Normalized event data model

This section presents the KUMA normalized event data model. All events that are processed by KUMA Correlator to detect alerts must be compliant to this model.

Events that are not compliant to this data model must be imported into this format (or normalized) using Collectors.

Normalized event data model

Field name

Field type

Description

AggregationRuleName

Internal

The name of the aggregation rule that processed the event.

BaseEventIDs

Internal

IDs of events that triggered creation of the correlation event.

Code

Internal

In a base event, this is the code of a process, function or operation return from the source.

In a correlation event, the alert code for the first line support or the template code of the notification to be submitted is written to this field.

CorrelationRuleName

Internal

It is filled in only for the correlation event.

The name of the correlation rule that gave rise to the correlation event.

ID

Internal

Unique event ID of UID type.

The collector generates the ID for the base event that is generated in the collector.

The correlator generates the ID of the correlation event.

The ID never changes its value.

You can search for the event in Storage using this ID.

Raw

Internal

Text of the source "as is" event.

Score

Internal

It is filled in for events that were processed by the triggered correlation rule. This is the priority of the identified <incident> that was specified in the correlation rule.

ServiceAddress

Internal

IP address of the host on which the service is deployed.

ServiceID

Internal

Identifier of a service instance: correlator, collector, storage.

ServiceKind

Internal

Service type: correlator, collector, storage

ServiceName

Internal

The name of the service instance that the KUMA administrator assigns the service when it is created.

Tactic

Internal

Name of the tactic from MITRE

Technique

Internal

Name of the technique from MITRE

Timestamp 

Internal

Timestamp of the base event created in the collector.

Timestamp of the correlation event created in the collector.

The time is specified in UTC0.

Extra

Internal

Used for mapping unparsed values during event normalization.

TICategories

Internal

Threat intelligence categories that were received from external TI sources in response to receiving event indicators.

DeviceVendor

CEF

Name of the log source producer. The value is taken from the raw event.

The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source.

DeviceProduct

CEF

Product name from the log source. The value is taken from the raw event.

The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source.

DeviceVersion

CEF

Product version from the log source. The value is taken from the raw event.

The DeviceVendor, DeviceProduct, and DeviceVersion all uniquely identify the log source.

DeviceEventClassID

CEF

Unique ID for the event type from the log source. Certain log sources categorize events.

Name

CEF

Event name in the raw event.

Severity

CEF

Error priority from the raw event.

This can be a Severity field or a Level field, etc., depending on the log.

DeviceAction

CEF

Action taken by the asset.

The action that was taken by the producer of the log source.

For example, blocked, detected.

ApplicationProtocol

CEF

Application Level Protocol (HTTP, HTTPS, Telnet, and so on)

DeviceCustomIPv6Address1

CEF

Field for mapping IPv6 address value that cannot be mapped to any other data model element.

It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.).

The field is customizable.

DeviceCustomIPv6Address1Label

CEF

Field for describing the purpose of the DeviceCustomIPv6Address1 field.

DeviceCustomIPv6Address2

CEF

Field for mapping IPv6 address value that cannot be mapped to any other data model element.

It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.).

The field is customizable.

DeviceCustomIPv6Address2Label

CEF

Field for describing the purpose of the DeviceCustomIPv6Address2 field.

DeviceCustomIPv6Address3

CEF

Field for mapping IPv6 address value that cannot be mapped to any other data model element.

It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.).

The field is customizable.

DeviceCustomIPv6Address3Label

CEF

Field for describing the purpose of the DeviceCustomIPv6Address3 field.

DeviceCustomIPv6Address4

CEF

Field for mapping IPv6 address value that cannot be mapped to any other data model element.

It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.).

The field is customizable.

DeviceCustomIPv6Address4Label

CEF

Field for describing the purpose of the DeviceCustomIPv6Address4 field.

DeviceEventCategory

CEF

The raw event category from the diagram of categorization of log producer events.

DeviceCustomFloatingPoint1

CEF

Field for mapping the Float type value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomFloatingPoint1Label

CEF

Field for describing the purpose of the DeviceCustomFloatingPoint1 field.

DeviceCustomFloatingPoint2

CEF

Field for mapping the Float type value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomFloatingPoint2Label

CEF

Field for describing the purpose of the DeviceCustomFloatingPoint2 field.

DeviceCustomFloatingPoint3

CEF

Field for mapping the Float type value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomFloatingPoint3Label

CEF

Field for describing the purpose of the DeviceCustomFloatingPoint3 field.

DeviceCustomFloatingPoint4

CEF

Field for mapping the Float type value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomFloatingPoint4Label

CEF

Field for describing the purpose of the DeviceCustomFloatingPoint4 field.

DeviceCustomNumber1

CEF

Field for mapping the integer value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomNumber1Label

CEF

Field for describing the purpose of the DeviceCustomNumber1 field.

