.name
The name of the file.
keyword
ses.directory_result.normalized_path
The CSIDL normalized path name.
keyword
ses.directory_result.original_name
The original name of the file.
keyword
ses.directory_result.owner
The owner of the file.
keyword
ses.directory_result.parent_name
The name of the file that contains this file.
keyword
ses.directory_result.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.directory_result.path
The full path to the file.
keyword
ses.directory_result.product_name
The name of the product that includes the file.
keyword
ses.directory_result.product_path
The path to the product that includes the file.
keyword
ses.directory_result.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.directory_result.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.directory_result.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.directory_result.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.directory_result.rep_score
The reputation score of the file.
long
ses.directory_result.rep_score_band
The file reputation score fuzzed band number.
long
ses.directory_result.security_descriptor
The object security descriptor.
keyword
ses.directory_result.sha1
The SHA-1 checksum of the object content.
keyword
ses.directory_result.sha2
The SHA-256 checksum of the object content.
keyword
ses.directory_result.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.directory_result.signature_created_date
The date and time when the signature was created.
date
ses.directory_result.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.directory_result.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.directory_result.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.directory_result.signature_issuer
The issuer of the object signature.
keyword
ses.directory_result.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.directory_result.signature_serial_number
The object serial number.
keyword
ses.directory_result.signature_value
The digital signature bitmask.
long
ses.directory_result.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.directory_result.size
The size of the object, in bytes.
long
ses.directory_result.size_compressed
The compressed size of the object, in bytes.
long
ses.directory_result.src_ip
The IP address of the host where the file resides.
ip
ses.directory_result.src_name
The name of the host where the file resides.
keyword
ses.directory_result.type_id
The file type.
keyword
ses.directory_result.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.directory_result.url.categories
The array of URL categories.
keyword
ses.directory_result.url.category_ids
The array of URL categories.
keyword
ses.directory_result.url.extension
Document extension from the original URL requested.
keyword
ses.directory_result.url.host
The URL host as extracted from the URL.
keyword
ses.directory_result.url.method
The HTTP method used in the URL request.
keyword
ses.directory_result.url.parent_categories
The array of parent URL categories.
keyword
ses.directory_result.url.path
The URL path as extracted from the URL.
keyword
ses.directory_result.url.port
The URL port.
long
ses.directory_result.url.provider
The origin of the reputation and category information.
keyword
ses.directory_result.url.query
The query portion of the URL.
keyword
ses.directory_result.url.referrer
The address accessed prior to this one.
keyword
ses.directory_result.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.directory_result.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.directory_result.url.rep_score_id
The reputation score of the URL.
keyword
ses.directory_result.url.scheme
The scheme portion of the URL.
keyword
ses.directory_result.url.text
The URL.
keyword
ses.directory_result.version
The file version.
keyword
ses.directory_result.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.displayed_text
The information that is displayed to the user that describes the impact of a client side override action.
keyword
ses.domain_uid
The unique domain identifier.
keyword
ses.dst_endpoint_app.groups
Reports the group of an application.
keyword
ses.dst_endpoint_app.name
Reports the application name.
keyword
ses.dst_endpoint_app.operation
Reports the operation (action) of an application.
keyword
ses.duration
The duration of the scan (seconds).
long
ses.email.direction_id
The direction of the email relative to the scanning host or organization.
keyword
ses.email.direction_value
The direction value of the email relative to the scanning host or organization.
keyword
ses.email.header_from
The email header From values, as defined by RFC 5322.
keyword
ses.email.header_message_id
The email header Message-Id value, as defined by RFC 5322.
keyword
ses.email.header_reply_to
The email header Reply-To values, as defined by RFC 5322.
keyword
ses.email.header_subject
The email header Subject value, as defined by RFC 5322.
keyword
ses.email.header_to
The email header To values, as defined by RFC 5322.
keyword
ses.email.sender_ip
The IP address of the sender, in either IPv4 or IPv6 format.
ip
ses.email.size
The size in bytes of the email, including attachments.
long
ses.email.smtp_from
The value of the SMTP MAIL FROM command.
keyword
ses.email.smtp_hello
The value of the SMTP HELO or EHLO command.
keyword
ses.email.smtp_to
The value of the SMTP envelope RCPT TO command.
