This section presents the KUMA normalized event data model. All events that the KUMA Correlator processes to detect alerts must comply with this model.
Events that do not comply with this data model must be converted into this format (normalized) by Collectors.
Normalized event data model

Internal standard fields

| Field name | Value type | Description |
|---|---|---|
| ID | String | Unique event ID of UUID type. It never changes its value. The collector generates the ID of the base event that is created in the collector. The correlator generates the ID of the correlation event. |
| Timestamp | Number, timestamp | Time when the base event was created in the collector, or when the correlation event was created in the correlator. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| TenantID | String | Tenant ID. |
| ServiceID | String | ID of the service instance (correlator, collector, or storage). |
| ServiceName | String | Name of the service instance, assigned by the KUMA administrator when the service was created. |
| AggregationRuleName | String | Name of the aggregation rule that processed the event. |
| AggregationRuleID | String | ID of the aggregation rule that processed the event. |
| CorrelationRuleName | String | Name of the correlation rule that triggered the creation of the correlation event. Filled in only for correlation events. |
| CorrelationRuleID | String | ID of the correlation rule that triggered the creation of the correlation event. Filled in only for correlation events. |
| GroupedBy | Nested list of strings | List of names of the fields that were used for grouping in the correlation rule. Filled in only for correlation events. |
| Priority | Number | Event severity level. |
| Code | String | In a base event, the code of a process, function, or operation return from the source. In a correlation event, the alert code for first-line support or the template code of the notification to be sent. |
| Tactic | String | Name of the MITRE tactic. |
| Technique | String | Name of the MITRE technique. |
| ReplayID | String | ID of the retroscan that generated the event. |
| Raw | String | Unaltered text of the source ("raw") event. |
| SourceAssetID | String | ID of the destination asset. |
| DestinationAssetID | String | ID of the source asset. |
| DeviceAssetID | String | Asset ID. |
| SourceAccountID | String | ID of the destination account. |
| DestinationAccountID | String | ID of the source account. |
| SpaceID | String | ID of the space. |
| BaseEvents | Nested [Event] list | Nested structure containing a list of base events. This field can be filled in for correlation events. |
| TI | Nested [string:string] dictionary | Field containing categories, in dictionary format, received from an external Threat Intelligence source based on indicators from the event. |
| Extra | Nested [string:string] dictionary | During normalization of a raw event, this field can hold the fields that have not been mapped to KUMA event fields. It can be filled in only for base events. |
| AffectedAssets | Nested [Affected] structure | Nested structure from which you can query alert-related assets and user accounts and find out how many times they appear in alert events. |
CEF standard fields

| Field name | Value type | Description |
|---|---|---|
| DeviceVendor | String | Name of the log source producer. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| DeviceProduct | String | Product name from the log source. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| DeviceVersion | String | Product version from the log source. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source. |
| DeviceEventClassID | String | Unique ID of the event type from the log source. Certain log sources categorize events. |
| Name | String | Event name from the raw event. |
| Severity | String | Error severity from the raw event. |
| DeviceAction | String | Action taken by the device or log source. For example, blocked, detected. |
| ApplicationProtocol | String | Application-layer protocol, such as HTTP or Telnet. |
| DeviceCustomIPv6Address1 | String | Field for an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (firewalls, for example). This field is customizable. |
| DeviceCustomIPv6Address1Label | String | Description of the purpose of the DeviceCustomIPv6Address1 field. |
| DeviceCustomIPv6Address2 | String | Field for an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (firewalls, for example). This field is customizable. |
| DeviceCustomIPv6Address2Label | String | Description of the purpose of the DeviceCustomIPv6Address2 field. |
| DeviceCustomIPv6Address3 | String | Field for an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (firewalls, for example). This field is customizable. |
| DeviceCustomIPv6Address3Label | String | Description of the purpose of the DeviceCustomIPv6Address3 field. |
| DeviceCustomIPv6Address4 | String | Field for an IPv6 address value that cannot be mapped to any other element of the data model. It can be used to process the logs of network devices where you need to distinguish between the IP addresses of various devices (firewalls, for example). This field is customizable. |
| DeviceCustomIPv6Address4Label | String | Description of the purpose of the DeviceCustomIPv6Address4 field. |
| DeviceEventCategory | String | Raw event category from the diagram defining the categories of log source events. |
| DeviceCustomFloatingPoint1 | Number | Field for a Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomFloatingPoint1Label | String | Description of the purpose of the DeviceCustomFloatingPoint1 field. |
| DeviceCustomFloatingPoint2 | Number | Field for a Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomFloatingPoint2Label | String | Description of the purpose of the DeviceCustomFloatingPoint2 field. |
| DeviceCustomFloatingPoint3 | Number | Field for a Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomFloatingPoint3Label | String | Description of the purpose of the DeviceCustomFloatingPoint3 field. |
| DeviceCustomFloatingPoint4 | Number | Field for a Float-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomFloatingPoint4Label | String | Description of the purpose of the DeviceCustomFloatingPoint4 field. |
| DeviceCustomNumber1 | Number | Field for an integer value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomNumber1Label | String | Description of the purpose of the DeviceCustomNumber1 field. |
| DeviceCustomNumber2 | Number | Field for an integer value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomNumber2Label | String | Description of the purpose of the DeviceCustomNumber2 field. |
| DeviceCustomNumber3 | Number | Field for an integer value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomNumber3Label | String | Description of the purpose of the DeviceCustomNumber3 field. |
| BaseEventCount | Number | Number of base events combined into an aggregated event. |
| DeviceCustomString1 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString1Label | String | Description of the purpose of the DeviceCustomString1 field. |
| DeviceCustomString2 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString2Label | String | Description of the purpose of the DeviceCustomString2 field. |
| DeviceCustomString3 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString3Label | String | Description of the purpose of the DeviceCustomString3 field. |
| DeviceCustomString4 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString4Label | String | Description of the purpose of the DeviceCustomString4 field. |
| DeviceCustomString5 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString5Label | String | Description of the purpose of the DeviceCustomString5 field. |
| DeviceCustomString6 | String | Field for a string value that cannot be mapped to any other field of the data model. This field is customizable. |
| DeviceCustomString6Label | String | Description of the purpose of the DeviceCustomString6 field. |
| DestinationDnsDomain | String | The DNS domain portion of the fully qualified domain name (FQDN) of the destination, if the raw event contains the traffic sender and recipient. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationServiceName | String | Service name on the traffic recipient's side. For example, "sshd". Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationTranslatedAddress | String | IP address of the traffic recipient asset (after address translation). Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationTranslatedPort | Number | Port number on the traffic recipient asset (after the recipient address is translated). Used to process network traffic logs in which the source and destination must be distinguished. |
| DeviceCustomDate1 | Number, timestamp | Field for a Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| DeviceCustomDate1Label | String | Description of the purpose of the DeviceCustomDate1 field. |
| DeviceCustomDate2 | Number, timestamp | Field for a Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| DeviceCustomDate2Label | String | Description of the purpose of the DeviceCustomDate2 field. |
| DeviceDirection | Number | Field for a description of the connection direction from the raw event. |
| DeviceDnsDomain | String | The DNS domain part of the fully qualified domain name (FQDN) of the asset IP address from which the raw event was received. |
| DeviceExternalID | String | External unique ID of the device, if it is communicated in the raw event. |
| DeviceFacility | String | Facility from the raw event, if one exists. For example, the Facility field in Syslog can be used to transmit the name of the OS component where an error occurred. |
| DeviceInboundInterface | String | Name of the incoming connection interface. |
| DeviceNtDomain | String | Windows domain name of the device. |
| DeviceOutboundInterface | String | Name of the outgoing connection interface. |
| DevicePayloadID | String | Unique ID of the payload associated with the raw event. |
| DeviceProcessName | String | Name of the process from the raw event. |
| DeviceTranslatedAddress | String | Translated IP address of the device from which the raw event was received. |
| DestinationHostName | String | Host name of the traffic recipient; FQDN of the recipient, if available. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationMacAddress | String | MAC address of the traffic recipient asset. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationNtDomain | String | Windows domain name of the traffic recipient device. |
| DestinationProcessID | Number | ID of the system process associated with the traffic recipient in the raw event. For example, if Process ID 105 is specified in the event, DestinationProcessId=105. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationUserPrivileges | String | Names of user roles that identify user privileges at the destination. For example, "User", "Guest", or "Administrator". Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationProcessName | String | Name of the system process at the destination. For example, "sshd" or "telnet". Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationPort | Number | Port number at the destination. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationAddress | String | Destination IPv4 address. Used to process network traffic logs in which the source and destination must be distinguished. |
| DeviceTimeZone | String | Time zone of the device where the event was generated. The default is the collector or correlator system time. If the event is configured to be enriched with time zone information, the field holds the time zone from the enrichment rule. If the time zone of the event source was specified in the raw event and this data was saved during normalization, the time zone of the event source is saved in this field. The value format is +-hh:mm. |
| DestinationUserID | String | User ID at the destination. Used to process network traffic logs in which the source and destination must be distinguished. |
| DestinationUserName | String | User name at the destination. May contain the user's email address. Used to process network traffic logs in which the source and destination must be distinguished. |
| DeviceAddress | String | IPv4 address of the asset from which the event was received. |
| DeviceHostName | String | Host name of the asset from which the event was received; FQDN of the asset, if available. |
| DeviceMacAddress | String | MAC address of the asset from which the event was received. FQDN of the asset, if available. |
| DeviceProcessID | Number | ID of the system process on the device that generated the event. |
| EndTime | Number | Timestamp when the event ended. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| ExternalID | String | ID of the device that generated the event. |
| FileCreateTime | Number | File creation time from the event. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| FileHash | String | Hash of the file. |
| FileID | String | File ID. |
| FileModificationTime | Number | Time when the file was last modified. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| FilePath | String | File path, including the file name. |
| FilePermission | String | List of file permissions. |
| FileType | String | File type. For example, application, pipe, or socket. |
| FlexDate1 | Number, timestamp | Field for a Timestamp-type value that cannot be mapped to any other field of the data model. This field is customizable. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| FlexDate1Label | String | Description of the purpose of the FlexDate1 field. |
| FlexString1 | String | Field for a String-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| FlexString1Label | String | Description of the purpose of the FlexString1 field. |
| FlexString2 | String | Field for a String-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| FlexString2Label | String | Description of the purpose of the FlexString2 field. |
| FlexNumber1 | Number | Field for an integer-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| FlexNumber1Label | String | Description of the purpose of the FlexNumber1 field. |
| FlexNumber2 | Number | Field for an integer-type value that cannot be mapped to any other field of the data model. This field is customizable. |
| FlexNumber2Label | String | Description of the purpose of the FlexNumber2 field. |
| FileName | String | File name, without the file path. |
| FileSize | Number | File size. |
| BytesIn | Number | Number of bytes received by the source and sent to the destination. Used to process network traffic logs in which the source and destination must be distinguished. |
| Message | String | Short description of the error or problem from the raw event. |
| OldFileCreateTime | Number | Creation time of the OLD file, from the event. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| OldFileHash | String | Hash of the OLD file. |
| OldFileID | String | ID of the OLD file. |
| OldFileModificationTime | Number | Time when the OLD file was last modified. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| OldFileName | String | Name of the OLD file (without the file path). |
| OldFilePath | String | Path to the OLD file, including the file name. |
| OldFilePermission | String | Path to the OLD file, including the file name. |
| OldFileSize | Number | Size of the OLD file. |
| OldFileType | String | File type. For example, application, pipe, or socket. |
| BytesOut | Number | Number of bytes sent. Used to process network traffic logs in which the source and destination must be distinguished. |
| EventOutcome | String | Result of the action. For example, "success" or "failure". |
| TransportProtocol | String | Name of the OSI Layer 4 protocol (such as TCP or UDP). |
| Reason | String | Short description of the audit reason in audit messages. |
| RequestUrl | String | URL of the request. |
| RequestClientApplication | String | Agent that processed the request. |
| RequestContext | String | Description of the request context. |
| RequestCookies | String | Cookies related to the request. |
| RequestMethod | String | Method used to access the URL (such as POST or GET). |
| DeviceReceiptTime | Number | Time when the event was received. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| SourceHostName | String | Host name of the traffic source; FQDN of the source, if available. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceDnsDomain | String | Windows Domain Name of the traffic source device. |
| SourceServiceName | String | Name of the service at the traffic source. For example, "sshd". Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceTranslatedAddress | String | Translated IPv4 address of the source. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceTranslatedPort | Number | Translated port number at the source. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceMacAddress | String | MAC address of the traffic source asset. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceNtDomain | String | Windows domain name of the traffic source device. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceProcessID | Number | System process ID associated with the traffic source in the raw event. For example, if Process ID 105 is specified in the event, SourceProcessId=105. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceUserPrivileges | String | Names of user roles that identify user privileges at the source. For example, "User", "Guest", or "Administrator". Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceProcessName | String | Name of the system process at the source. For example, "sshd" or "telnet". Used to process network traffic logs in which the source and destination must be distinguished. |
| SourcePort | Number | Port number at the source. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceAddress | String | Source IPv4 address. Used to process network traffic logs in which the source and destination must be distinguished. |
| StartTime | Number | Timestamp when the action associated with the event began. The time is specified in UTC0. In the KUMA web interface, the value is displayed based on the time zone of the user's browser. |
| SourceUserID | String | User ID at the source. Used to process network traffic logs in which the source and destination must be distinguished. |
| SourceUserName | String | User name at the source. May contain the user's email address. Used to process network traffic logs in which the source and destination must be distinguished. |
| Type | Number | Indicator of the correlation event type. The following values are available: |
Fields containing geographic data

| Field name | Value type | Description |
|---|---|---|
| SourceCountry | String | Country matching the source IPv4 address from the SourceAddress field. |
| SourceRegion | String | Region matching the source IPv4 address from the SourceAddress field. |
| SourceCity | String | City matching the source IPv4 address from the SourceAddress field. |
| SourceLatitude | Number | Longitude matching the source IPv4 address from the SourceAddress field. |
| SourceLongitude | Number | Latitude matching the source IPv4 address from the SourceAddress field. |
| DestinationCountry | String | Country matching the destination IPv4 address from the DestinationAddress field. |
| DestinationRegion | String | Region matching the destination IPv4 address from the DestinationAddress field. |
| DestinationCity | String | City matching the destination IPv4 address from the DestinationAddress field. |
| DestinationLatitude | Number | Longitude matching the destination IPv4 address from the DestinationAddress field. |
| DestinationLongitude | Number | Latitude matching the destination IPv4 address from the DestinationAddress field. |
| DeviceCountry | String | Country matching the device IPv4 address from the DeviceAddress field. |
| DeviceRegion | String | Region matching the device IPv4 address from the DeviceAddress field. |
| DeviceCity | String | City matching the device IPv4 address from the DeviceAddress field. |
| DeviceLatitude | Number | Longitude matching the device IPv4 address from the DeviceAddress field. |
| DeviceLongitude | Number | Latitude matching the device IPv4 address from the DeviceAddress field. |
Nested Affected structure

| Field | Data type | Description |
|---|---|---|
| | Nested | List and number of assets associated with the alert. |
| | Nested | List and number of user accounts associated with the alert. |

Nested AffectedRecord structure

| Field | Data type | Description |
|---|---|---|
| | String | ID of the asset or user account. |
| | Number | The number of times an asset or user account appears in alert-related events. |
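As an added example (not code from the KUMA documentation or product), the following Python sketch shows what a collector's normalization step does in terms of this model: it maps a raw CEF record onto the normalized fields, keeps the unaltered text in Raw, places unmapped extension keys into Extra (base events only), and enforces the +-hh:mm format the model states for DeviceTimeZone. The sample CEF line, the CEF_TO_KUMA mapping, the tenant placeholder, and the use of epoch milliseconds for Timestamp are assumptions made for this illustration.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample CEF record for this example (not a real device log).
RAW_EVENT = (
    "CEF:0|ExampleVendor|ExampleFW|2.1|100|Connection blocked|7|"
    "src=192.0.2.10 spt=51515 dst=198.51.100.5 dpt=22 proto=TCP "
    "act=blocked dtz=+03:00 cs1=branch-A cs1Label=Site customKey=foo"
)

# Assumed CEF extension key -> normalized field mapping (a subset of the model).
CEF_TO_KUMA = {
    "src": "SourceAddress", "spt": "SourcePort",
    "dst": "DestinationAddress", "dpt": "DestinationPort",
    "proto": "TransportProtocol", "act": "DeviceAction",
    "dtz": "DeviceTimeZone",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}
NUMERIC_FIELDS = {"SourcePort", "DestinationPort"}
TZ_RE = re.compile(r"^[+-]\d{2}:\d{2}$")   # DeviceTimeZone format: +-hh:mm


def parse_cef(raw):
    """Split a CEF line into its seven pipe-delimited header fields and the
    extension string; escaped pipes inside header fields are honoured."""
    parts = re.split(r"(?<!\\)\|", raw, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    return header, parts[7]


def parse_extensions(ext):
    """Parse 'key=value' extension pairs; a value may contain spaces, so a new
    pair only begins at a whitespace-separated 'key=' boundary."""
    pairs = {}
    for m in re.finditer(r"(\S+?)=(.*?)(?=\s+\S+?=|$)", ext):
        pairs[m.group(1)] = m.group(2).replace("\\=", "=")
    return pairs


def normalize(raw, tenant_id="tenant-id-placeholder", timestamp_ms=None):
    """Build a base event in the normalized model from one raw CEF line."""
    header, ext = parse_cef(raw)
    if timestamp_ms is None:   # creation time in UTC0 (epoch ms assumed here)
        timestamp_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    event = {
        "ID": str(uuid.uuid4()),        # UUID assigned once by the collector
        "Timestamp": timestamp_ms,
        "TenantID": tenant_id,
        "Raw": raw,                      # unaltered source text, kept verbatim
        # DeviceVendor, DeviceProduct and DeviceVersion identify the log source
        "DeviceVendor": header[1], "DeviceProduct": header[2],
        "DeviceVersion": header[3], "DeviceEventClassID": header[4],
        "Name": header[5], "Severity": header[6],
        "Extra": {},                     # unmapped keys; base events only
    }
    for key, value in parse_extensions(ext).items():
        field = CEF_TO_KUMA.get(key)
        if field is None:
            event["Extra"][key] = value  # keep rather than drop unmapped data
            continue
        if field in NUMERIC_FIELDS:
            value = int(value)
        elif field == "DeviceTimeZone" and not TZ_RE.match(value):
            raise ValueError(f"DeviceTimeZone must be +-hh:mm, got {value!r}")
        event[field] = value
    return event


if __name__ == "__main__":
    for k, v in normalize(RAW_EVENT).items():
        print(f"{k}: {v}")
```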