DeviceCustomNumber2

CEF

Field for mapping the integer value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomNumber2Label

CEF

Field for describing the purpose of the DeviceCustomNumber2 field.

DeviceCustomNumber3

CEF

Field for mapping the integer value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomNumber3Label

CEF

Field for describing the purpose of the DeviceCustomNumber3 field.

BaseEventCount

CEF

For a correlation event, this is the number of base events that were processed by the correlation rule that generated the correlation event.
For a "collapsed base event", this is the number of base events that were processed by the aggregation rule.

DeviceCustomString1

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString1Label

CEF

Field for describing the purpose of the DeviceCustomString1 field.

DeviceCustomString2

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString2Label

CEF

Field for describing the purpose of the DeviceCustomString2 field.

DeviceCustomString3

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString3Label

CEF

Field for describing the purpose of the DeviceCustomString3 field.

DeviceCustomString4

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString4Label

CEF

Field for describing the purpose of the DeviceCustomString4 field.

DeviceCustomString5

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString5Label

CEF

Field for describing the purpose of the DeviceCustomString5 field.

DeviceCustomString6

CEF

Field for mapping the string value that cannot be mapped to any other data model element.

The field is customizable.

DeviceCustomString6Label

CEF

Field for describing the purpose of the DeviceCustomString6 field.

DestinationDnsDomain

CEF

The DNS domain portion of the complete fully qualified domain name (FQDN) of the destination, if the raw event contains the values of the traffic sender and recipient.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationServiceName

CEF

Service name on the traffic recipient's side. For example, "sshd".

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationTranslatedAddress

CEF

IP address of the traffic recipient asset (after the address is translated).

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationTranslatedPort

CEF

Port number on the traffic recipient asset (after the recipient address is translated).

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DeviceCustomDate1

CEF

Field for mapping the Timestamp type value that cannot be mapped to any other data model element.

The field is customizable.

The time is specified in UTC0.

DeviceCustomDate1Label

CEF

Field for describing the purpose of the DeviceCustomDate1 field.

DeviceCustomDate2

CEF

Field for mapping the Timestamp type value that cannot be mapped to any other data model element.

The field is customizable.

The time is specified in UTC0.

DeviceCustomDate2Label

CEF

Field for describing the purpose of the DeviceCustomDate2 field.

DeviceDirection

CEF

This field stores a description of the connection direction from the raw event.
0—Inbound connection
1—Outbound connection

DeviceDnsDomain

CEF

The DNS domain part of the complete fully qualified domain name (FQDN) of the asset IP address from which the raw event was received.

DeviceExternalID

CEF

External unique asset (product) ID, if it is communicated in the raw event.

DeviceFacility

CEF

Facility from the raw event, if one exists.

For example, the Facility field in the Syslog can be used to transmit the OS component name where an error occurred.

DeviceInboundInterface

CEF

Name of the incoming connection interface.

DeviceNtDomain

CEF

Windows Domain Name of the asset

DeviceOutboundInterface

CEF

Name of the outgoing connection interface.

DevicePayloadID

CEF

The payload's unique ID associated with the raw event.

DeviceProcessName

CEF

Name of the process from the raw event

DeviceTranslatedAddress

CEF

Retranslated IP address of the asset from which the raw event was received.

DestinationHostName

CEF

Host name of the traffic receiver. FQDN of the traffic recipient, if available.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationMacAddress

CEF

MAC address of the traffic recipient asset.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationNtDomain

CEF

Windows Domain Name of the traffic recipient asset.
This is used to process network traffic logs in which you need to distinguish between the source and destination.

DestinationProcessID

CEF

ID of the system process that is associated with the traffic recipient in the raw event.

For example, if Process ID 105 is specified in the event, then DestinationProcessId=105

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationUserPrivileges

CEF

Names of security roles that identify user privileges at the destination.

For example, "User", "Guest", "Administrator", etc.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationProcessName

CEF

Name of the system process at the destination.

For example, "sshd", "telnet", etc.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationPort

CEF

Port number at the destination.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationAddress

CEF

Destination IPv4 address.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DeviceTimeZone

CEF

Time zone of the asset where the event was generated

DestinationUserID

CEF

User ID at the destination.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DestinationUserName

CEF

User name at the destination. It may contain the email address of the user.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

DeviceAddress

CEF

IPv4 address of the asset from which the event was received.

DeviceHostName

CEF

Name of the asset host from which the event was received. FQDN of the asset, if available.

DeviceMacAddress

CEF

MAC address of the asset from which the event was received. FQDN of the asset, if available.

DeviceProcessID

CEF

ID of the system process on the device that generated the event.

EndTime

CEF

Timestamp when the event was terminated.

The time is specified in UTC0.