keyword
ses.email_auth.dkim_domain
The DomainKeys Identified Mail (DKIM) signing domain of the email.
keyword
ses.email_auth.dkim_id
The DomainKeys Identified Mail (DKIM) status of the email.
keyword
ses.email_auth.dmarc_id
The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.
keyword
ses.email_auth.dmarc_override
The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.
keyword
ses.email_auth.dmarc_policy_id
The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy..
keyword
ses.email_auth.raw_header
The email authentication header.
keyword
ses.email_auth.spf_id
The Sender Policy Framework (SPF) status of the email.
keyword
ses.email_uid
The unique identifier of the email, used to correlate related email detection and activity events.
keyword
ses.end_time
For aggregate events, the Device End Time adjusted to the server clock.
date
ses.entity.data
The managed entity content as a JSON object.
flattened
ses.entity.name
The name of the managed entity.
keyword
ses.entity.type
The managed entity type.
keyword
ses.entity.uid
A unique identifier of the managed entity.
keyword
ses.entity.version
The version of the managed entity.
keyword
ses.entity_result.data
The managed entity content as a JSON object.
flattened
ses.entity_result.name
The name of the managed entity.
keyword
ses.entity_result.type
The managed entity type.
keyword
ses.entity_result.uid
A unique identifier of the managed entity.
keyword
ses.entity_result.version
The version of the managed entity.
keyword
ses.environment_name
The environment in which the event occurred such as Production, Test, Development, Load.
keyword
ses.environment_uid
The unique identifier of the provisioned environment.
keyword
ses.event_duration
Time taken (in milliseconds) to process the request (from the first byte of client request data received by the proxy to the last byte sent by the proxy to the client including all of the delays by ICAP and so on).
long
ses.event_id
The event ID identifies the event's semantics, structure and outcome.
keyword
ses.events
The additional events that pertain to the event or incident.
flattened
ses.feature_name
The name of the feature originating the event. Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event.
keyword
ses.feature_path
The path of the feature originating the event.
keyword
ses.feature_type
The type of feature.
keyword
ses.feature_uid
The unique identifier of the feature originating the event.
keyword
ses.feature_ver
The version of the feature originating the event.
keyword
ses.file.accessed
The time that the file was last accessed.
date
ses.file.accessor
The name of the user who last accessed the object.
keyword
ses.file.attribute_ids
The array of file attributes.
keyword
ses.file.attributes
The bitmask value that represents the file attributes.
long
ses.file.company_name
The name of the company that published the file.
keyword
ses.file.confidentiality_id
The file content confidentiality indicator.
keyword
ses.file.content_type.family_id
The top level file classification.
keyword
ses.file.content_type.subtype
The specific format for the type of data.
keyword
ses.file.content_type.type_id
The general type of a file.
keyword
ses.file.created
The time that the file was created.
date
ses.file.creator
The name of the user who created the file.
keyword
ses.file.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.file.desc
The description of the file, as returned by file system.
keyword
ses.file.folder
The parent folder in which the file resides.
keyword
ses.file.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.file.is_system
The indication of whether the object is part of the operating system.
boolean
ses.file.md5
The MD5 checksum of the object content.
keyword
ses.file.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.file.modified
The time when the file was last modified.
date
ses.file.modifier
The name of the user who last modified the file.
keyword
ses.file.name
The name of the file.
keyword
ses.file.normalized_path
The CSIDL normalized path name.
keyword
ses.file.original_name
The original name of the file.
keyword
ses.file.owner
The owner of the file.
keyword
ses.file.parent_name
The name of the file that contains this file.
keyword
ses.file.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.file.path
The full path to the file.
keyword
ses.file.product_name
The name of the product that includes the file.
keyword
ses.file.product_path
The path to the product that includes the file.
keyword
ses.file.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.file.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.file.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.file.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.file.rep_score
The reputation score of the file.
long
ses.file.rep_score_band
The file reputation score fuzzed band number.
long
ses.file.security_descriptor
The object security descriptor.
keyword
ses.file.sha1
The SHA-1 checksum of the object content.
keyword
ses.file.sha2
The SHA-256 checksum of the object content.
keyword
ses.file.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.file.signature_created_date
The date and time when the signature was created.
date
ses.file.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.file.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.file.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.file.signature_issuer
The issuer of the object signature.
keyword
ses.file.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.file.signature_serial_number
The object serial number.
keyword
ses.file.signature_value
The digital signature bitmask.
long
ses.file.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.file.size
The size of the object, in bytes.
long
ses.file.size_compressed
The compressed size of the object, in bytes.
long
ses.file.src_ip
The IP address of the host where the file resides.
ip
ses.file.src_name
The name of the host where the file resides.
keyword
ses.file.type_id
The file type.
keyword
ses.file.type_value
The file type value.
keyword
ses.file.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.file.url.categories
The array of URL categories.
keyword
ses.file.url.category_ids
The array of URL categories.
keyword
ses.file.url.extension
Document extension from the original URL requested.
keyword
ses.file.url.host
The URL host as extracted from the URL.
keyword
ses.file.url.method
The HTTP method used in the URL request.
keyword
ses.file.url.parent_categories
The array of parent URL categories.
keyword
ses.file.url.path
The URL path as extracted from the URL.
keyword
ses.file.url.port
The URL port.
long
ses.file.url.provider
The origin of the reputation and category information.
keyword
ses.file.url.query
The query portion of the URL.
keyword
ses.file.url.referrer
The address accessed prior to this one.
keyword
ses.file.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.file.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.file.url.rep_score_id
The reputation score of the URL.
keyword
ses.file.url.scheme
The scheme portion of the URL.
keyword
ses.file.url.text
The URL.
keyword
ses.file.version
The file version.
keyword
ses.file.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.file_diff
File content differences used for change detection.
keyword
ses.file_result.accessed
The time that the file was last accessed.
date
ses.file_result.accessor
The name of the user who last accessed the object.
keyword
ses.file_result.attribute_ids
The array of file attributes.
keyword
ses.file_result.attributes
The bitmask value that represents the file attributes.
long
ses.file_result.company_name
The name of the company that published the file.
keyword
ses.file_result.confidentiality_id
The file content confidentiality indicator.
keyword
ses.file_result.content_type.family_id
The top level file classification.
keyword
ses.file_result.content_type.subtype
The specific format for the type of data.
keyword
ses.file_result.content_type.type_id
The general type of a file.
keyword
ses.file_result.created
The time that the file was created.
date
ses.file_result.creator
The name of the user who created the file.
keyword
ses.file_result.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.file_result.desc
The description of the file, as returned by file system.
keyword
ses.file_result.folder
The parent folder in which the file resides.
keyword
ses.file_result.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.file_result.is_system
The indication of whether the object is part of the operating system.
boolean
ses.file_result.md5
The MD5 checksum of the object content.
keyword
ses.file_result.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.file_result.modified
The time when the file was last modified.
date
ses.file_result.modifier
The name of the user who last modified the file.
keyword
ses.file_result.name
The name of the file.
keyword
ses.file_result.normalized_path
The CSIDL normalized path name.
keyword
ses.file_result.original_name
The original name of the file.
keyword
ses.file_result.owner
The owner of the file.
keyword
ses.file_result.parent_name
The name of the file that contains this file.
keyword
ses.file_result.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.file_result.path
The full path to the file.
keyword
ses.file_result.product_name
The name of the product that includes the file.
keyword
ses.file_result.product_path
The path to the product that includes the file.
keyword
ses.file_result.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.file_result.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.file_result.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.file_result.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.file_result.rep_score
The reputation score of the file.
long
ses.file_result.rep_score_band
The file reputation score fuzzed band number.
long
ses.file_result.security_descriptor
The object security descriptor.
keyword
ses.file_result.sha1
The SHA-1 checksum of the object content.
keyword
ses.file_result.sha2
The SHA-256 checksum of the object content.
keyword
ses.file_result.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.file_result.signature_created_date
The date and time when the signature was created.
date
ses.file_result.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.file_result.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.file_result.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.file_result.signature_issuer
The issuer of the object signature.
keyword
ses.file_result.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.file_result.signature_serial_number
The object serial number.
keyword
ses.file_result.signature_value
The digital signature bitmask.
long
ses.file_result.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.file_result.size
The size of the object, in bytes.
long
ses.file_result.size_compressed
The compressed size of the object, in bytes.
long
ses.file_result.src_ip
The IP address of the host where the file resides.