ExternalID

CEF

ID of the device that generated the event.

FileCreateTime

CEF

Time of file creation from the event.

The time is specified in UTC0.

FileHash

CEF

Hash of the file.

FileID

CEF

File ID if one exists.

FileModificationTime

CEF

Time when the file was last modified.

The time is specified in UTC0.

FilePath

CEF

File path, including the file name.

FilePermission

CEF

List of file permissions.

FileType

CEF

File type.

For example, application, pipe, socket, etc.

FlexDate1

CEF

Field for mapping the Timestamp type value that cannot be mapped to any other data model element.

The field is customizable.

The time is specified in UTC0.

FlexDate1Label

CEF

Field for describing the purpose of the flexDate1Label field.

FlexString1

CEF

Field for mapping the String type value that cannot be mapped to any other data model element.

The field is customizable.

FlexString1Label

CEF

Field for describing the purpose of the flexString1Label field.

FlexString2

CEF

Field for mapping the String type value that cannot be mapped to any other data model element.

The field is customizable.

FlexString2Label

CEF

Field for describing the purpose of the flexString2Label field.

FlexNumber1

CEF

Field for mapping the integer type that cannot be mapped to any other data model element.

The field is customizable.

FlexNumber1Label

CEF

Field for describing the purpose of the flexNumber1Label field.

FlexNumber2

CEF

Field for mapping the integer type that cannot be mapped to any other data model element.

The field is customizable.

FlexNumber2Label

CEF

Field for describing the purpose of the flexNumber2Label field.

FileName

CEF

Filename without specifying the file path.

FileSize

CEF

File size

BytesIn

CEF

Number of obtained bytes that were received from the source and transmitted to the destination.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

Message

CEF

Short name of the error (problem) from the event.

OldFileCreateTime

CEF

Time of the old file creation from the event.

The time is specified in UTC0.

OldFileHash

CEF

Hash of the old file.

OldFileID

CEF

ID of the old file, if one exists.

OldFileModificationTime

CEF

Time when the old file was last modified.

The time is specified in UTC0.

OldFileName

CEF

Name of the old file (without the file path).

OldFilePath

CEF

Path to the old file, including the file name.

OldFilePermission

CEF

List of the old file permissions.

OldFileSize

CEF

Size of the old file.

OldFileType

CEF

File type.

For example, application, pipe, socket, etc.

BytesOut

CEF

Number of sent bytes.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

EventOutcome

CEF

Result of the Action execution.

For example, "success", "failure".

TransportProtocol

CEF

OSI layer 4 protocol name (TCP, UDP, etc.).

Reason

CEF

Short description of the audit reason in the audit messages.

RequestUrl

CEF

Requested URL.

RequestClientApplication

CEF

Agent that processed the Request.

RequestContext

CEF

Description of the request context.

RequestCookies

CEF

Cookie files related to the request.

RequestMethod

CEF

Method that was used to access the URL (POST, GET, etc.).

DeviceReceiptTime

CEF

Time when the event was received.

The time is specified in UTC0.

SourceHostName

CEF

Name of the host of the traffic source. FQDN of the traffic source, if available.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceDnsDomain

CEF

Windows Domain Name of the traffic source asset.
This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceServiceName

CEF

Name of the service at the traffic source. For example, "sshd".

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceTranslatedAddress

CEF

Source translated IPv4 address.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceTranslatedPort

CEF

Number of the translated port at the source.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceMacAddress

CEF

MAC address of the traffic source asset.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceNtDomain

CEF

Windows Domain Name of the traffic source asset. This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceProcessID

CEF

System process ID that is associated with the traffic source in the raw event.

For example, if Process ID 105 is specified in the event, SourceProcessId=105

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceUserPrivileges

CEF

Names of security roles that identify user privileges at the source.

For example, "User", "Guest", "Administrator", etc.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceProcessName

CEF

Name of the system process at the source.

For example, "sshd", "telnet", etc.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourcePort

CEF

Port number at the source.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceAddress

CEF

Source IPv4 address.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

StartTime

CEF

Timestamp of the action associated with the event began.

SourceUserID

CEF

User ID at the source.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

SourceUserName

CEF

User name at the source. It may contain the email address of the user.

This is used to process network traffic logs in which you need to be able to distinguish between the source and destination.

Type

CEF

The following values are available:

  • 1—Base event
  • 2—Aggregated event
  • 3—Correlation event
  • 4—Audit event
  • 5—Monitoring event

CorrelationBucketHash

CEF

Correlation Bucket key. Correlation event fields are used when generating a key.

Used when generating notifications for the user.

GroupedBy

CEF

List of names of the fields that were used for grouping in the correlation rule. It is filled in only for the correlation event.

TenantID

CEF

Tenant ID

Page top