ip
ses.file_result.src_name
The name of the host where the file resides.
keyword
ses.file_result.type_id
The file type.
keyword
ses.file_result.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.file_result.url.categories
The array of URL categories.
keyword
ses.file_result.url.category_ids
The array of URL categories.
keyword
ses.file_result.url.extension
Document extension from the original URL requested.
keyword
ses.file_result.url.host
The URL host as extracted from the URL.
keyword
ses.file_result.url.method
The HTTP method used in the URL request.
keyword
ses.file_result.url.parent_categories
The array of parent URL categories.
keyword
ses.file_result.url.path
The URL path as extracted from the URL.
keyword
ses.file_result.url.port
The URL port.
long
ses.file_result.url.provider
The origin of the reputation and category information.
keyword
ses.file_result.url.query
The query portion of the URL.
keyword
ses.file_result.url.referrer
The address accessed prior to this one.
keyword
ses.file_result.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.file_result.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.file_result.url.rep_score_id
The reputation score of the URL.
keyword
ses.file_result.url.scheme
The scheme portion of the URL.
keyword
ses.file_result.url.text
The URL.
keyword
ses.file_result.version
The file version.
keyword
ses.file_result.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.http_status
The HTTP status code returned to the client.
long
ses.id
The outcome of the event.
long
ses.impersonator_customer_uid
The unique customer identifier of the impersonating agent.
keyword
ses.impersonator_domain_uid
The unique domain identifier of the impersonating agent.
keyword
ses.impersonator_user_uid
The unique user identifier of the impersonating agent.
keyword
ses.incident_uid
The incident unique identifier.
keyword
ses.incident_url
The URL used to access the original incident.
keyword
ses.injection_type_id
The process injection method.
keyword
ses.interpreter
The script interpreter used.
keyword
ses.is_user_present
The indication of whether the user was logged on at event generation time.
boolean
ses.kernel.is_system
The indication of whether the object is part of the operating system.
boolean
ses.kernel.name
The name of the kernel resource.
keyword
ses.kernel.system_call
The system call that was invoked.
keyword
ses.kernel.type_id
The type of the kernel resource.
keyword
ses.kernel.type_value
The type value of the kernel resource.
keyword
ses.license.count
The number of seats.
long
ses.license.end_time
The time at which the license expires.
date
ses.license.name
The name of the license.
keyword
ses.license.start_time
The time at which the license becomes valid.
date
ses.license.type_id
The license type.
keyword
ses.license.uid
The unique identifier of the license.
keyword
ses.lineage
The lineage of the actor process.
keyword
ses.log_level
The log level as reported by the logger subsystem.
keyword
ses.log_name
The name of the database, index, or archive where the event was logged.
keyword
ses.log_time
The time that the system collected the event.
date
ses.logging_device_ip
The IP address of the device that logged the event.
ip
ses.logging_device_name
The name of the device that logged the event.
keyword
ses.logging_device_post_time
The time when the event was logged by the logging device.
date
ses.logging_device_ref_uid
The unique identifier of the device that collects logs from other devices.
keyword
ses.logon_type_id
The type of logon.
keyword
ses.message
The description of the event.
keyword
ses.message_code
The coded string representation of the message, ordinarily used for trouble shooting.
keyword
ses.message_id
The numeric representation of the message, ordinarily used for translation purposes.
keyword
ses.modified
The time that the incident was modified.
date
ses.modifier
The name of the user who modified the incident.
keyword
ses.module.accessed
The time that the file was last accessed.
date
ses.module.accessor
The name of the user who last accessed the object.
keyword
ses.module.attribute_ids
The array of file attributes.
keyword
ses.module.attributes
The bitmask value that represents the file attributes.
long
ses.module.base_address
The memory address where the module was loaded.
keyword
ses.module.company_name
The name of the company that published the file.
keyword
ses.module.confidentiality_id
The file content confidentiality indicator.
keyword
ses.module.content_type.family_id
The top level file classification.
keyword
ses.module.content_type.subtype
The specific format for the type of data.
keyword
ses.module.content_type.type_id
The general type of a file.
keyword
ses.module.created
The time that the module was created.
date
ses.module.creator
The name of the user who created the module.
keyword
ses.module.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.module.desc
The description of the file, as returned by file system.
keyword
ses.module.folder
The parent folder in which the file resides.
keyword
ses.module.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.module.is_system
The indication of whether the object is part of the operating system.
boolean
ses.module.load_type
The load type describes how the module was loaded in memory.
keyword
ses.module.load_type_id
The load type identifies how the module was loaded in memory.
keyword
ses.module.md5
The MD5 checksum of the object content.
keyword
ses.module.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.module.modified
The time when the module was last modified.
date
ses.module.modifier
The name of the user who last modified the module.
keyword
ses.module.name
The name of the file.
keyword
ses.module.normalized_path
The CSIDL normalized path name.
keyword
ses.module.original_name
The original name of the file.
keyword
ses.module.owner
The owner of the file.
keyword
ses.module.parent_name
The name of the file that contains this file.
keyword
ses.module.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.module.path
The full path to the file.
keyword
ses.module.product_name
The name of the product that includes the file.
keyword
ses.module.product_path
The path to the product that includes the file.
keyword
ses.module.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.module.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.module.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.module.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.module.rep_score
The reputation score of the file.
long
ses.module.rep_score_band
The file reputation score fuzzed band number.
long
ses.module.security_descriptor
The object security descriptor.
keyword
ses.module.sha1
The SHA-1 checksum of the object content.
keyword
ses.module.sha2
The SHA-256 checksum of the object content.
keyword
ses.module.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.module.signature_created_date
The date and time when the signature was created.
date
ses.module.signature_developer_uid
The developer ID on the certificate that signed the file.
keyword
ses.module.signature_fingerprints.algorithm
The algorithm used to create the fingerprint.
keyword
ses.module.signature_fingerprints.value
The fingerprint value.Note: The submission format is a lower-case string.
keyword
ses.module.signature_issuer
The issuer of the object signature.
keyword
ses.module.signature_level_id
A numeric representation of the signature level. The signature levels are defined by STAR.
keyword
ses.module.signature_serial_number
The object serial number.
keyword
ses.module.signature_value
The digital signature bitmask.
long
ses.module.signature_value_ids
The array of signature values as derived from the Signature Bits.
keyword
ses.module.size
The size of the object, in bytes.
long
ses.module.size_compressed
The compressed size of the object, in bytes.
long
ses.module.src_ip
The IP address of the host where the file resides.
ip
ses.module.src_name
The name of the host where the file resides.
keyword
ses.module.type_id
The file type.
keyword
ses.module.type_value
The file type value.
keyword
ses.module.uid
The unique identifier of the file as defined by the storage system, such the file system file ID.
keyword
ses.module.url.categories
The array of URL categories.
keyword
ses.module.url.category_ids
The array of URL categories.
keyword
ses.module.url.extension
Document extension from the original URL requested.
keyword
ses.module.url.host
The URL host as extracted from the URL.
keyword
ses.module.url.method
The HTTP method used in the URL request.
keyword
ses.module.url.parent_categories
The array of parent URL categories.
keyword
ses.module.url.path
The URL path as extracted from the URL.
keyword
ses.module.url.port
The URL port.
long
ses.module.url.provider
The origin of the reputation and category information.
keyword
ses.module.url.query
The query portion of the URL.
keyword
ses.module.url.referrer
The address accessed prior to this one.
keyword
ses.module.url.referrer_categories
All content categories of the Referrer header URL.
keyword
ses.module.url.referrer_category_ids
The array of Referrer URL categories IDs.
keyword
ses.module.url.rep_score_id
The reputation score of the URL.
keyword
ses.module.url.scheme
The scheme portion of the URL.
keyword
ses.module.url.text
The URL.
keyword
ses.module.version
The file version.
keyword
ses.module.xattributes
An unordered collection of zero or more name/value pairs where each pair represents a file or directory extended attribute.
flattened
ses.module_type
The type of module.
keyword
ses.net_detection_uid
The application-generated unique identifier of the network detection event that is associated with this detection event.
keyword
ses.num_archives
The number of archives scanned.
long
ses.num_detections
The number of detections.
long
ses.num_errors
The number of files with either scanning or remediation errors.
long
ses.num_files
The number of files scanned.
long
ses.num_folders
The number of folders scanned.
long
ses.num_network
The number of network items scanned.
long
ses.num_processes
The number of processes scanned.
long
ses.num_registry
The number of registry items scanned.
long
ses.num_resolutions
The number of items that were resolved.
long
ses.num_skipped
The number of skipped items.
long
ses.num_trusted
The number of trusted items.
long
ses.num_unresolved
The number of scanned items with threats, but no resolution.
long
ses.open_mask_id
The Windows setting needed to open a registry key.
keyword
ses.open_mode
The mode in which the file was opened: 'Read' = false, 'Write' = true. Applicable to file open events.
boolean
ses.operation
The OS operation that initiated the event.
keyword
ses.org_unit_uid
The unique identifier of the organizational unit.
keyword
ses.orig_data
The pre-normalized event data.
keyword
ses.override_duration
The length in minutes for the override action to remain in place until restored upon expiration of time. If not provided it implies infinite duration of policy enforcement or until such time as another policy action occurs.
long
ses.parent.app_name
A label that may be associated with this process, for example, the name of the containment sandbox assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.).
keyword
ses.parent.app_uid
The identifier of the application that may be associated with this process.
keyword
ses.parent.app_ver
The version of the application that may be associated with this process.
keyword
ses.parent.cmd_line
The command line used to launch the startup application, service, process or job.
keyword
ses.parent.file.accessed
The time that the file was last accessed.
date
ses.parent.file.accessor
The name of the user who last accessed the object.
keyword
ses.parent.file.attribute_ids
The array of file attributes.
keyword
ses.parent.file.attributes
The bitmask value that represents the file attributes.
long
ses.parent.file.company_name
The name of the company that published the file.
keyword
ses.parent.file.confidentiality_id
The file content confidentiality indicator.
keyword
ses.parent.file.content_type.family_id
The top level file classification.
keyword
ses.parent.file.content_type.subtype
The specific format for the type of data.
keyword
ses.parent.file.content_type.type_id
The general type of a file.
keyword
ses.parent.file.created
The time that the file was created.
date
ses.parent.file.creator
The name of the user who created the file.
keyword
ses.parent.file.creator_process
The name of the process that created (or downloaded) the file or module.
keyword
ses.parent.file.desc
The description of the file, as returned by file system.
keyword
ses.parent.file.folder
The parent folder in which the file resides.
keyword
ses.parent.file.folder_uid
The unique identifier of the folder in which the file resides.
keyword
ses.parent.file.is_system
The indication of whether the object is part of the operating system.
boolean
ses.parent.file.md5
The MD5 checksum of the object content.
keyword
ses.parent.file.mime_type
The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
keyword
ses.parent.file.modified
The time when the file was last modified.
date
ses.parent.file.modifier
The name of the user who last modified the file.
keyword
ses.parent.file.name
The name of the file.
keyword
ses.parent.file.normalized_path
The CSIDL normalized path name.
keyword
ses.parent.file.original_name
The original name of the file.
keyword
ses.parent.file.owner
The owner of the file.
keyword
ses.parent.file.parent_name
The name of the file that contains this file.
keyword
ses.parent.file.parent_sha2
The SHA-256 checksum of the parent file.
keyword
ses.parent.file.path
The full path to the file.
keyword
ses.parent.file.product_name
The name of the product that includes the file.
keyword
ses.parent.file.product_path
The path to the product that includes the file.
keyword
ses.parent.file.rep_discovered_band
The discovery fuzzed band number, expressed as the number of days since discovery.
long
ses.parent.file.rep_discovered_date
The Symantec discovery date of the reputed file or URL.
date
ses.parent.file.rep_prevalence
The file reputation prevalence, as provided by a reputation query.
long
ses.parent.file.rep_prevalence_band
The file reputation prevalence fuzzed band number.
long
ses.parent.file.rep_score
The reputation score of the file.
long
ses.parent.file.rep_score_band
The file reputation score fuzzed band number.
long
ses.parent.file.security_descriptor
The object security descriptor.
keyword
ses.parent.file.sha1
The SHA-1 checksum of the object content.
keyword
ses.parent.file.sha2
The SHA-256 checksum of the object content.
keyword
ses.parent.file.signature_company_name
The company name on the certificate that signed the file.
keyword
ses.parent.file.signature_created_date
The date and time when the signature was created.
date
ses.parent.file.signature_developer_uid